NASSCOM-DSCI Cyber Security Advisory Group (CSAG) Report

NASSCOM
PROMOTING DATA PROTECTION
NASSCOM-DSCI CYBER SECURITY ADVISORY GROUP REPORT
securing our
cyber frontiers
About NASSCOM
NASSCOM is the premier body and the chamber of commerce of the IT-BPO industries in India. NASSCOM is a global
trade body with more than 1200 members which include both Indian and multinational companies that have a
presence in India. NASSCOM's member and associate member companies are broadly in the business of software
development, software services, software products, consulting services, BPO services, e-commerce & web services,
engineering services offshoring and animation and gaming and constitute over 95 % of the industry revenues in India
and employs over 2.24 million professionals.
NASSCOM's Vision is to maintain India's leadership position in the global sourcing IT industry, to grow the market by
enabling industry to tap into emerging opportunity areas and to strengthen the domestic market in India. NASSCOM
aims to drive the overall growth of the global offshoring market and maintain India's leadership position, by taking up
the role of a strategic advisor to the industry.
About DSCI
DSCI is a focal body on data protection in India, setup as an independent Self-Regulatory Organization (SRO) by
NASSCOM, to promote data protection, develop security and privacy best practices & standards and encourage the
Indian industries to implement the same.
DSCI is engaged with the Indian IT/BPO industry, their clients worldwide, Banking and Telecom sectors, industry
associations, data protection authorities and other government agencies in different countries. It conducts industry
wide surveys and publishes reports, organizes data protection awareness seminars, workshops, projects, interactions
and other necessary initiatives for outreach and public advocacy. DSCI is focused on capacity building of Law
Enforcement Agencies for combating cyber crimes in the country and towards this; it operates several Cyber labs
across India to train police officers, prosecutors and judicial officers in cyber forensics.
Public Advocacy, Thought Leadership, Awareness and Outreach and Capacity Building are the key words with which
DSCI continues to promote and enhance trust in India as a secure global sourcing hub, and promotes data protection
in the country.
For more information on this report, contact:
DATA SECURITY COUNCIL OF INDIA

Niryat Bhawan, 3rd Floor, Rao Tula Ram Marg, New Delhi-110057, India
Phone: +91-26155070, Fax: +91 -26155072
Email: info@dsci.in
Published in March 2012

Copyright 2012 NASSCOM and DSCI. All rights reserved.
Designed & Printed by

Swati Communications
+ 91 11 41659877, + 91 9213132174
Disclaimer
This document contains information that is Intellectual Property of NASSCOM and DSCI. NASSCOM and DSCI expressly disclaim to the
maximum limit permissible by law, all warranties, express or implied, including, but not limiting to implied warranties of merchantability,
fitness for a particular purpose and non-infringement. NASSCOM and DSCI disclaim responsibility for any loss, injury, liability or damage
of any kind resulting from and arising out of use this material/information or part thereof. Views expressed herein are views of NASSCOM
and DSCI and /or their respective authors and should not be construed as legal advice or legal opinion. Further, the general availability of
information or part thereof does not intend to constitute legal advice or to create a Lawyer/Attorney-Client relationships, in any manner
whatsoever.
Foreword
he whole world suddenly appears to be waking up to the cyber security

challenge. Countries are framing policies at the national level; there
are several international initiatives for global cooperation to meet this
challenge. Why are we all so concerned about the cyberspace? This is because
our dependence on cyberspace is expanding, while cyber attacks on critical
infrastructure are increasing, and threat landscape is getting worse. Whether it
is connecting with suppliers, ordering goods, floating e-procurement tenders,
making payments to employees and vendors, communicating within and outside
of organizations, it is the cyberspace that is used to connect, do business, and
reach out to the public. Even military establishments have to use private and
public networks for their interactions with suppliers, payment systems, and other organizations in the public and
private sectors, although they may use intranets for secure internal communications.
India is no exception - our dependence on technology as a nation is increasing the Indian economy is going the
e-way - growth in e-commerce, e-payments, card circulation, domestic IT market spending, internet user base
are the leading indicators. Government is relying on technology to solve governance problems whether it is
service delivery or financial inclusion. Technology has become the lifeline of critical infrastructures such as energy,
telecommunication, banking, stock exchanges, etc. Businesses are leveraging technology to transform their business
models. Defence and Police agencies are making strategic use of technology to modernize. As a nation were as
much the victim of cyber attacks as any other country. The attackers are both local, and global driven by passion
for crimes such as financial frauds or terrorism; crime syndicates; nation-states attacking directly or using non-state
actors for economic and political espionage. Attacks on critical infrastructure can have crippling effects on civilians,
with outcomes similar to those achieved by traditional war. Several recent examples testify to this. Cyber security is
clearly important for national security.
In such a scenario, it is essential for us as a country to comprehensively understand the threats associated with the
use of technology and operating in cyberspace- which has emerged as the fifth domain after land, sea, air and space;
it has no geographical boundaries and cuts across jurisdictions. Public-Private Partnership is the key to enhance cyber
security, as more and more critical infrastructure is owned and operated by the private sector. The government has a
larger role to lead such initiatives from the front since national security is involved. The policy challenges to incentivize
the private sector to spend more on security than what the business case would justify, have to be addressed. On the
other hand, the industry needs to be more proactive on engaging with the government on cyber policy issues. It has
to take security seriously by raising it to the Board level and giving security leaders more authority and support.
The IT-BPO industry has witnessed phenomenal growth over the years - it has grown from a USD 100 million industry
to USD 100 billion this year over a period of 12 years; it accounts for 6.4% of Indias GDP and succeeded in positioning
India as the global hub of IT and BPO services. In this journey it has overcome several challenges specifically the data
protection related concerns of clients and regulators abroad. The industry, through NASSCOM, has taken proactive
steps such as the establishment of Data Security Council of India (DSCI) as a self-regulatory organization to create and
promote best practices frameworks for data security and privacy protection, keeping in view the target of achieving
the industry revenue projection of USD 225 billion by 2020. Given its international experience of managing security
and technology expertise, the IT/BPO industry is uniquely positioned to contribute in the cyber security initiatives
of the country specifically through public-private partnerships.
NASSCOM and DSCI established Cyber Security Advisory Group (CSAG) to bring public and private sector together
to deliberate on cyberspace issues, understand the steps taken by other countries, and to identify priority areas for
SECURING OUR CYBER FRONTIERS
action. The key recommendations made by the group, identify ten such areas along with the role of government
and the industry for each area. These recommendations have been developed after taking into consideration the
ongoing global cyber security efforts and developments while keeping the Indian environment in context. I strongly
believe that the government will find the CSAG Report thought provoking and useful in creating appropriate policy
instruments for enhancing cyber security in the country.
I would like to thank all the CSAG members for actively participating in this initiative and making valuable contributions.
My special thanks to Dr. Kamlesh Bajaj, CEO, DSCI for steering this Group and leading the DSCI team in preparing
this Report. Under his leadership DSCI has helped bring cyber security into focus among the industry and other
stakeholders in the country and is emerging as a think tank in data protection and cyber security. On behalf of the
Group, I extend my thanks to the DSCI team for driving the overall process in an efficient, effective and collaborative
manner.
Rajendra Pawar
22 March, 2012
NASSCOM-DSCI CSAG REPORT
Chairman, CSAG
Chairman, Executive Council, NASSCOM
Chairman & Co-founder, NIIT Group
Executive Summary
Cyberspace is emerging as a game changer in the information age. Developed and developing countries are exploiting
cyberspace to leap ahead in the future development and augmentation of critical infrastructure, electronic delivery
of government & business services, increasing productivity, new business models, etc. However, the same cyberspace
is being equally exploited by terrorists, criminals and even adversary nation-states for disrupting critical infrastructures,
stealing secrets, carrying financial frauds, recruiting criminals, etc. What makes cyberspace even more attractive to
criminals is that attribution in cyberspace is difficult, especially given that cyberspace is borderless and cuts across
jurisdictions. It allows criminals to launch attacks remotely from anywhere in the world. Cyberspace is changing the
power equations a bunch of cyber criminals can now take on powerful nations. Whats even worse is that the effects
of cyber attacks can be similar to physical attacks. National security is getting increasingly linked to cyber security.
A nations cyberspace is part of the global cyberspace and no nation can protect its cyberspace in isolation. Cyber
security is a global problem requiring mobilization of action both at national and international levels. Nations are at
cross roads and there are lot of cyber security policy related discussions and debates taking place around the world.
Nations have taken significant efforts to secure their cyberspace and yet they have been repeatedly attacked.
India is leveraging the power of technology to address its social, economic and development challenges. However,
if cyber threats are not addressed through appropriate policy measures, they can disrupt countrys economic
development. Though several initiatives have been taken by the government and industry, these efforts need to
be further augmented, given the gravity of the problem. NASSCOM and DSCI created the Cyber Security Advisory
Group (CSAG), having representation from public and private sectors, to recommend the priority policy action items
for the government based on the global developments and learning.
The key recommendations of the CSAG are listed below:
1.
Create a National Structure for Cyber Security which clearly defines roles and responsibilities for every
stakeholder, establishes coordination & information sharing mechanisms, focuses on building Public Private
Partnership models and creates environment for enhancing trust between the industry and government.
A fully empowered head for Cyber Security should be appointed, positioned at the highest level within
the government.
2.
Design and Implement a Competency Framework for building a competent and adequate Cyber Security
Workforce. The Competency Framework should assess the security skills requirements, identify existing gaps
& challenges, define competency areas across different security roles and devise strategies and programs
for building the required capacity.
3.
Create and maintain an Inventory of Critical Information Infrastructure in the country to provide the
required visibility over the critical information infrastructure and help prioritize deployment and monitoring
of the protection measures.
4.
Establish a Centre of Excellence for Best Practices in Cyber Security to institutionalize the development,
sharing, collation, distribution and implementation of best practices in the country.
5.
Establish a National Threat Intelligence Centre which should integrate all the existing information sources
such as sectoral CERTs, intelligence bodies, security alerts issued by security vendors, threats seen by critical
sectors and industry to enable cross-domain awareness and a comprehensive view of cyber threats at a
national level.
6.
Build Capacity of the Law Enforcement Agencies in Cyber Crime Investigations and Cyber Forensics by
establishing training facilities in every state and union territory.
7.
Build Lawful Interception Capabilities for balancing national security and economic growth by establishing
a national centre for performing research in encryption and cryptanalysis.
8.
Establish a Centre of Excellence for Cyber Security Research to develop solutions that will protect countrys
information infrastructure in the future by defining and executing a research roadmap developed based
on countrys research needs.
9.
Set up Testing Labs for accreditation of ICT products to mitigate security risks arising from procurement
of ICT products especially from foreign vendors and yet take full benefits from the global supply chain that
includes access to world class products, services and expertise at competitive prices.
10. Establish a Cyber Command within the defence forces to defend the Indian Cyberspace. The Cyber
Command should be equipped with defensive and offensive cyber weapons, and manpower trained in
cyber warfare.
The government should implement the above recommendations in parallel through effective public-private
partnerships. The industry should actively support the government in the implementation of these recommendations.
Government and industry cannot overcome the cyber security challenge in isolation; the imperative is to work
together in a trusted and collaborative environment, leveraging each others strengths to strengthen the cyber
security posture of the country and take lead in global cyber security efforts
Contents
1.
Background ..........................................................................................................................................7
2.
Cyber
2.1
2.2
2.3
2.4
3.
Indian Cyberspace and Cyber Security Initiatives............................................................................15

