New Delhi: Months after the Narendra Modi government launched a massive revamp of its official websites and computer systems to tackle cyber-attacks and hackers, it has warned states of imminent security risks and has sought reports to assess their preparedness to deal with such threats.
In a letter to all states, the Ministry of Electronics & Information Technology (MeitY) said access to digital platforms and services has increased because of the roll out of the ‘Digital India’ programme, and this has extended the scope of cyber-security risks.
The recommended measures
The MeitY’s letter says all states and Union Territories will be required to prepare a Cyber Crisis Management Plan (CCMP), which would include a detailed contingency plan for dealing with crises brought about by cyber-attacks.
The purpose of the CCMP is to establish a strategic framework and guide actions for coordinating recovery from a cyber incident, ensure that the interruptions of critical functions/services in critical sector organisations are brief, infrequent and manageable and cause least possible damage, and to assist organisations to put in place mechanisms to effectively deal with cyber-security crises.
The Centre has a CCMP in place for countering cyber-attacks and cyber-terrorism.
The ministry also said states should participate in periodic cyber-security drills and appoint a chief information security officer for implementing best practices on keeping cyber-space safe.
The letter said states should audit their IT infrastructure, web applications and websites periodically through auditors empanelled by the Indian Computer Emergency Response Team (CERT-In) to “check the resilience of cyber assets against malicious attacks”.
CERT-In, which has been around since 2004, is the central nodal agency responsible for responding to computer security incidents.
Without a law, situation grim
Cyberlaw expert Pavan Duggal, however, said that such steps merely would amount to fixing leaks, and would be “too little, too late” in the absence of a comprehensive cyber-security law.
“The current situation is grim. Cyber-security breaches are constantly on the rise and the lack of a dedicated law has emboldened criminals,” Duggal told ThePrint, adding that even the IT Act is not a law on cyber security, since it just superficially touches the subject.
Duggal cited the examples of China, Singapore, Vietnam and Australia who are bringing in their own cyber security laws, and said that the ‘Digital India’ programme is being expanded without following the basic principles of cyber security.
“Instead of looking to plug loopholes, there should be a focus on the big, holistic picture. There should be a legal framework which would act as a deterrent to cyber security breaches,” he said.
Even past government efforts on tackling crime crimes have seen little implementation, Duggal said.
“The National Cyber Security Policy of 2013 has remained a paper tiger,” he said, adding that the lack of a tough cyber security law does not augur well for the country’s economy either.
More funds and resources
Meanwhile, Sunil Abraham, executive director of Bengaluru-based research organisation Centre for Internet and Society, said the government needs to allocate more funds and resources on cyber security.
“Along with appointing CISOs (chief information security officers) and drafting laws, there should also be a budget to ensure that there is adequate incentive for the market to provide cyber security services,” he said.
For instance, after an e-governance system is developed, it is assumed that it is going to be safe. “But on the contrary, it needs to be constantly monitored for cyber security breaches and that needs a dedicated budget,” Abraham said.
“In addition, the national cyber security policy needs a large budget for implementation.”
Govt website hacks
ThePrint had earlier reported that several government websites have been vulnerable to cyber threats, because of which the National Informatics Centre had launched an overhaul of crucial government websites to make them safer.
While 114 government websites were hacked between April 2017 and January 2018, according to official MeitY data, the ministry had earlier told Parliament that between 2013 and 2016, 707 government websites, including those of central and state government departments, were hacked.
Last year, a high-powered committee was appointed by the Prime Minister’s Office to study a wide range of online challenges, including cyber-crimes, fake news and malicious content, and to come up with a framework to tackle them.
Subsequently, the Ministry of Home Affairs (MHA) had set up a Joint Working Group (JWG) for Public Private Partnership on cyber security at the National Security Council Secretariat, as part of a provision of the National Cyber Security Policy of 2013.
A ‘Cybercrime Survey Report 2017’ by consulting firm KPMG had stated that 79 per cent of Indian companies consider cyber security one of their top five business risks.
From interviews to news reports, catch ThePrint live in action on our YouTube channel. Subscribe here .