By Sandesh Anand
There is little doubt that securing our cyberspace is important. Over the last few years, the union government has acknowledged the importance and taken many initiatives to improve the security posture of our cyber infrastructure. However, the lack of a coherent message from the various agencies working on such an initiative, can lead to cyber-security becoming no more than a heavily regulated compliance burden.
The “National Cyber Security Policy” drafted in 2013 is an important document. While not yet implemented in full, various recommendations made in that documented have been implemented. One of the principal “strategies” of this policy is to create a nodal agency to co-ordinate all matters related to cyber security. The CERT-in was created to fulfill this requirement. In addition, Section 70(A) of the IT Act mandates the creation of another “nodal” agency to protect the nation’s Critical Information Infrastructure. The NCIIPC (National Critical Information Infrastructure Protection Center)f was hence created. Finally, regulators of various sectors (banking, Telecom etc.) have understood the importance of cybersecurity and have come up with their own “CyberSecurity guidelines”.
Sense the problem?
Let’s take the example of a bank, which wants to implement a cyber security program. In addition to doing all they can to protect their assets (based on their expertise), they also want to make sure all the regulatory boxes are ticked. Given they come under the definition of “Critical Infrastructure”, they will need to follow the guidelines provided by NCIIPC. In addition, RBI has multiple guidelines on how to implement their Information Security program. CERT-in also provides various guidelines on how to implement specific aspects of the bank’s Information Security program.
The story repeats when a breach occurs. NCIIPC has a 24*7 desk to handle incidents on CII (the bank will need to notify them), at the same time, banks are required to notify RBI and CERT-in when a major breach occurs (defining “major breach” itself can be an interesting exercise. Let’s reserve that for a separate post). So in addition to swiftly dealing with a breach, the bank will have to deal with the red-tape of communicating with three different agencies.
Given the complexity of the subject, it is desirable to have multiple opinions on the best way to implement cyber security. However, it is important for the regulatory framework to speak in one voice. Far too often, security is looked at as a bottleneck or a mere compliance requirement. When this happens, the focus of the industry is less about securing their ecosystem and more about making sure all the boxes are ticked. As we figure our way through the maze of cyber security, it is important for our regulatory system to get its act together. There has been talk about a “National Cyber Security Assurance Framework” being developed. Such a framework should work to unite all the current efforts instead of adding yet another layer of regulation for the industry to follow.
Sandesh Anand is a GCPP9 alumni and an Information Security professional. He tweets as @JubbaOnJeans