3.1
Indian economy going the e-Way.......................................................................................15
3.2
The Threat Landscape..............................................................................................................17
3.3
Legal Framework Information Technology (Amendment) Act, 2008........................19
3.4
Policy Initiatives......................................................................................................................19
3.4.1 Draft National Cyber Security Policy........................................................................19
3.4.2 Triad of Policies to drive a National Agenda for ICTE ..........................................20
3.5
Cyber Security Initiatives.......................................................................................................22
3.5.1 Government Initiatives...............................................................................................22
3.5.2 NASSCOM and DSCI Initiatives..................................................................................24
4.
Key Learning and Imperatives for India .............................................................................................27

4.1
Key Learning for India.............................................................................................................27
4.1.1 Cyber Security A Top Government Priority...........................................................27
4.1.2 Critical Information Infrastructure Protection Regulate versus Incentivize ...27
4.1.3 ICT Supply Chain Risks Foreign versus Indigenous.......................................... 28
4.1.4 Encryption National Security versus Economic Growth ................................... 29
4.2
Imperatives for India .............................................................................................................30
5.
CSAG Recommendations..................................................................................................................31
5.1
Key CSAG Recommendations..............................................................................................31
5.2
Additional CSAG Recommendations..................................................................................37
6.
Public-Private Partnerships in Cyber Security and Role of DSCI.................................................41
Security A Global Issue.........................................................................................................9

Cyberspace A Game Changer.............................................................................................9
Cyber Threats..........................................................................................................................10
Cyber Security Challenges.......................................................................................................12
The Imperatives.......................................................................................................................13
Epilogue..............................................................................................................................................43
Appendix............................................................................................................................................45
I.
Proposed National Cyber Security Structure.................................................................................47
II.
Global Cyber Security Initiatives......................................................................................................48
United States of America......................................................................................................48
United Kingdom.....................................................................................................................61
Australia..................................................................................................................................65
Japan.......................................................................................................................................69
1. Background
Over the years NASSCOM has played a vital role in the area of public policy through advocacy in India. It works with the
Indian government on a variety of initiatives and issues affecting not only the IT/BPO industry but also infrastructure,
education and manpower development; employment generation through skill development in the country at large.
DSCI, a not for profit company set up by NASSCOM, has also been closely working with the government on a number
of initiatives and issues pertaining to data security, data privacy and cyber security.
Today, given the increasing dependence on information and communication technologies (ICT), especially the
Internet, for delivery of services, one of the biggest challenges the world faces is that of cyber security. Governments
around the world are formulating cyber security strategies and policies to effectively manage the risks, which are
global in nature. Department of Information Technology (DIT), Government of India has launched a number of
initiatives over the last few years, to enhance cyber security; it has also released a draft national cyber security policy
for public consultation. It highlighted Public-Private Partnership (PPP) as a key component as more and more Critical
Information Infrastructure is owned and operated by the private sector.
Given the importance of cyber security because of it being closely associated with national security, and the role
of private sector; NASSCOM and DSCI constituted Cyber Security Advisory Group (CSAG) with representation of
various stakeholders - both from the public and private sectors - to provide recommendations to the government on
PPP in capacity building and policy making. The CSAG was chaired by the Chairman of NASSCOM Executive Council,
with the CEO of DSCI acting as Member Secretary.
The first meeting of the CSAG was held on 4th October, 2011 at DSCI office. As a result of the discussions held, NASSCOM
DSCI formed 7 sub-groups namely - Critical Infrastructure Protection, Best Practices for Cyber Security, Early
Watch and Warning System, Education & Awareness, Law Enforcement Capability Development, Assurance
in ICT Supply Chain and Cyber Warfare. Members in these sub-groups were requested to deliberate on the threats
in their respective areas, study emerging trends and policy evolution and the experience of implementing them in
other countries, and evolve policies of relevance to the Indian context.
DSCI consolidated the preliminary recommendations provided by the CSAG members and also did an extensive study
by studying polices and initiatives of these countries1 and Indias initiatives to develop its own recommendations.
The consolidated preliminary recommendations were brainstormed in the second meeting of the CSAG held on 6th
February, 2012 at NASSCOM office. In this meeting, it emerged that the CSAG group should prioritize the existing
recommendations to provide the government key priority areas for action, detailing the role of the industry in each
such area. As a result, the CSAG group has come out with ten key pragmatic and actionable recommendations
which also detail the role of the government and industry. Other recommendations are also detailed for completeness
of the CSAG Report.
1 The detailed study of cyber security initiatives of US, UK, Australia and Japan have been presented in the Appendix of this report
2. Cyber Security A Global Issue

2.1 Cyberspace A Game Changer
Cyberspace is a global commons, albeit of a new kind, since it is man-made and ever expanding. It comprises IT
networks, computer resources, and all the fixed and mobile devices connected to the global Internet. During the
evolutionary stage of the global digital Internet, the key considerations were interoperability and availability. Moreover,
it was a closed user group involving academics from a few universities. Suddenly, it was thrown open to the world
and has grown exponentially ever since.
Cyberspace is a national asset too, since it enables a host of business and government services to citizens; critical
infrastructure depends on it for its efficient operations. In fact, economies of advanced nations almost entirely depend
upon technology in cyberspace. It has become the lifeline of critical infrastructures such as energy, telecommunication,
banking, stock exchanges, etc. Businesses are leveraging technology to transform their business models; Defence
and Police agencies are making strategic use of technology to modernize.
Social networking platforms a phenomenon that has gripped the entire world - have enabled people to come
together and change the way they interact socially. It has not only initiated connections, but has managed to sustain
the growing interconnect by engaging people in different interests of their choice. Currently, Facebook has around
800 million users, which are expected to reach 1 billion by August 2012. Tweets on Twitter grew from 500 K in 2007 to
more than 4 billion in Q1 of 2010, to over 1 billion tweets every week this year with a community of 225 million users.
The Arab Spring, Jasmine Revolution in China, Occupy Wall Street etc. have exemplified that the growing community
of hundreds of thousands of people can be mobilized for a cause through social media. In contrast, London riots
were supposedly fuelled by social media.
Given the kind of activities being carried out in the cyberspace, cyberspace merges seamlessly with the physical
world. But so do cyber crimes. Cyber attackers can disrupt critical infrastructures such as financial and air traffic
control systems, producing effects that are similar to terrorist attacks in the physical space They can also carry out
identity theft and financial fraud; steal corporate information such as intellectual property; conduct espionage to
steal state and military secrets; and recruit criminals and others to carry out physical terrorist activities. With this
growing threat landscape, cyber-readiness of the security systems has been constantly put to test. While security
systems are increasingly expensive, launching cyber attacks is relatively much economical. This growing imbalance
is a game changer. It has ascertained cyberspace to be offense dominant, wherein defenders have to defend all the
time at a heavy cost, while the attacker needs to succeed only once.
Threats and attack vectors have also been on the rise because most of the vulnerabilities and malicious codes are
easily available on the Internet and provide attackers an easy pathway to operate. Without solving security and
vulnerabilities issues in existing platforms, we have moved to another level - porting of applications to emerging
mobile platforms such as smartphones and tablets, with known vulnerabilities. This has provided cyber criminals
a wide range of basket to operate. The damage inflicted by cyber attackers may not be easily recognizable and in
some cases, may even go unnoticed. Even if an attack is successfully defended, it is possible to cover tracks and thus
attribution of a cyber attack, in some scenarios, becomes very difficult, if not impossible. Tracing a cyber attack is
not easy as Internet has no geographical boundaries and cuts across jurisdictions. There are no international laws/
agreements that could help in tracing cyber attacks. This makes it all the more difficult for the Law Enforcement
Agencies (LEAs) to bring cyber criminals to justice.
On one hand, cyberspace has evolved from a totally unregulated techies domain, where innovation, new technologies,
new services were the only drivers. Indeed its innovations in cyberspace that have led to economic growth and
globalization. On the other, cyber attacks are on the rise, cyber crimes have been fructifying, cyber espionage is
gaining traction and cyber warfare is touted as the realm of next world war.
2.2 Cyber Threats

