Cyber Security Strategy

A cyber security strategy has been outlined by DIT to address the strategic objectives for securing country's
cyber space and is being implemented through the following major initiatives:
• Security Policy, Compliance and Assurance
• Security Incident Early Warning & Response
• Security training skills/competence development & user end awareness.
• Security R&D for Securing the Infrastructure, meeting the domain specific needs and enabling
technologies
• Security Promotion & Publicity

Overview
In less than two decades, advances in information and communications technologies have revolutionized
government, scientific, educational, and commercial infrastructures. Powerful personal computers, high-
bandwidth and wireless networking technologies, and the widespread use of the Internet have transformed
stand-alone systems and predominantly closed networks into a virtually seamless fabric of interconnectivity.
The types of devices that can connect to this vast information technology (IT) infrastructure have multiplied
to include not only fixed wired devices but mobile wireless ones. A growing percentage of access is through
always-on connections, and users and organizations are increasingly interconnected across physical and
logical networks, organizational boundaries, and national borders. As the fabric of connectivity has
broadened, the volume of electronic information exchanged through what is popularly known as cyberspace
has grown dramatically and expanded beyond traditional traffic to include multimedia data, process control
signals, and other forms of data. New applications and services that use IT infrastructure capabilities are
constantly emerging.
The IT infrastructure has become an integral part of the critical infrastructures of the country. The IT
infrastructures interconnected computers, servers, storage devices, routers, switches, and wire line,
wireless, and hybrid links increasingly support the functioning of such critical national capabilities as power
grids, emergency communications systems, financial systems, and air traffic- control networks. The
operational stability and security of critical information infrastructure is vital for economic security of the
country.
In addition to its underlying role in critical information infrastructures, the IT infrastructure enables large-
scale processes throughout the economy, facilitating complex interactions among systems across global
networks. Their interactions propel innovation in industrial design and manufacturing, e-commerce, e-
governance, communications, and many other economic sectors. The IT infrastructure provides for the
processing, transmission, and storage of vast amounts of vital information used in every domain of society,
and it enables government agencies to rapidly interact with each other as well as with industry, citizens,
state and local governments, and the governments of other nations.

Technology Trends
The risks associated with current and anticipated vulnerabilities of, threats to, and attacks against the IT
infrastructure provide the rationale for this strategy. Fast-shifting trends in both technologies and threats
make it likely that the security issues of the IT infrastructure will only intensify in the coming years.
Key areas of concern include:
• The increasing complexity of IT systems and networks, which will present mounting security
challenges for both the providers and consumers
• The evolving nature of the telecommunications infrastructure, as the traditional phone system and
IT networks converge into a more unified architecture
• The expanding wireless connectivity to individual computers and networks, which increases their
exposure to attack. In hybrid or all-wireless network environments, the traditional defensive approach of
 securing the perimeter is not effective because it is increasingly difficult to determine the physical and
logical boundaries of networks.
• The increasing interconnectivity and accessibility of (and consequently, risk to) computer-based
systems that are critical to the countrys economy, including supply chain management systems, financial
sector networks, and distributed control systems for factories and utilities
• The breadth and increasingly global nature of the IT supply chain, which will increase opportunities
for subversion from attackers within and outside the country.

