By Shivshankar Menon
Oct 24 2013
Excerpts from NSA Shivshankar Menon’s address at the Conference on Cyber Security and Cyber Governance in New Delhi, October 14.
India today has the largest number of internet users after the US and China. There are over 700 million mobile phones and about 670,000 km of optical fibre laid across the country, many of our major socio-economic programmes are delivered on IP-based networks, and government and private sector networks are intimately interconnected. Overall levels of interconnectivity may be low in per capita terms relative to advanced economies, but the sheer numbers of people involved and the criticality of existing networks make their protection imperative. The consequences of manipulation, disruption or dislocation of networks can be potentially disastrous in terms of social order, economic loss and national security.
The challenge in India, as elsewhere, lies in finding practices and policies that enable us to protect networks and cyberspace while ensuring the free flow and access to information essential to a democratic society. The government of India is strongly committed to preserving the democratic nature of cyberspace, which is indeed one of its most attractive and enduring features, and the privacy of individuals, while securing cyberspace for trusted e-commerce, security of data and protection of critical information infrastructure.
The National Cyber Security Policy and Framework approved by the government earlier this year adopts an integrated approach with a series of policy, legal, technical and administrative steps to construct a multi-layered approach and a clear delineation of functional responsibilities among stakeholders. Coordination and the sharing of information in real time will, of course, be the key to success. It also strengthens our assurance and certification framework to address supply-chain vulnerabilities, harden networks.
One of the cornerstones of the government’s efforts is the protection of critical information infrastructure (CII). The Information Technology Act, 2000, defines critical information infrastructure as, “the computer resource the incapacitation or destruction of which shall have debilitating impact on national security, economy, public health or safety.” As India’s CIIs get increasingly inter-connected, inter-dependent, complex and distributed, CERT-IN tells us that they have faced a phenomenal increase in the number of cyber incidents and attacks. In the meantime, the Crisis Management Plan has identified nine priority sectors for us to protect. These are defence, energy, finance, space, ICT, I&B, public essential services and utilities, law enforcement and security.
The government is actively partnering industry associations, service providers, and other stakeholders in joint efforts to secure cyberspace. A Joint Working Group with representatives of government departments and the private sector has been set up and is looking at the establishment of Information Sharing and Analysis Centres (ISACs), testing and certification laboratories in the private sector, and Centres of Excellence for capacity-building in various areas, including policy research, setting standards, cyber forensics and assistance to law enforcement agencies.
India has recently obtained “authorising nation” status under the CCRA regime for IT products. Testing labs in the country will now gain global recognition. This is an opportunity for industry to invest in product-testing and certification facilities in India. DeitY’s Standardisation Testing and Quality Certification can now be a certification body and accredit private testing labs to operate the certification scheme for IT products. There has been a gratifying interest in industry to set up telecom testing labs. It is our hope that with the progressive increase of manufacturing in India, CC test labs would also become viable. In the meantime, we will be accepting reputed international certification while our own testing and certification facilities are being established.
Given the global and multi-national nature of ICT operations, it is not viable for each country to prescribe its own security standards in isolation. This would ultimately raise the cost of service and affect inter-operability. Hence the imperative need for international cooperation on standards and evaluation methodologies. At the same time, each country has the sovereign right and duty to prescribe certification and assurance procedures and to satisfy itself as to the adequacy of the standards and that they are being respected.
India has sought to play a pro-active role in the UN Group of Governmental Experts (UNGGE) in evolving international norms of responsible state behaviour for submission to the UNGA. Our basic approach is to support democratic and representative internet governance, while preserving the strengths that come from the open nature of the domain, keeping interference to the minimum to keep it socially responsible and legal. The institutions that are invested with the authority to manage or regulate the internet should be broad-based and institutionalised so as to be able to take on board the concerns and views of all stakeholders.
The internet is effectively a global commons; it cannot be managed only as private property. Its governance and architecture should reflect this fact. We must also find ways of making the internet impervious to possible manipulation or misuse by particular state or non-state actors. How we secure private freedoms while preventing misuse of the internet, how we strike a balance between the open democratic nature of the internet and its management by a few, and still fulfil the demands of cyber security, is one of the great challenges of our times.
There is a tendency to posit a false dichotomy or antagonism between free speech and privacy on the one hand and security in cyberspace on the other. If cyberspace is a global commons... there can be no absolute rights or obligations in the commons. The issue really is how much and the nature of regulation that we can agree among all the stakeholders. In India, all that the government and its agencies do in cyberspace, whether it is monitoring or data protection or regulation, is governed by law, by the Indian Telegraph Act and the Information Technology Act. These laws do not distinguish between Indians and foreigners for these purposes.