Security was, and continues to be a bolted on rather than built in feature. This approach has caused a rapid increase
in the vulnerabilities in different platforms, applications, software etc. which are easily exploited by cyber attackers.
Innovative applications are developed without factoring security in. It becomes too late when weaknesses in operating
systems, network stacks, database management systems, web browsers, web apps are discovered.
Traditional viruses, that were meant to change attributes of a file by modifying registry, have come of age. Now a
days, what we see is a much bigger and complex threat landscape. Worms, rootkits, botnets, trojans and other highly
complex malwares are orchestrated to cause irreparable damage to the critical infrastructure.
Cyber threats and attacks typically emanate from a broad range of adversaries, including both state and non-state
actors. These can arise from international syndicates, terrorists, rogue nation states, competitors or disgruntled
insiders.
Millions of devices connected to the Internet, ever increasing bandwidths enabled by broadband, social networking
uses, in particular, have made cyber crimes possible from the hinterland in every country. The long list of cyber crimes
includes identity theft, hacking, financial frauds, child pornography, pornography, data theft, corporate espionage,
defamation, etc. The criminals can be young individuals who do cyber crimes just to hone their hacking skills,
organized national and international gangs who are motivated by easy money, disgruntled employees/ insiders who
want to take revenge on their employers. Non-tech savvy criminals are also entering the realm of cyber crimes because
of easy availability of tools and techniques such as malicious software, malware, botnets, hacking services, etc in a
hidden marketplace operated by syndicates and sophisticated cyber criminals. With access being so easy, there is
no bar to entry to the world of cyber crime because such crimes can be committed from afar, in perfect anonymity,
without fear of being caught by law. Thus it becomes an attractive option for modern criminals.
Cyber criminals are not operating in isolation. They are collaborating from different geographies and regions. Rise of
communities such as Anonymous or Lulzsec are few examples. What brings them together? Common objectives
10
- earning profit or creating havoc unite them. Given their large funding streams and cross-border free flow of
information, existing laws are not able to restrain their growing network community. Unlike criminals, the lawful
agencies require frameworks to operate, and trust in one another, which is relatively difficult.
From a national security perspective, security of critical information infrastructure is becoming a top priority. Over
the years, targeted attacks on critical information infrastructures of nations meant to disrupt and impact normal
functioning with wide economic consequences have been observed. Attacks on power grids, oil rigs and other critical
infrastructures causing heavy outage have made digital nations realize the significance of securing their critical
assets due to their increasing interdependency in digital arena. Be it cyber attack on Irans nuclear reactor by use of
specially crafted stuxnet or attacks on Georgia and Estonia, these attacks have impacted severely and got the nations
think tanks to re-strategize their policies. Possible scenarios that experts are considering as a result of cyber attacks
include: mid air collisions of airplanes, trains bumping into each other due to signal malfunctioning, nuclear reactors
and power plants becoming un-operational, breakdown of stock markets impacting millions of traders and investors,
banking infrastructure coming to a grinding halt, water grids being operated by cyber attackers, unavailability of
telecom services etc. Only an armed attack could have led to such disasters before the Internet. No wonder cyber
security is getting increasingly linked with national security.
In banking and financial sector, most of the operations are now done online. This sector is arguably the most targeted
as the returns are much higher. Millions and billions of dollars, as direct cash cost, have been lost on account of attacks
on financial infrastructure. Stealing financial information, credit card details, financial frauds etc. has been on the
rise. The fact that more and more personal information is crossing the borders in trans-border data flows means that
data breaches often affect people in multiple countries, and may result in financial frauds as in TJX case, a retailer in
the United States. Nearly 100 million credit and debit cards belonging to people from various regions were exposed
when hackers broke into its computer systems and converted some of these into ready-to-use bank cards. Hackers
sold the stolen credit card information to people in the United States of America (US) and Europe via the Internet.
National ICT assets are attacked from cyberspace commons without the fear of being identified. Even though most
of the assets are owned privately, individual countries are finding it difficult to handle the criminals, since the origin
of cyber attack can be camouflaged. Growing instances of cyber espionage for stealing critical information and
intellectual property have been witnessed. Researchers are of the opinion that some of these high profile attacks
may have been carried out by nation-states directly or through non-state actors or working under the direction and
control of the former. Corporate are interested in confidential information such as business plans of their competitors
and nation-states are interested in the military secrets and strategic plans of other nations. In May 2009, President
Obama cited one estimate that a trillion dollars worth of intellectual property is stolen worldwide every year.
In March 2011, hackers penetrated French3 government computer networks in search of sensitive information on
upcoming G-20 meetings. Also in that month, hackers used phishing techniques to obtain data that compromised
RSAs SecureID authentication technology; the data acquired was then used to penetrate Lockheed Martins networks.
Google reported a phishing effort to compromise hundreds of Gmail passwords for accounts of prominent people,
including senior US officials. Approximately 24,000 files were reported to be stolen from Pentagon in a major cyber
attack. In the year 2011 alone, National Aeronautics and Space Administration (NASA) witnessed thirteen major
breaches, which NASA said could compromise US national security.4
To stay ahead of the curve, many nation-states are reportedly developing offensive cyber weapons and are even
known to have raised army of cyber attackers. They engage patriotic geeks and provide them with a career path in
security operations at an early age. On lines of nuclear weapons, an arms race is slowly picking up among nations in
cyberspace. This has been one of the reasons for growing disharmony among nations.
2
3
4
www.washingtontimes.com/news/2011/sep/29/pentagon-seeks-probe-of-the-cost-of-hacking/
List of Cyber Incidents: http://csis.org/files/publication/120313_Significant_Cyber_Incidents_Since_2006.pdf
Source- Reuters
11
2.3 Cyber Security Challenges

Given unique characteristics of cyberspace as described above, there are numerous challenges in cyber security. One
of the most important challenges is of coordination and cooperation between different stakeholders - at both national
and international levels. Comprehensive framework to ensure coordinated response and recovery, intelligence and
information sharing mechanism, clarity in roles & responsibilities of involved agencies and government units, and
specified role of industry in PPP models is lacking at the national level. At the international level, absence of globally
accepted norms featuring cooperation across jurisdictions to track cyber criminals and their extradition is making
it difficult for the LEAs to bring cyber criminals to justice. There is also lack of adequate training and knowledge
available to LEAs and judiciary in many countries for understanding cyber crimes and relevance of evidence in the
form of cyber forensics.
Protection of critical information infrastructure has emerged as a major challenge. National Security has traditionally
(for air, land and sea) been the sole responsibility of the governments. The new responsibility of securing the
critical information infrastructure against the rising number of cyber attacks has come within the ambit of national
security. This new responsibility, however, does not lie solely with the government; private sector has a major role
to play majority of the critical information infrastructure is owned and operated by the private sector. However,
private sectors investment in security is driven by business requirements and not by national security concerns. So
how can government intervene? By incentivizing or regulating the private sector? There is an ongoing debate on
which direction the nations should take. Many believe that market forces cannot deliver the required investments
and efforts for ensuring public safety and national security. Whereas some believe that too much of government
intervention through regulations can undermine business innovation. No clear universal solution to this problem
has emerged presently.
There is yet another area of global concern, namely the ICT global supply chain. Given the increased dependence
on global ICT products, especially in operating critical sectors and growing realization of cyber risks, countries are
doubting the integrity of these products, fearing that adversaries may introduce malicious codes / functions to
do surreptitious surveillance, disrupt services, or at worst paralyze a nation. Alleviating such doubts and fears to
continue benefitting from global ICT supply chain is one of the biggest challenges the world faces in cyber security
today. Where some countries are trying to address this challenge by building global and national capabilities to
address supply chain risks without undermining the international competiveness and legitimate trade flow; others
are focusing on developing indigenous products to reduce the dependency on foreign players.
Another very important challenge requiring ongoing efforts is poor awareness and education about cyber security
threats and the need to follow best practices, across different levels ranging from school children to top government
officials, and management in the corporate world. Adding to the problem is the non-serious and reactive approach
towards security. Lack of knowledge and awareness among users increases the risk manifold. Because of poor
awareness, we become vulnerable and easy victims of social engineering attacks, phishing sites, spurious email
communications, etc. Many such cyber threats can be easily mitigated if individuals are aware and vigilant.
Other major difficulties in addressing problems related to cyber security at an organizational level include: lack of
high quality software development; treatment of security function as a cost centre; compliance driven approach to
security; lack of multi-departmental coordinated roadmap; treatment of security as merely a technology issue and
not a management issue; and difficulty in calculating Return on Investment (RoI) for security investments.
12
2.4 The Imperatives

