Jan 04, 2014. This article has been updated based on feedback from friends in government.
The India news media is going ga-ga over the proposed cybercrime panel announced by the Home Minister.. but, not me! I have serious reservations about this activity hope good sense prevails before the panel gets to work!In case you missed the news, read it here on Deccan Herald, and here on TOI or search online
It is an accepted fact that the world is technology
dependent, and, that governments and infrastructure will come to a halt in
event of non-availability of IT resources. Doomsday and Pearl Harbor scenarios are thrown up by
world leaders and every malicious incident is termed as cyberwar accompanied by
appropriate war-drum type noises by Presidents, ministers and ministries.
Governments, globally, have a common objective of the necessity of securing
their information – whether to keep state secrets or keep their black deeds secret or to steal someone else's secrets. Some are creating armies of cyber-warriors while some
are deploying cyber-mercenaries to achieve their goal.
A number of ‘so-called’ third world countries are defining
their IT and Cyber Security policies and working hard (and fast) at building internal
capacity and capability. These are strategically planned efforts with clearly defined objectives (we want to be the technology powerhouse in our region in 10 years time).
When we compare such activities with those at home one can
only hangour heads in shame! Since the advent of the internet in 1995 and the
IT Act we are yet to see any national strategy or workable plan. Yes we have seen non-working
policies and delusional visions of our leaders (India is IT Superpower, Mumbai will be Shanghai,
BRTS in Mumbai, Ban Google etc)
Last week the Home Minister announced the formation of a
panel of experts to define a policy for cybercrime. This august panel was to
comprise academics and industry professionals, but has academics and bureaucrats and not a single cybercrime officer.
The action itself smacks of self-aggrandizement and
demonstrates the continuing deficiency of strategic thought OR common sense at the high levels of a supposedly 'aware' government. Without a SINGLE member having cybercrime and/or cyberlaw experience (pray) how does this august panel expect to define a national cybercrime policy
which will actually work.
We can expect another big load of balderdash, alien concepts
or impractical and inane directives on the same lines as the much touted
National Cyber Security Policy (NCSP).
To refresh our memories, the NCSP was announced with much
fanfare in mid 2013 and has, thankfully, remained dormant till now. It has
provisions which are far reaching in thought and reality. So
far, we do not seem to have taken our first steps. A few concern areas from
the NCSP worth mentioning are:
- Suggestion for PPP: without talking about how will the Private
entities benefit from the Public Participation. The government expects free services –
just because they are what? Government?
- The policy says “enabling creation and operationalization of
sectoral CERTs as well as facilitating communication and coordination actions”. These are very noble intentions that sound great but just one line in a national
policy for such an important function! It had to be lost at birth!
- Using PKI for Government communication – we haven’t been
able to get government to stop using public email services and we talk about PKI.
- NCIIPC … where is this gone?
- The piece de
resistance is the last paragraph “This
policy shall be operationalised by way of detailed guidelines and plans of
action at various level such as national, sectoral, state, ministry,
department and enterprise, as may be appropriate, to address the
challenging requirements of security of the cyberspace.”
- that's great and who is responsible, how this will be done, when will this be done and is there a penalty for non-compliance?
Frankly, I can keep going on but this is another story
altogether. If interested you can ask me for my clause-by-clause analysis of the NCSP.
Before I move ahead to the present topic, I must mention
another governmental activity for brownie points to get media attention - around the same time as the
NCSP in 2013, the National Critical Infrastructure Guidelines document was released. It was not really a set of guidelines but was a bad clone of ISO27001 and
was actually a set of controls suggested for the CI Institutions. How
effectively it has been used in the establishment is evident from the fact that
it is not talked about at all. One simple question - does NCIIPC exist? Yes but is it staffed appropriately, and does the staff know what they are supposed to do? Personally I have yet to hear about baby steps of this organization.
Returning to the subject of the proposed Cybercrime Policy
development panel and the serious deficiency on the part of the government
establishment.
It seems no one thought it appropriate to apply their mind to create a strategy, objective / vision
BEFORE nominating names and forming panels to create national policies.
Especially nominating names of persons from unrelated domains. A knee jerk reaction to the world events around cybersecurity or what? And it seems our government is just doing what it always does .. create new security organizations, panels, policies as a knee-jerk reaction whenever a new incident happens!
Doing a root cause analysis of such fiasco type acts it is obvious these are political actions designed to sound and feel good. It ends here as political masters are seriously deficient in cybersecurity knowledge and have short-term memories.
Another surprising factor (for me) is the acceptance of the nomination by these persons of eminence. None of them felt the need
to object saying that cybercrime was not his/her domain. None felt the need to
ask the same Government establishment and functionaries to include additional members,
especially cybercrime specialists.
I do not want to name names but is it so much of a problem for
all nominees to raise a flag against such decisions if working within the government
establishment.
Today there are cybercrime cells across the country and
these are manned by uniformed junior and senior officers of various Law
Enforcement Agencies. The personnel are qualified and professionally trained
and face multiple challenges everyday in the course of their investigations and
fight to control the menace of cybercrime. These cybercrime professionals have
to struggle against the stonewalling tactics of domestic and foreign corporations
in the business of ISP, web hosting etc and have developed an intimate
knowledge of local and international laws, treaties and regulations.
These personnel are acutely aware of the limitations of
Indian laws and policies and possess the leadership of thought for development
of domestic rules and regulations that will help in cybercrime control at all
levels and will help build the image of the country as a resilient nation that
will deal strictly with new-age criminals.
I can only hope that better sense will prevail and that the
powers-that-be will consider a change in their decision making process when
looking at the cyber domain. This is new-age and cutting edge, stuff which has
not been experienced in real life and (seriously) needs to be handled
differently.
High time the establishment undertakes cyber training /
learning and does a reality check to clear their mindset of conventional
thinking so that the knowledge deficiencies are cleared. High time, India
claimed it’s place in the Internet / Technology space as a real leader and not
just a self-proclaimed one.
The internet age needs a new pair of spectacles and no one is buying. It needs a central agency to own and operate security, it needs leaders to think but leaders do not think! It needs governance and transparency but every government is loathe to accept this. It does not need an alphabet soup of organizations with each pushing personal agendas and claiming to be the ultimate cybersecurity organization.
High time, we become the keepers of security in cyberspace
and thought leaders.