Current Scenario
In the current climate of elevated risk created by the vulnerabilities of and threats to the Nations IT
infrastructure, cyber security is not just a paperwork drill. Adversaries are capable of launching harmful
attacks on IT systems, networks, and information assets. Such attacks could damage both the IT
infrastructure and other critical infrastructures. Cyber security is slowly gaining wider adoption in many
consumer products for a variety of reasons, due to appreciation of consequences of insecurity, the need for
developing secure products, performance and cost penalties, improved user convenience, need for
implementing and consistently maintaining security practices, and importance of assessing the value of
security improvements. But consumer and enterprise concerns have been heightened by increasingly
sophisticated hacker attacks and identity thefts, warnings of âcyber terrorism, and the pervasiveness of IT
uses. Consequently, many in the industry and critical infrastructure organizations have come to recognize
that their continued ability to gain consumer confidence will depend on improved software development,
systems engineering practices and the adoption of strengthened security models and best practices.
In order to highlight the growing threat to information security in India and focus related actions,
Government had set up an Inter Departmental Information Security Task Force (ISTF) with National Security
Council as the nodal agency. The Task Force studied and deliberated on the issues such as
• National Information Security Threat Perceptions
• Critical Minimum Infrastructure to be protected
• Ways and means of ensuring Information Security including identification of relevant technologies
• Legal procedures required to ensure Information Security
• Awareness, Training and Research in Information Security
In line with the recommendations of the ISTF, the following initiatives have been taken by the Government
• Indian Computer Emergency Response Team (CERT-In) has been established to respond to the
cyber security incidents and take steps to prevent recurrence of the same
• PKI infrastructure has been set up to support implementation of Information Technology Act and
promote use of Digital Signatures
• Government has been supporting R&D activities through premier Academic and Public Sector
Institutions in the country
• Information Security Policy Assurance Framework for the protection of Government cyberspace and
critical infrastructure has been developed.
 The Government has mandated implementation of Security Policy in accordance with the
Information Security Standard ISO 27001

 Currently in India 246 organisations have obtained certification against the Information
Security Standard ISO 27001 as against total number of 2814 ISMS certificates issued worldwide. Majority
of ISMS certificates issued in India belong to IT/ITES/BPO sectors.

 Security Auditors have been empanelled for auditing, including vulnerability assessment &
penetration testing of computer systems & networks of various organizations of the government, critical
infrastructure organizations and those in other sectors of the Indian economy.

• Nation wide Information Security Education and Awareness Program has been launched

Strategic Approach
 Consistent with the need, the primary objectives for securing country's cyber space
are:

• Preventing cyber attacks against the country's critical infrastructures

• Reduce national vulnerability to cyber attacks
• Minimise damage and recovery time from cyber attacks

Actions to secure cyberspace include:

• Forensics and attack attribution

• Protection of networks and systems critical to national security
• Early watch and warnings
• Protection against organized attacks capable of inflicting debilitating damage to the economy
• research and technology development that will enable the critical infrastructure organisations to
secure their IT assets

To pursue the strategic objectives the following major initiatives have been identified:

• Security Policy, Compliance and Assurance

• Security Incident - Early Warning & Response
• Security training - skills/competence development & user end awareness.
• Security R&D for Securing the Infrastructure, meeting the domain specific needs and enabling
technologies
• Security - Promotion & Publicity

I. Security Policy, Compliance and Assurance

Focus: Creation, Establishment and operation of Cyber Security Assurance Framework aimed at enabling
Government, Critical Infrastructure Organisations and other key IT users of nation's economy

(a) Critical Inforamtion Infrastructure Protection

Many of the critical services that are essential to the well being of the economy are increasingly becoming
dependent on IT. As such, the Government is making efforts to identify the core services that need to be
protected from electronic attacks and is seeking to work with organisations responsible for these systems so
that their services are secured in a way that is proportional to the threat perception. The primary focus of
these efforts is to secure the information resources belonging to Government as well as those in the critical
sectors. The critical sectors include Defence, Finance, Energy, Transportation and Telecommunications.
Consequently, many in the industry and critical infrastructure organizations have come to recognize that
their continued ability to gain consumer confidence will depend on improved software development, systems
engineering practices and the adoption of strengthened security models and best practices.

(b) Cyber Security Assurance Framework

Cyber Security Assurance Framework is a National framework for "Cyber Security Assurance" to assist
National level efforts in protecting critical information infrastructure. It aims to cater to the security
assurance needs of Government and critical infrastructure organisations through "Enabling and Endorsing"
actions.
Enabling actions are essentially Promotional/Advisory/Regulatory in nature and are best done by Govt. or its
authorized entity that can be seen and perceived as independent of bias and/or commercial interests. They
involve publication of "National Security Policy Compliance requirements" and IT security guidelines and
supporting documents to facilitate IT security implementation and compliance
 Endorsing actions are essentially commercial in nature and may involve more than one service provider
offering commercial services after having fulfilled requisite qualification criteria and demonstrated ability
prior to empanelment. These include
• Assessment and certification of compliance to IT security best practices, standards and guidelines
(Ex. ISO 27001/BS 7799 ISMS certification, IS system audits etc)
• IT Security product evaluation and certification as per 'Common Criteria' standard ISO 15408 and
Crypto module verification standards
• IT security manpower training and other services to assist user in IT security implementation and
compliance