Cyber security is a global problem that has to be addressed globally by all governments jointly. No government can,
fight cybercrime or secure its cyberspace in isolation. Cyber security is not a technology problem that can be solved;
it is a risk to be managed by a combination of defensive technology, astute analysis and information warfare, and
traditional diplomacy5. International community should come forward and initiate discussions that will encourage
nations to create PPP models for cyber security. There is an urgent need to have internationally acceptable legal
norms regarding territorial jurisdiction, sovereign responsibility, and use of force, investigation and prosecution of
cyber crimes, data preservation, etc. for dealing with cyber crimes. Globally acceptable norms for dealing with cyber
crimes, and trans-national efforts for effective information sharing will help to secure cyberspace. World bodies such
as United Nation (UN) and North Atlantic Treaty Organization (NATO) should take the lead in this regard.
Critical infrastructure protection should be top most national priority and for this, private players also have a major
role to play. It needs to be more proactive on engaging with the government on cyber policy issues through PPP. It has
to take security seriously by raising it to the Board level and giving security leaders more authority and support.
Development of industry standards and sharing of best practices will better equip organizations to respond to evolving
and perennial threats. It will help organizations align their security initiatives to the security technology and services
market evolution and benchmark against peers. Organizations should be forthcoming to share cyber incidents so
that it helps peers deal with similar situations. Emphasis also needs to be given on developing secure products and
services. Security must be prioritized as an embedded function in every development. Focus should also be given
on end user training and awareness. Cyberspace cannot remain safe unless its users are aware and vigilant.
Specifically, international cooperation is required at following levels6:
National nodal centres on information infrastructure, based on PPP, to cooperate
Global service providers such as Google, Microsoft, Twitter, Yahoo, and Facebook to cooperate with LEAs
in all countries and respond to their requests for investigations
Computer Emergency Response Teams (CERTs) to exchange threats and vulnerabilities data in an
open way to build an early watch and warning system
Incident management and sharing of information with a view to building an international incident response
system
Critical-infrastructure protection: Establishment of an international clearing house for critical-infrastructure
protection to share threats, vulnerabilities, and attack vectors
Sharing and deployment of best practices for cyber security
Creation of continued awareness on cyber threats, and international coordination as part of early-watchand warning system
Acceptable legal norms for dealing with cyber crimes regarding territorial jurisdiction, sovereign
responsibility, and use of force to reconcile differing national laws concerning the investigation and
prosecution of cyber crimes, data preservation, protection, and privacy. Address the problem of existing
cyber laws that do not carry enforcement provisions.
Incident response; and transnational cooperation, including establishment of appropriate mechanisms
for cooperation. Such measures must include provisions to respond to counter cyber terrorism, including
acts of sabotage of critical infrastructure and cyber espionage through information warfare.
Law Enforcement Agencies to Investigate cases, collect forensic evidence at the behest of other countries,
and prosecute cyber criminals to bring them to justice.
5, 6 The Cybersecurity Agenda, Mobilizing for International Action- Dr. Kamlesh Bajaj
13
In the information age, Internet is the engine for global economic growth and the cyber security initiatives of any
country should not impede it, instead these initiatives should create enablers for growth of the Internet and other
technology innovations. The world has to find a way to cooperate so that the cyberspacethe biggest global
commonsremains a driver of economic prosperity of nations and a cloud where people from all countries can
safely interact and exchange goods and services.
14
3. Indian Cyberspace and Cyber

Security Initiatives
3.1 Indian economy going the e-Way
Since liberalization in 1991, India has witnessed steady economic growth, benefiting from globalization and
information revolution. Countrys Gross Domestic Product (GDP) growth rate expected to touch double digits mark
in coming years. Technology is playing a crucial role in this transformation. As per recent Boston Consulting Group
report7 the Internet economy of India in 2010 was USD 70 billion (4.1% of GDP) and is estimated to reach USD 242
billion (5.6% of GDP) in 2016. Technology is contributing in Indias development in following ways:
Development of new infrastructure - airports, metros, highways, etc. and augmentation of existing
infrastructure - power generation, financial services, telecom, transportation, defence, etc. Nations critical
infrastructure is getting increasingly dependent on technology power grids, air traffic controller, industrial
systems, stock exchanges, banking, telecom among others are driven and controlled by ICT.
e-Governance - Government is framing policies that intend to leverage power of technology to address
social, economic and development challenges in the country. Government is envisaging making the Internet
available to every household in India through availability of low cost devices to enable every citizen to
participate in the web economy. Using technology, the government intends to improve governance by
increasing transparency, curbing corruption, time bound delivery of government services and ensuring
financial inclusion. Government is investing more than USD 10 billion on e-Governance through many
projects that would transform government functioning. The National e-Governance Plan (NeGP) takes
a holistic view of e-Governance initiatives across the country. It integrates the initiatives, whether at
the Centre or in States, into a collective vision for a shared cause of delivering benefits to citizens in the
remotest parts of the country. A massive countrywide infrastructure reaching out to the remotest of
villages is evolving, and large-scale digitization of records is taking place to enable easy, reliable access
over the Internet. The ultimate objective is to bring public services closer home to citizens, as articulated
Boston Consulting Report 2012 : The Connected World- The Internet Economy in G-20
15
in the vision statement of NeGP8. The NeGP comprises 27 mission mode projects (MMPs) and 8 common
core and support infrastructure including State Wide Area Networks and State Data Centres.
Aadhaar' is one of the most ambitious projects of the Indian government which is issuing 12-digit unique
number to Indian residents. The number will be stored in a centralized database and linked to the basic
demographics and biometric information photograph, ten fingerprints and iris of each enrolled resident.
The Aadhaar number provides unique identity, which will become acceptable across India. The project
promises that this identity will be robust enough to eliminate duplicate and fake identities through effective
verification and authentication. Many of the governments social benefit programs are envisaged to be
linked with the Aadhaar number. The disbursements of government entitlements like Mahatma Gandhi
National Rural Employment Gurantee scheme, social security pension, handicapped old age pension, etc
are expected to be made through Aadhaar-Enabled Payment Systems (AEPS), using aadhaar number and
associated personal information for authentication. The Aadhaar initiative is also expected to give a boost
to governments efforts for financial inclusion by providing the means for delivery of banking services
through Business Correspondents (appointed by Banks) in rural areas.
e-Commerce this industry is witnessing phenomenal growth; B2C e-commerce is expected to touch USD
10 billion a growth of 47% from 20109. e-payments in India account for 35.3% of the total transactions in
terms of volume and 88.3% in terms of value10, card circulation - both credit and debit - was around 200
million in 201011. The e-commerce is still an untapped potential given that the Internet penetration12 in
India is only around 8% (rising exponentially) with around 120 million Internet users13 and India is projected
to become the third largest Internet user base by 201314. With around 894 million mobile subscribers15 (as
on December 2011), m-commerce market is a big opportunity, especially as it promises to bring rural India
into the realm of e-commerce.
IT/BPO sector India is the preferred global supplier for IT software and services and is emerging as the
knowledge hub of the world with many global companies opening their R&D and innovation centres in
India. The industry has provided job opportunities to over 10 million people through direct and indirect
employment and accounts for 6.4% of Indias GDP. It aims to grow revenues to USD 225 billion by 202016
out of which USD 175 billion will be on account of export of software and services. Domestic IT market,
including telecommunications services and equipment, is expected to touch USD 110 billion by 2012. Cloud
Computing is a huge opportunity for India - next wave of growth for the Indian IT industry as worldwide
cloud services revenue are expected to reach around USD 150 billion in 201417. The Indian cloud computing
market opportunity is expected to reach USD 16 billion by 202018. Data protection (security and privacy)
is perceived to be one of the major challenges in adoption of the cloud.
Modernization of Police and Defence Police agencies and Defence are making strategic use of technology
to modernize. Projects such as Crime and Criminal Tracking Network and Systems (CCTNS) and National
Intelligence Grid (NATGRID) are flagship projects for modernization of police. CCTNS will connect 14,000
police stations and 6,000 police officers to a centralized database. The goal of CCTNS is to facilitate collection,
storage, retrieval, analysis, transfer and sharing of data and information at the police station and between
8
9
10
11
12
13
14
15
16
17
18
16
www.mit.gov.in/content/national-e-governance-plan
Internet and Mobile Association Of India
Reserve Bank of India
Payments in India is going e-way, Celnet report
Google India
http://timesofindia.indiatimes.com/tech/news/internet/121m-internet-users-in-India-by-2011-end-Report/articleshow/10641973.cms
Forrester
TRAI
NASSCOM-Mckinsey Study: Perspective 2020
Gartner
NASSCOM Deloitte Study Deconstructing the CLOUD: The New Growth Frontier for Indian IT-BPO Sector
the police station and the State Headquarters and the Central Police Organizations.19 NATGRID, in its first
phase, will network 21 sets of data sources to provide quick and secure access to information required by
10 intelligence and law enforcement agencies as part of the counter terror-related investigative processes.20
Defence has also taken similar initiatives most notably the creation of an Army Wide Area Network
(AWAN) designed to connect all Army formations, units, training establishments and logistic installations
in the country for secure and direct information exchange.21 Army also launched project Shakti a fully
digitized and integrated Artillery Combat Command and Control System, which is a network of military
grade tactical computers automating and providing decision support for all operational aspects of Artillery
functions from the corps down to a battery level.22
Social Media With around 45 million23 Indians using the social media, and the number increasing every
day, social media is emerging as a very powerful phenomenon in Indian cyberspace. It is revolutionizing the
way society interacts. It is growing rapidly and becoming addictive especially for young Indians who love
to connect with one another, make friends, chat, and publish photographs of family and friends. Personal
Information is becoming the economic commodity on which social networking is thriving. Businesses,
Non-Governmental Organizations (NGOs) and even the governments are using this platform for variety of
reasons communication, marketing, branding, awareness, etc. Whole new communities that encourage
people to discuss important issues and come up with innovative solutions to local problems are emerging.
The social media has also caught the attention of the governments and the regulators worldwide (for
wrong reasons) including the Indian government and there is an ongoing debate on regulating the social
media.
3.2. The Threat Landscape

