Government organisations the world over have adopted digital technologies for efficient governance, with the aim of improving the quality of life of their citizens. As dependency on IT systems has grown manifold, so has the threat of cyber attacks. For instance, while the railway booking system has changed the way Indians travel, any small outage in the system can immobilise the whole Railways system and impact the lives of millions of Indians.
The cyber threat landscape has changed drastically in the past few years, from a few attackers choking a Government website to nations engaging in cyber warfare and undertaking simultaneous attacks on Government systems. A cyber attack can compromise an individual system or multiple systems within a network and, in a worst-case scenario, unleash its wrath on the complete digital infrastructure of a State or the entire country. Ironically, the cyber crisis response mechanism in Government organisations is mostly incident-based, unplanned and unmanaged, with minimal or no preventive mechanisms in place, whereas a cyber crisis requires a long-term and strategic orientation. The most commonly accepted practice is to have a Cyber Crisis Management Plan in place, usually referred to as a CCMP.
The Government mandates all Central Ministries and agencies and all States and UTs to draw up their own CCMP to handle events of cyber attacks and cyber terrorism. State and sectoral level CCMPs are required to be in line with the national CCMP for effective coordination and synergies in crisis response. However, only a few Ministries, States and UTs have formulated their respective CCMPs.
The basic premise for having a CCMP in place is to create a strategic framework which gives the organisation direction: it not only prepares the organisation for handling a crisis but, more importantly, guides the actions taken to respond to the crisis and move towards recovery.
However, a CCMP is easily confused with a Cyber Incident Response Plan. It is important to define clearly which events would be treated as a cyber crisis, and a crisis should be clearly differentiated from a cyber incident. For common events like virus attacks, malware infection or Denial of Service (DoS) attacks, the organisation needs to put in place its incident response plan. Crises are much more serious events which cripple an organisation’s capability to undertake its operations and have the potential to impact its financial stability or hurt its reputation. In the case of a government organisation, such a cyber-related crisis may result in significant or complete breakdown of supplies or services essential to the life of the citizens, including but not limited to Finance, Defence, Transport, Energy, Communication or other critical sectors. These events can lead to a State or even National crisis.
A CCMP addresses how a crisis is to be managed before, during and after it occurs. For Government organisations which do not have a CCMP in place and are contemplating one, it is suggested that their CCMP should cover a wide range of cyber crisis events, even if the possibility of occurrence of some events is remote.
While formulating the CCMP, the Government should also identify all critical and possible targets of cyber attack, and define the institutional mechanism for decision-making and information sharing across different organisations. More importantly, the roles and responsibilities of each stakeholder must be clearly defined. A CCMP can also contain ‘what-if’ scenarios to help the response team respond quickly and contain the crisis. Templates for incident reporting and contact details of key stakeholders are also crucial information provided in a CCMP. Disaster recovery and business continuity concerns are also to be addressed in the plan. The CCMP should be put to the test using war games and mock drills to check its relevance and prepare the key stakeholders for future events.
Managing cyber crises calls for Government organisations to become more ‘cyber resilient’, which means they need to be well prepared to anticipate threats and also withstand crises whenever they occur. Besides, any impact of a cyber attack should be contained quickly, without allowing it to spread and affect other systems. It also calls for governments to have the ability to recover and restore their systems in the event of an attack. Finally, cyber resilience also entails the ability to evolve functioning and build capabilities to minimise adverse impacts. Building cyber resilience is a big challenge for government organisations which are still supported by archaic processes. But having embarked upon a journey of digitally enabled governance, it is imperative that such resilience is created immediately.
Inarguably, no single plan can address the ever-changing cyber threat landscape, in which new threats emerge every hour. We can only keep pace with it by having plans which are duly updated. It is suggested that Governments should review the CCMP periodically and update it every year, if not on a half-yearly basis.
A CCMP is a comprehensive plan which outlines the sequence of actions to deal with cyber crises. It is high time for every critical government organisation, be it at central, state or local level, to have a CCMP in place so as to ensure that interruptions due to cyber crises are infrequent or transient and remain manageable, and that the risk of damage is minimised if not completely eliminated.
(Views expressed in this article are of Yudhishthira Sapru, Senior Consultant, State eGovernance Mission Team, Chandigarh Administration)