A Proposed National Policy on Information Security in India

egov 6Security attacks pose serious threats to the sensitive information, possessed both by public and private sector, and could potentially jeopardize national security. Security of the information requires a focused policy initiatives to sensitize public and private sectors towards national security concerns and drive their actions for securing the information
Dr Nirmaljeet Singh Kalsi,
Joint Secretary (Police-II), Ministry of Home Affairs, Government of India

The Digital World is a reality today in all of our lives. Digital infrastructure is increasingly the backbone of prosperous economies, vigorous research communities, strong militaries, transparent governments, and free societies. Lacs of people across the country rely on the electronic services in the cyber space everyday. As never before, information technology is fostering transnational dialogue and facilitating the global flow of information, goods and services. These social and trade links have become indispensable to our daily lives. Critical life sustaining infrastructures that deliver electricity and water, control air traffic, and support our financial systems, all depend on networked information systems. The reach of networked technology is pervasive and global.

For all nations, the underlying digital infrastructure is or will soon become a critical national asset. Information Security is one of the important components of cyber security and is gradually taking centre stage in the national security deliberations and discussions. In fact, it has become a key component of national security design architecture and is shaping international strategies of the nations too. Information Security brings up a set of different problems that have the potential to challenge the comfort in the conventional methods of managing security issues. Cyber threat does not respect the physical and political boundaries. It explores and innovates new methods to defeat and compromise security. The identity of the attacker and the source is difficult to ascertain. Attribution in cyberspace is difficult. In most cases, it is extremely difficult to collect irrefutable evidence against a cyber attacker, and almost impossible to link any cyber attacks to nationstates with certainty, even if clearly established. In strategic discussions, cyber space restraint is being equated with nuclear restraint.

Current Symptoms of Problem in India Securing sensitive information is increasingly becoming important for  aintaining the strategic deterrence capability of a country. Economic stability, which is becoming an important parameter of defining country’s national security, is also critically dependent on Information and Communication Technologies, as financial sector in India found a leading adopter of technologies. On the other hand, intellectual property developed both in public and private sector contributes to the fate of a nation in a knowledge based economy. The examples of Stuxnet and Flame provide us an evidence of how a cyber attack could lead to a kinetic and long lasting damage to the strategic capabilities of a nation. Public sector, although increasingly relying on ICT, has not  seen completely awakened to the challenges of information security.

While private sector, otherwise seen investing in information securityfor intrinsic requirements, may not be alive to the concerns of the national security. The time has come to drive both sectors towards a strong information security culture, which is sensitive to the national imperatives. There have been revisions of Departmental Security Instructions to streamline and tighten up the various aspects of documentation, personnel and physical security procedures. However, a comprehensive approach for managing the information security affairs is still to be implemented fully.

Problems in Global and Indian Context Global Context
In an estimate of US Cyber Consequence Unit, the total economic impact of cyber attack is between USD 3.7 to 6.9 Trillion’. There have been alarming instances of cyber espionage, stealing of sensitive  information and challenging commercial and security interests of nations. The cyber espionage instances revealed as ‘Operation Shady Rats’ “ ‘Nitro Attack 8, and ‘Operation Night Dragon” demonstrate how security attacks are becoming focused, organized and targeted against governments, defence establishments and private companies looking for most sensitive pieces of information. This warrants a very high level of attention in securing the key information assets.

Indian Context
India also observed a significant increase in the number of cyber security attacks on vital  nstallations and key government ministries like PMO, External Affairs, Home Ministry, etc. A total of 8,266, 10,315 and 13,301 security incidents were reported to and handled by Cert-In during 2009, 2010 and 2011, respectively. India has also become a target for cyber espionage. Over 250 Indian websites including the Ministry of Defence, Ministry of Railways and several Indian missions abroad have been attacked in the recent past. And, worse, the number and frequency are only growing According to data compiled by the National Crime Records Bureau (NCRB) in the Ministry of Home Affairs, 1,791 cases were registered under the Information Technology (IT) Act in 2011 against 966 in 2010 – an increase of over 85 percent. Cyber cases under the Indian Penal Code also went up by 18.5 percent in 2011.

Consideration of the underlying basic:
causes of the problem Information security derives its strength from the legal and regulatory framework. However, for successful and optimized implementation of security, organisations need to weigh their strategic options, establish a policy framework to set directions, define or comply with standards for ensuring baseline, establish procedures for ensuring consistency of operations and issue guidelines for implementation. However, drivers of security go beyond securing ICT Asset and protection of IPR, where public and private entities seen investing their resources and efforts. Recently, privacy as a consumer rights has been catching the attention of the public and private sectors in response to the increasing regulatory pressures. Cyber Security and National Security have emerged as significant drivers in the recent times.

These drivers expect a certain level of response from organisations. Organisations may see awakened to these drivers. However, there has been significant gaps in the alignment of their efforts to the cause of national security. Information security policy measure should address the requirements of legal framework, strategic measures and should have a mechanism to prescribe and constantly improve standards, procedures and guidelines. The policy needs to be aligned to the bearing it has on the National Security, Cyber Security, IPR and Privacy. To achieve the national goals of information security, sensible behaviour of the organisations in both public and private sectors is imperative. This calls for a policy response that defines the direction, sets expectations, stipulates compliance norms and guides security implementations. The policy initiative should also outline a mechanism, which is empowered to direct, coordinate, and seek assurance over information security initiatives undertaken by different sectors, entities, and units.

Information Architecture:
National Security Perspective Distribution and spread of information across different entities and sectors add significant complexity in achieving goals of national level policy for the security of the information, which is critical for national security. There is a need for comprehensive and close security watch-over the sensitive information that is being created, received-accessed, processed and disposed across the entities and sectors. Comprehension should lead to evaluate priorities from the perspective of national security. The following figure reflects the information architecture from that perspective Information that is in the domain of nuclear, defence, space and energy is strategic in nature. Sensitive information leakage in these sectors, intentional and unintentional, has a potential to cause great damage to the prospects of the country’s national security.

Internal security functions and external affairs forms the next most important level from the/national security perspective. Increasing the efforts of computerisation and rising momentum towards e-Governance has lead to the transformation of sensitive physical information into digital form, exposing it to a much graver security threats. Financial information is critical for economic stability and economic security of the country. Commercial information is critical for competitive advantage of the country. Personal information, collected by companies and governments, may be another lucrative target for cyber attacks.

The objectives sought from the National Policy and Critical Constraints

The objectives of the National Information Security Policy are as follows:

• Ensure the new age goals of national security are met convincingly and confidently, namely strategic information security, economic stability through reliable information security and protection of intellectual property
• Establish an ecosystem in the country for information security with proactive role and participation of the private sector
• Establish a sense of information security in the sectors, entities and units that are involved in creating and processing sensitive information
• Provide coherent; reliant and convincing directions to information security initiatives in the country
• Drive security initiatives, desired actions and investment for information security in the country.
• Harmonise and standardise security in order to bring consistency in managing information security affairs
• Provide guidance for the implementation of information security policies, procedures and guidelines.