It is extremely important for us as a nation to continue leveraging technology for overall development of the country
and improving lives of the citizens. For this, it is crucial to comprehensively understand the risks associated with the
use of technology and operating in cyberspace.
Cyber security is getting increasingly linked to national security - the cyberspace is being used by terrorists to
spread their message, hire recruits, do encrypted communication, surreptitious surveillance, launch cyber attacks
on government infrastructure, etc. Sophisticated use of technology was made by 26/11 Mumbai attackers - Global
Positioning System equipment, satellite phones, BlackBerrys, CDs holding high-resolution satellite images, multiple
19
20
21
22
23
http://ncrb.nic.in/cctns.htm
http://blogs.wsj.com/indiarealtime/2011/06/29/qa-natgrid-chief-raghu-raman/
http://www.defenceindustrydaily.com/indias-army-launches-awan-network-02014/
http://pib.nic.in/newsite/erelease.aspx?relid=49161
http://www.watconsult.com/2011/05/45-million-indians-on-social-media-by-2012-are-you-on-it-yet/
17
cellphones with switchable SIM cards, e-mails routed through servers in different locations, which made it harder
to trace them.
Cyber attacks targeted at critical information infrastructures (energy, telecom, financial services, defence, and
transportation) have the potential of adversely impacting a nations economy and public safety, and citizens lives.
These critical infrastructures are mainly owned and operated by the private sector. For example, the telecom sector
is mostly owned by the private players, except Mahanagar Telephone Nigam Ltd. and Bharat Sanchal Nigam Ltd.;
Major stock exchanges - Bombay Stock Exchange and National Stock Exchange are private players wherein most
of the transactions are done through electronic medium; Airline industry is dominated by private players with Air
India being the only the government enterprise; Energy & Utility sector though dominated by government players,
the distribution is largely controlled by private partners; the banking sector has large number of private banks. The
investments made by these private players in securing the infrastructure are driven by business requirements and
not national security concerns. This may leave possible security loop holes. India recently witnessed a cyber attack
on its critical information infrastructure - cyber attack on state-of-the-art T3 terminal at New Delhi airport that made
check-in counters of all airlines non-operational causing public inconvenience. Stuxnet - the deadliest attack vector
that has been designed so far which destroyed a nuclear reactor in Iran has reportedly infected systems in India.24
As the dependency of critical information infrastructure on technology increases in future and if such infrastructures
remain vulnerable, it is possible that adversaries may use cyber attacks on critical information infrastructure to produce
impact similar to that in physical attacks / accidents, at worst leading to physical harm collision of aircrafts because
of manipulation with Air Traffic Controlling system, train accidents due to signal malfunctioning; or could adversely
affect the national economy failure of telecommunication services, power grids, oil production and distribution,
breakdown of stock markets and banking infrastructure.
Given the increased usage of Internet in the country, India is witnessing sharp rise in cyber crimes. Data released by
National Crime Records Bureau (NCRB) in 2010 shows this trend - 966 cyber crimes cases were registered in 2010
under the IT Act across India (an increase of around 128% over 2009 and 235% over 2008) and 799 persons in
2010 were arrested (an increase of around 177% over 2009 and around 349% over 2008) for cyber crimes included
hacking, obscene transmission, tampering, etc.
Cyber attackers have also been repeatedly defacing Indian websites especially government websites. In January
2012 alone, 1425 websites were defaced, with 834 target websites being hosted on .in domain25. Many high profile
cyber espionage attacks targeting systems of senior Indian bureaucrats have been reported in the media.26
24
25
26
18
http://www.tehelka.com/story_main51.asp?filename=Ne261111India.asp
http://www.cert-in.org.in/
http://articles.timesofindia.indiatimes.com/2010-01-16/india/28147357_1_cyber-criminals-pmo-standalone-computers
3.3. Legal Framework Information Technology (Amendment)

Act, 2008
Information Technology Act (IT Act) was enacted in year 2000 to provide legal recognition for transactions carried
out by means of electronic data interchange and other means of electronic communication. The IT Act was amended
in year 2008, resulting in establishment of a robust cyber security and data protection regime in the country. The IT
(Amendment) Act, 2008 provides a comprehensive definition of the computer system, and tries to ascertain liability
based on the type of cyber crime committed hacking, spamming, tampering, identity theft, impersonation, cyber
terrorism, pornography, child pornography, etc. It introduces the concept of sensitive personal information, and
fixes liability of the body corporate to protect the same through implementation of reasonable security practices.
In case a body corporate fails to do so, it can be fined upto Rs. 5 crore (approx. USD 1.2 million) by the Adjudicating
Officer. Fines greater than Rs. 5 crore can be imposed by the civil court. The rules issued under the Act, also require
body corporates to follow privacy principles such as notice, choice & consent, access & correction, disclosure to third
party, etc. On the other hand, the amended Act provides provision for legal action against a person for the breach
of confidentiality and privacy, under lawful contract. Critical systems can be declared as protected systems under
the Act; security breaches of such systems attract higher prison sentences.
The amended Act also enables setting up of a nodal agency for critical infrastructure protection, and strengthens the
role of CERT-In. This Act creates provision for the central government to define encryption policy for strengthening
security of electronic communications. Presently, encryption of upto 40 bits is allowed under the telecom policy.
Cyber Appellate Tribunal, which is now operational, is expected to expedite legal proceeding of cyber crime cases.
The cyber security and data protection provisions in IT (Amendment) Act, 2008 are also supported by various
other enactments, namely, (i) The Indian Telegraph Act, 1885, (ii) The Indian Contract Act, 1872, (iii) The Specific
Relief Act, 1963, (iv) The Public Financial Institutions Act, 1983, (v) The Consumer Protection Act, 1986 and (vi)
The Credit Information Companies (Regulations) Act, 2005. Overall, the IT (Amendment) Act, 2008 is an omnibus
and comprehensive legislation which includes provisions for digital signatures, e-governance, e-commerce, data
protection, cyber offences, critical information infrastructure, interception & monitoring, blocking of websites and
cyber terrorism.27
3.4. Policy Initiatives

3.4.1. Draft National Cyber Security Policy
The draft version of National Cyber Security Policy was released by the DIT in March 2011 for public consultation. The
draft policy has been aimed to enable secure computing environment and adequate trust and confidence in electronic
27
http://www.dsci.in/sites/default/files/India-Building%20an%20New%20Ecosystem_Vinayak%20v4.pdf
19
transactions. The draft policy tries to layout the cyber security ecosystem for the country. It covers the following:
Based on the key policy considerations and threat landscape, the draft policy identifies priority areas for
action
Identifies PPP as a key component
Identifies key actions to reduce security threats and vulnerabilities
Establishment of a National Cyber Alert System for early watch and warning, information exchange,
responding to national level cyber incidents and facilitating restoration
Defines role of sectoral CERTs and establishment of local incident response teams for each critical sector
organization
Implementation of best practices in critical information and government infrastructure protection through
creation, establishment and operation of Information Security Assurance Framework
Establishes framework for Crisis Management Plan for Countering Cyber Attacks and Cyber Terrorism
Identifies priorities for action for legal framework and law enforcement capability development
Defines priorities for international cooperation for information sharing
Identifies indigenous Research & Development as an essential component of cyber security and enlists
thrust areas for R&D
Identifies major actions and initiatives for user awareness, education, and training (capacity building)
Defines responsible actions for network service providers, large corporates and small/medium & home
users to secure information and systems
Identifies various stakeholders (ministries and government departments only) in cyber security and their
responsibilities
The final version of the National Cyber Security Policy, post public consultation is yet to be announced by the
government.
3.4.2 Triad of Policies to drive a National Agenda for ICTE

The Ministry of Communications and Information Technology (MCIT), Government of India, is formulating a
combination of three interdependent and synergistic policies for IT, Telecom and Electronics - Triad of Policies to
Drive a National Agenda for Information & Communications Technology and Electronics (ICTE). The three policies
are as below:
National Policy on Electronics, 2011
National Policy on Information Technology, 2011
National Telecom Policy, 2011
The integrated policy has twin goals:
To facilitate the application of new, technology-enabled approaches to overcome developmental challenges
in education, health, skill development, employment generation, financial inclusion, governance etc. and
to enhance efficiency, convenience and access; and
To harness the power and capability of India in ICT to meet global demand
20
All the three draft policies address cyber security, in line with draft National Cyber Security policy. From cyber
security perspective, the focus of the triad policies is on indigenous development of ICT products, services
and techniques to reduce dependence on imports of such products for national security reasons. These draft
policies include following policy items on cyber security:
National Policy on Information Technology, 2011

Compliance to international security best practices and conformity assessment (products, processes,
technology and people) and creation of incentives for the same
Indigenous development of suitable security techniques & technology
Creation of a culture of cyber security
To create, establish and operate an Information Security Assurance Framework
National Telecom Policy, 2011

Regulate telecom service providers to take adequate security measures by adopting contemporary security
standards
Provide communication assistance to LEAs . Develop and deploy a state of the art system for providing
assistance to LEAs
Create an institutional framework to ensure that safe-to-connect devices are inducted into the telecom
network
Build national capacity in all areas including security standards, security testing, interception and monitoring
capabilities and manufacturing of critical telecom equipment
Provide preferential market access for domestically manufactured products to address the security needs
of the country
Undertake a comprehensive review of critical issues such as encryption, security, privacy, interconnection,
etc. keeping in view emerging technologies and unique needs of the sector
Adopt best practices to address the issues related to cloud services and Machine-to-Machine (M2M) for
example privacy, network security, law enforcement assistance, inter-operability, preservation of crossborder data flows to promote a global market for India
Mandate testing and certification of all telecom products for conformance, performance, interoperability,
health, safety, security
Indigenously manufactured multi-functional SIM cards with indigenously designed chips incorporating
specific laid down standards are considered critical
Promote creation of robust, reliable and resilient communication networks
Develop a rational criterion for sharing of costs beyond a threshold limit between government and the
service providers in implementing security measures
National Policy on Electronics, 2011

