The much-awaited National Cyber Security Policy, to safeguard the nation’s online resources, was revealed on Tuesday.
The policy aims at setting up a nodal agency to coordinate all matters related to cyber security. A mechanism to share information and identify and respond to cyber security incidents would soon be put in place.
The policy aims at creating and enhancing a national mechanism for obtaining strategic information regarding threats. It plans to develop indigenous security technologies through research.
A legal framework would be developed to address challenges in cyber security and a computer emergency response team would be put in place.
It elaborates the vision and policy statements of India to create a secure and resilient cyber space. It also protects India’s sovereign interests.
While on one hand we can compliment the government for such a policy, we must also bear in mind the large number of challenges in implementing it.
The policy has already been much delayed. It should have been released after the 26/11 terror attack, if not earlier.
The policy is nothing but a collation of policy statements and lofty objectives without any accompanying plan of action. It seems to be incomplete as it is not accompanied by a national cyber security action plan.
The policy does not contain parameters for effective implementation. The policy also does not mention the Information Technology Act of 2000, which is significant in the event of a conflict.
In case of a conflict, the IT Act shall prevail because it was passed by Parliament and the policy is an executive decision.
Further, deficiencies can be found in the policy as it does not detail the parameters of privacy in the context of cyber security. Cyber security, privacy and civil rights or liberties constitute the three components of the triangle that is integral to the subject at hand.
Further, the policy does not speak about how the data will be collected, how it would be processed and how it will be used. It has no checks and balances to ensure that activities meant for protecting online information are not abused.
In terms of the recent intrusions into cyber space, the policy does not explain how the government will maintain a balance between the protection of cyber security and the protection of civil liberties.
The policy is drafted in broad terms and a lot of work remains to be done.
The policy is silent about the role of relevant stakeholders in the cyber security system.
Ways to protect critical information and infrastructure related to the public sector should have been included in the policy.
The policy is silent about the Central Monitoring System, snooping, surveillance, interception, monitoring and scrutiny activities by other nations.
Loopholes in the policy need to be addressed to make it more robust and the subsequent action plan needs to be implemented.
But formulating such a policy is a commendable first step, though it fails to match up on several parameters.