Trusted company certification

With India emerging as a leading outsourcing partner, there is a need to address perceptible gap among
Indian IT/ITES/BPOs in respect of compliance to international standards and best practices on security and
privacy. Today, although increasing number of organisations in India have aligned their internal processes
and practices to international standards such as ISO 9000, CMM, Six Sigma, Total Quality Management, ISO
27001 etc., it is to be noted that existing models such as SEI CMM levels cover exclusively software
development processes and do not address security issues. As such, there is a need for a comprehensive
assurance framework that can enable compliance within the country and provide assurance on compliance
to out sourcing organizations and rest of the world. Accordingly, efforts are on to create a model that is
based on self-certification concept and on the lines of Software capability maturity model (SW-CMM) of CMU,
USA.

II. Security incident - Early Warning & Response

Focus: Creation of National Cyber Alert System for Rapid identification & response to security incidents and
information exchange to reduce the risk of cyber threat and resultant effects.
(a) Rapid identification, information exchange, and remediation can often mitigate the damage caused by
malicious cyberspace activity. For those activities to take place effectively at a national level, it requires a
partnership between government and industry to perform analyses, issue warnings, and coordinate
response efforts. Because no cyber security plan can be impervious to concerted and intelligent attacks,
information systems must be able to operate while under attack and also have the resilience to restore full
operations in their wake. The National Cyber Alert System will involve critical infrastructure organizations,
public and private institutions to perform analysis, conduct watch and warning activities, enable information
exchange, and facilitate restoration efforts.

(b) The essential actions under National Cyber Alert System include:

• Identification of focal points in the critical infrastructure

• Establish a public-private architecture for responding to national - level cyber incidents
• Tactical and strategic analysis of cyber attacks and vulnerability assessments;
• Expand the Cyber Warning and Information Network to support the role of Government in
coordinating crisis management for cyberspace security;
• Improve national incident response capabilities (CERT-In and Sectoral CERTs)
• Exercise cyber security continuity plans and drills

(c) Creation and Augmentation of Response Capabilities

Augmentation of CERT-In: CERT-In is operational since January 2004 and is catering to the security
needs of Indian Cyber community, especially the Critical Information Infrastructure. In line with the
expectation of the user community and various stake holders, there is a need to augment the facilities at
CERT-In in terms of Manpower, Communication systems, tools, etc. for vulnerability prediction, analysis &
 mitigation, Cyber forensics/artifact analysis, Cyber space monitoring & interception Capabilities and Critical
information infrastructure Security health check. The National Information Board and National Security
Council have endorsed the need for augmentation of facilities at CERT-In.
Creation/augmentation of Sectoral CERTs: For an effective National Cyber Security Alert System, there
is a need to create sectoral CERTs to cater to the very specific domain needs of different sectors. In this
direction sectoral CERTs have been established by Army, Air force and Navy in Defense sector, IDRBT in
Finance sector. But the facilities of these sectoral CERTs are at primitive levels and need to be augmented to
meet the needs of respective sectors. Similarity sectoral CERTs with state-of-the-art facilities need to be
created in other critical sectors such as Aviation, Energy, Telecommunication, Railways etc.

(d) International cooperation and information sharing

The cyber threat sources and attacks span across countries. As such as there is a need to enhanced global
cooperation among security agencies, CERTs and Law Enforcement agencies of various countries to
effectively mitigate cyber threats. Accordingly it vital to have well developed Cyber Security and Information
Assurance research and development Programme which is executed through different government agencies
in broad collaboration with private sectors, partners and stakeholders in academia, national and
international agencies.
In this context the priorities for collaboration are:
• Cyber Security and Information Assurance Technology to prevent, protect against, detecting,
responding, and recovering from cyber attacks in critical information infrastructure that may have large-
scale consequences.
• Collaboration for training personnel in implementing and monitoring secure government intranets
and cyber space
• Joint R&D projects in the area of Steganography, water marking of documents, security of next
generation networks and Cyber Forensics
• Coordination in early warning, threat & vulnerability analysis and incident tracking
• Cyber security drills/exercises to test the vulnerability & preparedness of critical sectors