The priorities for action are design and develop indigenous appropriate products through frontier
technology/product oriented research, testing & validation of security of products
Provide preferential market access for domestically manufactured/ designed electronic products to address
the security needs of the country
21
3.5. Cyber Security Initiatives

Government and industry have taken various initiatives in cyber security. However, much more needs to be done in
this area. Major initiatives are summarized below:
3.5.1. Government Initiatives

CERT-In
Government set up a the Indian Computer Emergency Response Team (CERT-In) under DIT, MCIT in 2003 as a nodal
agency for responding to cyber security incidents. The IT (Amendment) Act, 2008, recognizes CERT-In as a nodal
agency for security incident management and provides it the authority it to call for information on security incidents
from organizations. CERT-In, through a dedicated infrastructure, collects, analyzes, disseminates information on cyber
security incidents. It monitors and investigates threats that affect computer systems and forecasts and generates
alerts for cyber security incidents. It collaborates internationally for the incident response, tracks incidents affecting
both public and private sector and issues security guidelines and advisory on vulnerabilities. It provides technical
assistance to organizations in resolving security incidents. It has helped establish sectoral CERTs in defence and
banking sectors. To test preparedness of organizations operating critical information infrastructure, CERT-In conducts
cyber security drills in partnership with the public and private sector. To help LEAs solve cyber crimes, CERT-In has
developed standard operating procedures for cyber crime investigations. It organizes regular trainings and funds
research and other projects in security to academic institutes and industry. It also engages with its counterparts in
other countries for increased collaboration and information sharing. CERT-In has developed 12th five year plan on
cyber security. Following figure summarizes the responsibilities of CERT-In:
Information Security Education and Awareness

To address the shortfall of cyber security professionals in the country, DIT initiated the Information Security Education
Awareness (ISEA) program in 2005. This program aims at building the capacity by introducing information security
courses at graduate, post-graduate and doctoral levels, establishing education exchange programs, training
22
system administrators and government officers and spreading awareness on cyber security in the country. The current
status of this program can be found at ISEAs website.28
LEA Capacity Building Programs

To address the challenges that Indian LEAs face in handling cyber crimes such as poor knowledge of technology
and cyber crime investigation techniques/ tools and cyber forensics, lack of state-of-the-art technical infrastructure,
insufficient training facilities & forensics labs in the country, government has taken some key initiatives. These initiatives
are aimed at building the capacity of LEAs in cyber forensics and cyber crime investigation to curb rising cyber
crimes and ensure speedier trials. Ministry of Home Affairs (MHA) will be launching the Cyber Crime Investigation
Program (CCIP), which will establish a Cyber Crime Police Station and a Cyber Crime Investigation and Forensic
Training Facility in each State and Union Territory, and a central National Centre of Excellence for Cyber Forensics
Services. The CCIP has been conceptualized based on the detailed project proposal submitted by DSCI. The program
will create a network of cyber police stations across the country, equipped with state-of-the-art technology and
well trained police officers, which can collaborate to benefit from each others experiences. The National Centre of
Excellence will act as the guiding force, providing thought leadership to the Cyber Crime Police Stations and Cyber
Crime Investigation and Forensic Training Facilities by conducting advanced research & development. This initiative
will have active support of the industry through DSCI and NASSCOM-DSCI will act as the knowledge partner of MHA
for this program.
Under the Directorate of Forensic Science, under MHA, three Central Forensic Labs (CFSLs) have developed capabilities
in cyber forensics. Also, there are 28 State Forensic Labs (SFSLs) that are acquiring capabilities in cyber forensics
techniques and skills. Resource Centre for Cyber Forensics (RCCF) at Thiruvananthapuram, Kerala under Centre for
Development of Advanced Computing (CDAC) has been established to develop cyber forensic tools and to provide
technical support and necessary training to LEAs in the country.29
Security in e-Governance projects

The National e-Governance Division (NeGD), under DIT, is the Program Management Office of NeGP. Among its various
activities, including facilitating implementation of NeGP by various Ministries and State governments, the agency is
also responsible for issuing cyber security and data security standards and guidelines for all the e-Governance projects
under NeGP. For securing e-Governance projects, Standardization Testing and Quality Certification Directorate (STQC)
has developed e-Governance Security Assurance Framework (e-SAFE), which provides list of security controls based
on the risk categorization of particular assets.
Common Criteria Certification Scheme

This scheme has been set up by DIT to evaluate and certify IT Security Products and Protection Profiles against the
requirements of Common Criteria Standards ver 3.1 R2, at Evaluation Assurance Levels EAL 1 through 4. Presently,
the scheme provides national certification. The scheme would also provide a framework for international certification
through the National Mutual Recognition Arrangement with the other member countries of Common Criteria
Recognition Arrangement (CCRA). Along with 24 other countries, India has already become a member of CCRA as
a certificate consuming nation and soon will be recognized as a certificate producing nation. STQC is a certification
body of the country with STQC IT, Kolkata centre as the Common Criteria Test Lab.30
Sectoral Security
Critical sectors such as banking and telecommunication are strongly regulated through Reserve Bank of India (RBI)
28
29
30
http://www.isea.gov.in/isea/isea/currentstatus.jsp
http://www.dsci.in/sites/default/files/India-Building%20an%20New%20Ecosystem_Vinayak%20v4.pdf
http://www.commoncriteria-india.gov.in/Pages/CCSOverview.aspx
23
and Department of Telecommunications (DoT)/ Telecom Regulatory Authority of India (TRAI) respectively. The
regulators keep issuing security guidelines, mandating the companies to implement the same. For example, RBI
constituted a working group on information security, electronic banking, technology risk management, and cyber frauds,
which provided a set of guidelines to banks, covering areas such as IT governance, information security (including
electronic banking channels like Internet banking, ATMs, cards), IT operations, IT services outsourcing, information
system audit, cyber frauds, business continuity planning, customer education and legal issues. These guidelines
serve as a common minimum standard for all banks to adopt.31 DoT made amendments to the Unified Access Service
License Agreement (UASL) in 2011, incorporating security related measures and made the Licensee (Telecom Service
Providers) completely and totally responsible for security.
3.5.2. NASSCOM and DSCI Initiatives

NASSCOM Trusted Sourcing Initiative
To promote India as a trusted outsourcing destination, NASSCOM initiated a 4E initiative for outsourcing industry for
promotion and enforcement of security. It relies on Engagement with all stakeholders involved, Education of service
providers, Enactment to create a policy environment, Enforcement of standards and constant checks. This initiative
resulted in establishment of:
DSCI as a Self-Regulatory Organization with a vision to harness data protection as a lever for economic
development of India through global integration of practices and standards conforming to various legal
regimes. To achieve this vision, DSCI works closely with the Indian government, foreign governments,
regulators, industry, clients, LEAs, think tanks and academic institutes in the areas of public advocacy,
thought leadership, capacity building, cyber crime investigations and dispute resolution.
Cyber Labs Program under which Cyber Labs were established in four major cities to build capacity of
LEAs by training police officers in cyber crime investigations and cyber forensics.
National Skills Registry (NSR) to build a robust and credible information repository on the knowledge
professionals in the IT/BPO sector via background checks and verification
Worldwide Cyber Security Summit

NASSCOM and DSCI have partnered with EastWest Institute (EWI) - a global think-and-do tank to host the 3rd
Worldwide Cyber Security Summit in New Delhi on October 30-31, 2012. It will be Indias first major international
summit of cyber security experts from government, business, technology and civil society from around the world.
The summit process will comprise forming three high-level working groups of Indian and international experts,
each taking on a crucial cyber security issue. One group will develop ways to secure the global ICT supply chain.
Another will focus on agreements, standards, policy and regulations to secure the increasing share of our digital
world powered by cloud computing. The third will focus on payload security. The first two working groups will be
led by NASSCOM and DSCI.
31
24
http://www.rbi.org.in/scripts/BS_PressReleaseDisplay.aspx?prid=23789
DSCI Initiatives
Since its inception, DSCI has developed strong linkages with the Indian government, industry and global think
tanks and provided platforms to bring all the stakeholders in cyber security together for discussing cyber security
issues and solutions. It has emerged as a thought leader in cyber security DSCI has developed best practices in
data security and data privacy, published studies and surveys, contributed in development of global standards/
frameworks, represented India at various international forums, trained Indian LEAs and provided advisory/ policy
inputs to government/ industry. It has strengthened the government-industry interactions and has developed the
operational capability to deliver cyber security projects in PPP mode. Following are some of the major initiatives
undertaken by DSCI:
DSCI Security Framework: To overcome the checklist based and compliance based approach to security
which fails to address the evolving threats, DSCI has developed DSCI Security Framework (DSF) which
focuses on bringing dynamism in security. It is an improvement over existing security standards and
frameworks as it enables an organization to focus on real threats in its environment, without worrying
about compliance. It enables assessment of organizations maturity in implementing security in different
areas with a view to continually improve the same. Such an assessment further helps organization draw
a strategic plan based on evolution of different disciplines of security, and their interdependencies, with
continuous focus on protecting data. DSCI is promoting the implementation of DSF in the industry. DSCI
has also developed DSCI Privacy Framework (DPF) which helps organizations design, implement and
monitor privacy program.
LEA Capacity Building Programs: Augmenting NASSCOMs efforts to build the capacity of LEAs in India,
DSCI has expanded the Cyber Labs program. Presently, 4 out of 8 cyber labs have been funded jointly by
DIT, respective state and DSCI. Through these labs over 9,000 police officers and other officials in the LEAs,
including judiciary and public prosecutors for investigation and prosecution of cyber crimes, are being
trained annually. The knowledge developed, over a period of time, has been systematized in the Cyber
Crime Investigation Manual and distributed to police stations across India. Based on its experience of
running cyber labs, DSCI submitted a detailed project report to the MHA, which has been accepted by the
ministry and the program will be extended to the entire country in the form of CCIP. This initiative will
25
have active support of the industry through DSCI and NASSCOM. The DSCI core team on cyber forensics
will liaise with the National Centre of Excellence (CoE), and contribute knowledge inputs to all their areas
of work; it will mentor and guide the State agencies to operationalize the cyber crime police stations and
training centres. DSCI will track cyber crimes, cyber forensic tools, emerging curricula, conferences and
other developments to continuously develop the training material and update the content.
DSCI Excellence Awards: To reward organizations and individuals who have shown high level of
preparedness and have excelled in the area of information security, DSCI has institutionalized DSCI
Excellence Awards. Among various categories, it also has India Cyber Cop Award category to recognize,
reward and honour a police officer who has done the most outstanding investigation in solving a cyber
crime to encourage the police officers who have put in extra efforts to learn cyber forensics to solve cyber
crimes.
DSCI Chapters: To create a network of security professionals in the country, DSCI has established DSCI
Chapters across major cities in India. Presently, over 1200 security professionals are connected together
through these chapters. The chapters provide a platform to security professionals in India to collaborate
and share best practices. It also provides a mechanism for DSCI to engage with the security experts in the
country.
Cyber Security Awareness Program: Under the DIT-NASSCOM funded Cyber Security Awareness Program
(Nov08 Dec10), DSCI conducted Cyber Security Awareness Campaigns across the country, published
Security Surveys and Publication, conducted Training for over 700 government officials, developed
Computer based Trainings, developed a national security portal, among other activities.
26
4. Key Learning and Imperatives for

