(Indian Government) Strategy / Planning Deficiency in Cybersecurity

Jan 04, 2014. This article has been updated based on feedback from friends in government.
The Indian news media is going ga-ga over the proposed cybercrime panel announced by the Home Minister... but not me! I have serious reservations about this activity and hope good sense prevails before the panel gets to work! In case you missed the news, read it here on Deccan Herald, and here on TOI, or search online.

It is an accepted fact that the world is technology dependent, and, that governments and infrastructure will come to a halt in event of non-availability of IT resources. Doomsday and Pearl Harbor scenarios are thrown up by world leaders and every malicious incident is termed as cyberwar accompanied by appropriate war-drum type noises by Presidents, ministers and ministries.

Governments, globally, have a common objective of the necessity of securing their information – whether to keep state secrets or keep their black deeds secret or to steal someone else's secrets. Some are creating armies of cyber-warriors while some are deploying cyber-mercenaries to achieve their goal.  

A number of ‘so-called’ third world countries are defining their IT and Cyber Security policies and working hard (and fast) at building internal capacity and capability. These are strategically planned efforts with clearly defined objectives (we want to be the technology powerhouse in our region in 10 years' time).

When we compare such activities with those at home, we can only hang our heads in shame! Since the advent of the internet in 1995 and the IT Act we are yet to see any national strategy or workable plan. Yes, we have seen non-working policies and delusional visions of our leaders (India is IT Superpower, Mumbai will be Shanghai, BRTS in Mumbai, Ban Google etc).

Last week the Home Minister announced the formation of a panel of experts to define a policy for cybercrime. This august panel was to comprise academics and industry professionals, but has academics and bureaucrats and not a single cybercrime officer.

The action itself smacks of self-aggrandizement and demonstrates the continuing deficiency of strategic thought OR common sense at the high levels of a supposedly 'aware' government. Without a SINGLE member having cybercrime and/or cyberlaw experience, (pray) how does this august panel expect to define a national cybercrime policy which will actually work?

We can expect another big load of balderdash, alien concepts or impractical and inane directives on the same lines as the much touted National Cyber Security Policy (NCSP).

To refresh our memories, the NCSP was announced with much fanfare in mid 2013 and has, thankfully, remained dormant till now. It has provisions which are far reaching in thought and reality. So far, we do not seem to have taken our first steps. A few concern areas from the NCSP worth mentioning are:

Frankly, I can keep going on but this is another story altogether. If interested you can ask me for my clause-by-clause analysis of the NCSP. 

Before I move ahead to the present topic, I must mention another governmental activity for brownie points to get media attention - around the same time as the NCSP in 2013, the National Critical Infrastructure Guidelines document was released. It was not really a set of guidelines but was a bad clone of ISO27001 and was actually a set of controls suggested for the CI Institutions. How effectively it has been used in the establishment is evident from the fact that it is not talked about at all. One simple question - does NCIIPC exist? Yes but is it staffed appropriately, and does the staff know what they are supposed to do? Personally I have yet to hear about baby steps of this organization. 

Returning to the subject of the proposed Cybercrime Policy development panel and the serious deficiency on the part of the government establishment. 

It seems no one thought it appropriate to apply their mind to create a strategy, objective / vision BEFORE nominating names and forming panels to create national policies. Especially nominating names of persons from unrelated domains. A knee-jerk reaction to the world events around cybersecurity or what? And it seems our government is just doing what it always does... create new security organizations, panels, policies as a knee-jerk reaction whenever a new incident happens!

Doing a root cause analysis of such fiasco-type acts, it is obvious these are political actions designed to sound and feel good. It ends here as political masters are seriously deficient in cybersecurity knowledge and have short-term memories.

Another surprising factor (for me) is the acceptance of the nomination by these persons of eminence. None of them felt the need to object saying that cybercrime was not his/her domain. None felt the need to ask the same Government establishment and functionaries to include additional members, especially cybercrime specialists.

I do not want to name names, but is it so much of a problem for all nominees to raise a flag against such decisions if working within the government establishment?

Today there are cybercrime cells across the country and these are manned by uniformed junior and senior officers of various Law Enforcement Agencies. The personnel are qualified and professionally trained and face multiple challenges every day in the course of their investigations and fight to control the menace of cybercrime. These cybercrime professionals have to struggle against the stonewalling tactics of domestic and foreign corporations in the business of ISP, web hosting etc. and have developed an intimate knowledge of local and international laws, treaties and regulations.

These personnel are acutely aware of the limitations of Indian laws and policies and possess the leadership of thought for development of domestic rules and regulations that will help in cybercrime control at all levels and will help build the image of the country as a resilient nation that will deal strictly with new-age criminals.

I can only hope that better sense will prevail and that the powers-that-be will consider a change in their decision-making process when looking at the cyber domain. This is new-age, cutting-edge stuff which has not been experienced in real life and (seriously) needs to be handled differently.

High time the establishment undertakes cyber training / learning and does a reality check to clear their mindset of conventional thinking so that the knowledge deficiencies are cleared. High time India claimed its place in the Internet / Technology space as a real leader and not just a self-proclaimed one.

The internet age needs a new pair of spectacles and no one is buying. It needs a central agency to own and operate security; it needs leaders to think, but leaders do not think! It needs governance and transparency but every government is loath to accept this. It does not need an alphabet soup of organizations with each pushing personal agendas and claiming to be the ultimate cybersecurity organization.

High time we become the keepers of security in cyberspace and thought leaders.