III. Security training - Security, Digital Evidence & Forensics

Focus - To meet the specific needs of Law Enforcement, Judiciary and other users such as E-Governance
project owners catering for
• A baseline for IT Security awareness
• Skill & Competence development
• Advanced Manpower Certification programmes
Many cyber vulnerabilities exist because of lack of cyber security awareness on the part of computer users,
system/network administrators, technology developers, auditors, Chief Information Officers (CIOs), Chief
Executive Officers (CEOs), and Corporates. A lack of trained personnel and the absence of widely accepted,
multi-level certification programs for cyber security professionals complicate the task of addressing cyber
vulnerabilities. This Cyber Security Strategy identifies following major actions and initiatives for user
awareness, education, and training:
• Promote a comprehensive national awareness program
• Foster adequate training and education programs to support the Nation's cyber security needs
• Increase the efficiency of existing cyber security training programs and devise domain specific
training programs (ex: Law Enforcement, Judiciary, E-Governance etc)
• Promote private-sector support for well-coordinated, widely recognized professional cyber security
certifications.

IV. Security R&D

Focus: Facilitating Basic research, Technology demonstration and Proof-of concept and R&D test bed
projects
(a) Indigenous R&D is an essential component of national information security measure due to various
reasons- a major one being export restrictions on sophisticated products by advanced countries. Second
major reason for undertaking R&D is to build confidence that an imported IT security product itself does not
turn out to be a veiled security threat. Other benefits include creation of knowledge and expertise to face
new and emerging security challenges, to produce cost-effective, tailor-made indigenous security solutions
and even compete for export market in information security products and services. Success in technological
innovation is significantly facilitated by a sound S&T environment. Resources like skilled manpower and
infrastructure created through pre-competitive public funded projects provide much needed inputs to
entrepreneurs to be globally competitive through further R&D. Private sector is expected to play a key role
in meeting needs of short term R&D leading to commercially viable products. Besides in-house R&D, this
sector may find it attractive to undertake collaborative R&D with leading research organisations.

Role of Government
The IT infrastructures significance to the country has gained visibility in the recent years due to cyber
attacks and rapid growth in identity theft and financial frauds. These events have made it increasingly clear
that the security of the IT infrastructure has become a key strategic interest to the Government. Although
the industry now making investments in security-related infrastructure, their actions are directed primarily
at short-term efforts driven by market demands to address immediate security problems.
The Government has a different but equally important role to play in cyber security assurance in the form of
long-term strategies. In this direction, the deliberations of the National Information Board (NIB), National
Security Council (NSC) have stressed the importance of a national strategy on cyber security, development
of national capabilities for ensuring adequate protection of critical information infrastructures including rapid
response and remediation to security incidents, long term investments in infrastructure facilities, capacity
building and R&D. Governments responsibilities in long-term investment and fundamental research will
enable development of new concepts, technologies, infrastructure prototypes, and trained personnel needed
to spur on next-generation security solutions.
Government leadership catalyzes activities of strategic importance to the Nation. In cyber security
assurance, such leadership can energize a broad collaboration with private-sector partners and stakeholders
to generate fundamental technological advances in the security of the Nations IT infrastructure. First, in
support of national and economic security, the Government should identify the most dangerous classes of
cyber security assurance threats to the Nation, the most critical IT infrastructure vulnerabilities, and the
most difficult cyber security assurance problems. Second, the Government can use these findings to develop
and implement a coordinated R&D effort focused on the key research needs that can only be addressed with
such leadership. While these needs will evolve over time, this Cyber Security Strategy provides a starting
point for such an effort.
Public-private partnership is a key component of Cyber Security Strategy. These partnerships can usefully
confront coordination problems. They can significantly enhance information exchange and cooperation.
Public-private engagement will take a variety of forms and will address awareness, training, technological
improvements, vulnerability remediation, and recovery operations.

Cyber Laws
Provides legal recognition to electronic documents and a framework to support e-filing and e-commerce
transactions and also provides a legal framework to mitigate, check cyber crimes.