India
Cyber security is a global problem, requiring mobilization of action both at national and international levels. Study of
cyber security initiatives of different countries, especially the US reveals how nations are grappling with the challenges
of cyber security. Though cyber security problem is a common thread, the approaches taken by nations to address
this problem may vary depending on various factors including national priorities, level of dependency of nations
critical infrastructure on technology, penetration of technology in citizens daily lives, number of major cyber related
incidents in the past, etc. And yet there are some common trends in cyber security which are emerging worldwide
esp. in democratic and progressive countries. Nations such as the US have been spearheading cyber security efforts
for a fairly long time and the lessons learnt by such nations provide valuable inputs to other nations such as India,
which are starting to ramp up their cyber security initiatives. But even today, nations like US are not fully secured.
They are getting repeatedly attacked. In the year 2011 alone, NASA witnessed 13 major breaches, which NASA said
could compromise US national security.32 This shows the seriousness and magnitude of the cyber security problem,
which is difficult to contain despite phenomenal efforts and investments, as made by the US.
Nations are at cross roads and there are lot of cyber security policy related discussions and debates taking place
around the world, and India, in its own context, can learn from these when finalizing its national cyber security policy.
This report tries to capture such global developments and through its recommendations, presents the priority policy
action items for the government.
4.1 Key Learning for India

4.1.1 Cyber Security A Top Government Priority
There is a growing realization that cyber security is getting increasingly linked to national security and therefore
nations are treating cyber security as a national priority. Consequently, the positioning of the cyber security
office/ function is being done at the highest level within the government to give cyber security initiatives the
required impetus and help to address inter-agency concerns to improve coordination, given the multi-stakeholder
involvement required to address cyber security. Internationally - cyber security has been designated as one of the
US Presidents key management priorities and a cyber security coordinator has been appointed in the White House;
In the United Kingdom, the Office of Cyber Security and Information Assurance reports to the Cabinet; In Australia,
the lead agency for cyber security reports to the Prime Ministers Office.
4.1.2 Critical Information Infrastructure Protection Regulate versus Incentivize

From a national security perspective, security of critical information infrastructure is a top priority of the governments.
Government of India too has identified such critical information infrastructure, namely Defence, Finance, Energy,
Transportation and Telecommunications. National Security has traditionally (for air, land and sea) been the sole
responsibility of the governments. But as the world has moved into the information age, with increased dependence
32
Source- Reuters
27
on information infrastructure for production and delivery of products & services, the new responsibility of securing
the critical information infrastructure against the rising number of cyber attacks has come within the ambit of national
security. This new responsibility, however, does not lie solely with the government; private sector has a major role
to play since more than 80% of the critical information infrastructure is owned and operated by the private sector.
However, private sectors investment in security is driven by business requirements and not by national security
concerns. So how can government intervene? By incentivizing or regulating the private sector? Though strong and
effective PPPs are obviously essential, such questions need to be debated and discussed in detail.
US policy focus since Clinton Administration (1998) has been on voluntary PPP and information sharing, with market
driven approach to address the problem of critical infrastructure protection. The policy has emphasized on assessing
available alternatives to direct regulation including providing economic incentives to encourage the desired behaviour
and to regulate only in case of market failure. However, this US policy approach has been criticized primarily for
following three main reasons:33
underestimating antitrust, liability and competition related issued in information sharing by private
organizations
undermining issues in sharing of classified information by the government with the private sector; and
wrongly assuming that organizations will take action if they are made aware of the threats.
The existing policy approach, advocates believe, fails to understand that the market forces cannot deliver the required
investments and efforts for ensuring public safety and national security voluntary efforts will always be inadequate.
To this extent, the cyber security legislation proposal released by the US government last year focuses on improving
cyber security for the citizens, critical infrastructure, and the Federal governments own networks and computers. For
critical information infrastructure protection the proposal aims at establishing a regulatory framework to enhance
cyber security of critical infrastructure which includes: owners and operators of critical infrastructure to develop cyber
security plans; third party audit of the cyber security plans and reporting to Security & Exchange Commission of the
US. Also, to improve voluntary information sharing, it provides industry, state and local governments the required
immunity to share cyber security related information with the Department of Homeland Security.
So which approach should India take? Regulate or incentivize the private sector? Though regulations are necessary
they should not add to cost without necessarily improving security of critical information infrastructure. Too much of
government intervention through regulations can also undermine business innovation; it can make it uncompetitive.
The better approach would be to incentivize the private sector to invest in security beyond what is required by business
requirements through appropriate instruments such as the government funding, tax reliefs, awards & recognition,
liability protection, cyber insurance, etc. Only when such market driven approach fails, should the government think
of bringing light weight legislation for critical information infrastructure protection that is developed in partnership
with the industry.
4.1.3 ICT Supply Chain Risks Foreign versus Indigenous

There is a growing trust deficit in the global ICT supply chain. Countries fear that their adversaries could plant attack
vectors in the imported ICT products and services which could be used against them. Many countries, including India,
are responding to this threat by emphasizing on development of indigenous ICT products and services especially
for critical sectors and government departments, even though the Internet technology and services are the result of
global innovation, and the laissez faire spirit is spawning new products, services and companies which is required
for continued growth of economies. The Indian draft National Telecommunication Policy reflects Indias approach
to the ICT supply chain problem - To provide preferential market access for domestically manufactured products with
special emphasis on Indian products for which IPRs reside in India to adequately address the strategic and security needs
33
28
Cybersecurity Two Years Later: A Report of the CSIS Commission on Cybersecurity for the 44th Presidency
of the country consistent with international commitments. The US policy, on the other hand, emphasises on building
global and national capabilities to address supply chain risks without undermining the international competiveness
and legitimate trade flow:Understand threats, vulnerabilities, and consequences associated with acquisition decisions
Develop and employ tools to technically and operationally mitigate risk across the lifecycle of products
Develop new acquisition policies and practices that reflect the complex global market place
Develop partnership with industry to develop and adopt supply chain and risk management standards
and best practices
India should be able to mitigate security risks arising from procurement of ICT products especially from foreign
vendors and yet take full benefits from the global supply chain that includes access to world class products, services
and expertise at competitive prices. Giving preference to domestic vendors for national security reasons may not be
the right policy direction, primarily for two reasons Firstly, deploying domestically developed products may not
necessarily reduce the supply chain risks, since these need to be tested globally in real life environment. Secondly if
other countries take such an approach to this problem, it will adversely impact Indias outsourcing industry, which
will be set to lose out to domestic companies in such countries. Therefore, to effectively address such risks without
affecting business competitiveness and countrys image as a promoter of global trade & market, India should build
its capacity to mitigate ICT supply chain risks.
4.1.4 Encryption National Security versus Economic Growth

Use of strong encryption is a must for fostering trust in electronic transactions and to ensure continued growth of
e-Commerce, e-Governance, etc. However, Indias telecom policy allows only 40 bit encryption, primarily because
the Indian LEAs have the capability to break such level of encryption strength. Though section 84A of the IT
(Amendment) Act, 2008 has the provision to prescribe encryption strength - The Central government may, for secure
use of the electronic medium and for promotion of e-governance and e-commerce, prescribe the modes or methods for
encryption, the same has not been notified. Lawful interception is a genuine national security requirement, given
the increased usage of technology by criminals and terrorists. At the same time, encrypted communication is a must
for economic growth of India. Not allowing strong encryption usage in the country terrorists are using strong
encryption anyways since products are available freely online - in the interest of national security does not enhance
security; it only hampers the growth and progress of the country. Other countries are responding to this challenge
by building lawful interception capabilities, without restricting use of strong encryption for legitimate purposes - In
United Kingdom, for example, a National Technical Assistance Centre has been established to perform research in
encryption and cryptanalysis to build interception capabilities. A Cryptologic Support Group exists within National
Security Agency in US. Recently, The NSA opened a new Cryptologic Centre in Georgia, US which will provide
cryptologic professionals with the latest state-of-the-art tools to conduct signals intelligence operations, train the
cryptologic workforce, and enable global communications similar centre needs be established in India to cater to
national security requirements without hindering economic growth.34 To facilitate technology enabled economic
growth by building similar lawful interception capabilities without putting restrictions on use of strong encryptions
is the way ahead for India.
34
http://www.nsa.gov/public_info/press_room/2012/new_facility_georgia.shtml
29
4.2. Imperatives for India

