Policy Making for Cyber Security

Cyber space is providing unprecedented opportunities; it provides a platform where ability of human race in its innovative usage is increasingly tested. They are providing new means for solving the long standing problems the human race is facing. The global architecture of the cyber space, right strategies for penetrating access to the internet, transparent internet protocols, effective evolution of ecosystem of multiple players taking the internet revolutions to every corner of the world and cost effective model of connectivity and access make this possible. However, the same model, structure, protocols, easiness and varied usages contribute to the usage of the cyber space for unethical, adversarial, and criminal activities. This affects individual, society, business, nations, and global health of cyber space. To promote responsible usage, restrain criminal activities, avoid the national conflicts, and ensure trust people on the cyber space, there is an urgent need of national policies.

HOW CYBER SPACE IS DIFFERENT

What makes cyber space different from other public policy areas? On the one hand, we see increasing digitization of information, millions of devices connecting to the internet, increasing exposure of the businesses through globalization, rising deployment of globally sourced IT systems and applications and faster and cheaper ways of transferring information. On the other hand, cyber attacks are becoming more sophisticated, the attacks are proving their ability to cause kinetic impact, state and non-state actors are operating to cause harm, and commoditization of cyber attack execution is becoming a reality. The effort of the public policy making requires dealing with these complexities and interdependencies. The cross-border nature of the affairs adds further complications. The objective of the policies is primarily to promote secure behavior in the cyber space, define responsibilities of different entities towards it, drive desired investment and efforts for security, establish necessary regulatory structures, and provide protection to the victims of criminal or adversarial acts.

CLASSIFYING CYBER SECURITY

Policy making for cyber security may be broadly classified in three categories (i) politico-military, which deal with the affairs of cyber warfare military usage of cyber space (ii) economical that deal with cyber crime aimed at certain type of gains (iii) content, which deal with the ability of people to share and update content and social, political and security issues associated with it. Evidence gathering and investigations in the cyber space may be significantly different from the physical world. It has to redefine the right of the citizen in the cyber space or reinterpret the meaning of the rights enjoyed by the citizens for the cyber space. It has to see how protections given to the citizens are translated into the ground level actions. It has to evaluate the social significance of providing the protection, where the victims may be seeking justice against a powerful person or entity, demanding specific arrangement for that. It has to see that powers entrusted in the hand of officials are judiciously used.

The proposals for governing a specific affair or aspect tend to create controversies. For example, a legitimate concern of victimization of an individual in the cyber space, as articulated by section 66A, has been found applied to two girls in Mumbai for their post on a social media site. This particular provision of the act has serious ramification on the right of freedom of expression granted to the citizen by the Indian constitution. Enacting a reasonable policy, thus, requires a comprehension of such operating scenarios. Regulation of content is the most controversial area of policy making. It leads to philosophical, political, and legal debates. The proposals are tested against the country's commitment to the democratic value systems, freedom of speech, and liberal economy.

The different stakeholders affected due to policy directions jump into the debate. Sometimes their priorities are conflicting to each other. Civil societies may demand specific structure, provision or regulatory infrastructure for governing a specific type of affair. The business affected due to that may object to proposal for their practicality; they may be worried for intrusive and bureaucratic nature of the mechanism suggested. They may be concerned for the cost they require to incur for compliance.

Policy making for cyber security is not an easy task. One has to deal with complexity, complicating interdependencies, conflicting interests, diverse social perspectives and varied philosophical and political ideas while deriving policy options. For mastering in policy making, one has to practice disciplines of sociology, political science, economics and philosophy and apply that for governing technology.