It is a good time to make cyber security a national agenda, since the rapid digitalisation of businesses, administrative functions of the government, etc., has resulted in frequent cyberattacks on India’s cyber assets. As per a report by the Data Security Council of India (DSCI), India was the second-most affected country due to targeted cyberattacks between 2016 and 2018. The report also says that the average cost for a data breach in India has been growing steadily and significantly.
Separate budgetary allocation for cyber security
Given the risks of cyberattacks it faces, India needs a separate budget for cyber security. The separate allocation would enable the country to finance its cyber security initiatives regularly and foster innovation. Countries such as the USA, the UK, Japan, Germany, France and Australia have been allocating significantly greater funds over the past few years – nearly USD 25 billion among them – to strengthen their cyber security infrastructure. In the USA alone, overall cyber security expenditure is expected to move up by approximately 5% in FY20 to USD 17.44 billion. In the UK, the National Cyber Security Strategy has a budget of GBP 1.9 billion for 2016–2021. Developed economies are allocating separate funds for cyber security purposes, and India should consider the same and seek to ensure that 1% of its GDP is spent on cyber security to protect government systems, business ecosystems and the socioeconomic fabric of the country.
Spending the allocated amount judiciously
If the government decides to allocate funds for cyber security, they should be spent on the following areas:
- Building an effective legal framework to handle cyber security cases: At present, there isn’t any specific legislation in India that provides protection against cybercrimes. The Information Technology Rules, 2011, need to be revisited as the scale and the modus operandi of cybercrimes have evolved and will continue to do so. India needs a law to tackle cases of cybercrime. This legal framework must be designed keeping in mind the ever-changing nature of technology.
It is also necessary to ensure that conviction rates increase in cases related to cybercrime. This could be done through capacity building in the legal circles. It will be necessary to invest more in the capacity building of legal professionals and law enforcement agencies. Expenditure could be routed towards equipping law enforcement agencies with the necessary tools and technologies.
- Capacity building in the domain of cyber security: There is a dearth of adequately skilled cyber security professionals in India. A study conducted by the Information Systems Audit and Control Association (ISACA) in the past year shows that 58% of the organisations worldwide have vacant cyber security positions. This shortage, which is felt at both the government and the industry level, can affect India’s fight against cybercrimes. The government should encourage research and education related to cyber security skills in the upcoming Budget.
If the government invests in the capacity building of cyber security professionals, it is likely to result in the development of a robust cyber security ecosystem in India.
- Protecting critical infrastructure with deep monitoring and response capabilities: Critical Information Infrastructure (CII) involves assets, systems, or parts thereof, that are deemed to be critical for the normal functioning of a country. As new technologies like the Internet of things (IoT) are integrated into our national critical infrastructure, new cyber security threats emerge, which are required to be handled by specific security solutions. This, coupled with a growing trend for convergence and multi-system interconnectedness, has introduced several security issues that threaten normal economic and social functions.
There are growing concerns and debates about the protection of the country’s critical infrastructure and adequate budgetary allocation is required to build deep monitoring and response capabilities.
- Building and strengthening cyber defence and deterrence: State-sponsored cyberattacks are growing by the day and becoming a covert method of warfare, allowing countries to deny accusations and blame citizens. For the sake of sustainability and reliability in the digital age, the government needs to make India cyber-resilient by encouraging indigenous cyber security products and research and development (R&D).
Coordination and cooperation with other countries through bilateral and multilateral agreements to tackle cyber incidents is another critical step towards achieving cyber resilience and tracking cyberattacks originating from foreign countries. India needs to go through diplomatic channels to address this issue but at the same time, funds must be allocated towards setting up infrastructure dedicated to blocking malicious traffic from shadow locations. India should shut down safe havens for cybercriminals by barring internet traffic from suspected locations. India can identify countries where there are no laws against cybercrimes and block traffic originating from such countries by employing techniques such as geo-fencing.
- Strengthening the weakest links by bringing sectoral agencies and regulators under one roof: Another important area that demands urgent attention is the necessity of a national-level agency for protection from cybercrimes. While India has several sector-specific regulators and agencies focusing on their respective areas, there is clearly a need for a central authority at the national level, given that cybercrimes have evolved to penetrate various sectors and regulatory regimes. This gap needs to be filled in for swifter action against cyberattacks. The overarching agency should be empowered with sufficient funds to deal with cybercrime cases.
- Public awareness: Australia’s cyber security strategy and Singapore’s Digital Defence Department greatly emphasise citizens’ awareness against cybercrime. In India, the government too should launch result-oriented cyber awareness campaigns to provide individuals one-to-one assistance and cyber security support. The awareness drives can include the formation of guidelines and provide people with government-recognised security applications, which can be installed to secure devices.
There must be comprehensive drives to spread awareness about cybercrimes and how they can be prevented. Furthermore, the government could also consider making cyber security a part of school curriculums, so that students are aware of cyberthreats and precautions they should take when using the internet and mobile phones.
The government needs to allocate reasonable funds to strengthen the country’s cyber security framework and these funds need to be holistically distributed to strengthen the legal framework, capacity building, protection of critical infrastructure, building offensive capabilities and educating citizens about the safe use of digital assets. India can look at countries like the US, the UK, Germany and Australia and learn from the steps they have taken to ramp up their cyber security capabilities to address today’s challenges.
By Siddharth Vishwanath, Leader – Cyber Security, PwC India