Cyber security is a complex global issue and requires collaboration at all ends. Indian government and organizations
need to take global leadership in cyber security as there is lot at stake for us as a nation. We need to have a robust
cyber space - our government, businesses, LEAs, residents, etc, must build capabilities to address the challenges
of cyber security through development & implementation of robust security practices, establishing an efficient
& effective national model for coordination & intelligence sharing, leveraging the strengths of public and private
sectors through PPP initiatives, building capacity of LEAs and judiciary in cyber crimes & forensics, strengthening
international linkages, conducting path breaking research in cyber security, imbibing the culture of security in
our daily lives through continuous education and awareness and creating world class security workforce. Detailed
recommendations around each of the areas identified in the figure below have been provided in the next section
of this report.
30
5. CSAG Recommendations
5.1. Key Recommendations
1. Create a National Structure for Cyber Security35
The Indian government should lay down a well structured and positioned organization for designing, implementing,
driving, monitoring and coordinating cyber security initiatives in the country. The structure should enable effective
and efficient decision making which involves consultation across multiple stakeholders policy makers, various
ministries, state governments, defence, intelligence, LEAs, private sector among others. The structure should clearly
define roles and responsibilities for every stakeholder, establish coordination and information sharing mechanisms,
focus on building PPP models and create environment for enhancing trust between the industry and government.
Given the increasing linkage between cyber security and national security and the involvement of multiple
stakeholders, it is very crucial that the cyber security in India is positioned at the highest level within the
government. This will give cyber security the much needed impetus and will help address inter-agency concerns
and improve coordination.
2. Design and Implement a Competency Framework for building a competent and adequate Cyber
Security Workforce
India has a dearth of cyber security manpower required to defend corporate and government ICT infrastructure and
this shortage is expected to grow in future as the digitization of processes increases, resulting in increased number
of cyber attacks and crimes. To prepare for the future, a competent cyber security workforce needs to be created.
To start with a Competency Framework that assesses the security skills requirements, identifies existing gaps &
challenges, defines competency areas across different security roles (leaders, auditors, managers, administrators,
developers, etc.) and devises strategies and programs for building the capacity such as security certifications, cyber
security courses and specialization in schools, graduate and post graduate programs, career path in government,
etc. should be created and implemented.
35
A proposed National Structure for Cyber Security has been detailed in the Appendix of this document
31
3. Create and Maintain an Inventory of Critical Information Infrastructure

An inventory of Critical Information Infrastructures in the country should be created and maintained. The inventory
could capture various characteristics of the critical information infrastructure such as sector mapping, location,
make & model, hardware & software details, owner, custodian, interdependencies, Internet exposure, etc. Such an
inventory will provide the required visibility over the critical information infrastructure in the country and
will help prioritize deployment and monitoring of the protection measures. In case of a cyber attack/ crisis,
such an inventory will prove instrumental in determining its possible impact and relevance on different information
infrastructures and containing the attack. However, maintaining (keeping it up-to-date) such an inventory at the
national level is a herculean task, and therefore the process of collation and maintenance needs to be automated
through an efficient system, which can be accessed over a secure network.
In addition to the building critical information infrastructure inventory, a Digital Architecture for each critical sector
should be created and analyzed. This digital architecture of each critical sector will help develop a Sector Profile from
a security perspective that can provide a top level view of a sector and thus enable government / regulator/ industry
to understand the sector specific security issues and take appropriate measures for addressing such issues.
32
4. Establish a Centre of Excellence for Best Practices in Cyber Security

Compliance with particular standards or guidelines does not demonstrate that a companys security practices are adequate
across the board. While voluntary adoption of best practices would not supplant existing regulatory enforcement regimes,
greater adoption of best practices would likely significantly improve security beyond the baseline required by existing
law.36
The statement above very appropriately highlights the importance of development, collation, sharing and
implementation of security best practices in organizations especially those owning and operating critical information
infrastructure.37 Though standards and regulatory prescriptions are definitely required, the problem arises when
organizations start channelizing investments and resources to demonstrate compliance to standards and regulations
instead of addressing the real risks. Taking the best practices approach better equips organizations to respond to
evolving & perennial threats. It helps organizations align their security initiatives to the security technology and
services market evolution and benchmark against peers.
The best practices enable organizations:
to focus on real threats in their environment instead of creating extensive documentation
to assess organizations maturity in implementing security in different areas with a view to continually
improve the same
draw a strategic plan based on evolution of different disciplines of security, and their interdependencies,
with continuous focus on protecting data
To institutionalize the development, sharing, collation, distribution and implementation of best practices,
a Centre of Excellence for Cyber Security should be established. This centre will build a national knowledge
repository on cyber security. The best practices could be specific to a sector (e.g. energy, transport), technology/
system (e.g. Supervisory Control and Data Acquisition (SCADA), Programmable Logic Controller (PLC), process (e.g.
patch management), discipline (e.g. application security), etc.
36
37
Cybersecurity, Innovation and the Internet Economy, The Department of Commerce, Internet Policy Task Force
The PricewaterhouseCoopers, The Global State of Information Security, found that organizations that followed best practices had
zero downtime and zero financial impact, despite being targeted more often by malicious actors.
33
5. Establish a National Threat Intelligence Centre for Early Watch and Warning
Information sharing on cyber threats, vulnerabilities, cyber incidents / attacks is one of the most critical elements of
cyber security. To facilitate information sharing and situational awareness across different stakeholders industry
to industry, government to government, government to industry, intelligence-government, intelligence-industry,
intelligence-LEAs, etc, an Information sharing environment should be created by establishing a National Threat
Intelligence Centre (NTIC), enabled by a real time 365X24X7 network, wherein different stakeholders can access
the information through a secure connection, based on the authorization granted. The NTIC should integrate all the
existing information sources such as sectoral CERTs, intelligence bodies, security alerts issued by security vendors,
threats seen by critical sectors and industry to enable cross-domain awareness and a comprehensive view of cyber
threats at a national level. NTIC may also be given the responsibility of closing botnets, phishing sites, etc. through
a lawful process.
6. Build Capacity of the Law Enforcement Agencies in Cyber Crime Investigations and Cyber
Forensics
To curb the increasing number of cyber crimes and ensure speedier trial of cyber crimes, LEAs need to build their
capacity in cyber crime investigation and cyber forensics. Presently, Indian LEAs face the following challenges in
handling cyber crimes:
34
Poor knowledge and awareness of technology

Poor knowledge of cyber crime investigation techniques / tools and cyber forensics
Insufficient training facilities in the country
Insufficient cyber forensic labs in the country
Poor awareness of IT (Amendment) Act, 2008
Lack of state-of-the-art technical infrastructure
Lack of a national LEA network for collaboration in solving / preventing cyber crimes
To overcome the above challenges, the LEAs and the industry need to collaborate and invest in establishing training
centres across the country. NASSCOM and DSCI with the help of the government have established such facilities in
eight major cities in the country through the Cyber Labs program. Such initiatives need to be further augmented
with active participation from government, industry and the LEAs.
7. Build Lawful Interception Capabilities for Balancing National Security and Economic Growth
The Indian Law Enforcement and Intelligence Agencies should build lawful interception capabilities to monitor
electronic communications including encrypted communications in real time. Lawful interception is a genuine
national security requirement, given the increased usage of technology by criminals and terrorists. At the same
time, encrypted communication is a must for economic growth of India as it fosters trust in electronic transactions
including e-commerce, e-governance, online banking, etc. Not allowing strong encryption usage in the country,
to fulfill national security concerns will hamper the growth and progress of the country. Instead, the Indian Law
Enforcement and Intelligence Agencies should build capabilities in cryptanalysis & encryption technologies. For
this purpose, a National Centre for performing research in encryption and cryptanalysis to build interception
capabilities should be established in India. Such a centre will help to national security requirements without hindering
economic growth.
8. Establish a Centre of Excellence for Cyber Security Research

A Centre of Excellence for Cyber Security Research should be established to develop solutions that will protect
countrys information infrastructure in the future. This centre will work closely with the government, industry and
academia to (not limited to):
Identify critical research needs
Identify gaps in present research initiatives
35
Align existing research initiatives

Define the research roadmap / agenda for near, medium and long term
Allocate research work to various interested agencies based on their capabilities
Allocate funds and resources
Monitor progress
Ensure application of research in real world scenario (market driven research)
Promote development of indigenous security products and services for the global market
Coordinate between government, industry and academia
9. Set up Testing Labs for Accreditation of ICT Products to Manage ICT Supply Chain Risks
Testing Labs for accreditation of ICT products that are to be deployed in critical sectors should be established across
India. Through these labs, the country should be able to mitigate security risks arising from procurement of ICT
products especially from foreign vendors and yet take full benefits from the global supply chain that includes access to
world class products, services and expertise at competitive prices. Giving preference to domestic vendors for national
security reasons may not be the right policy direction, primarily for two reasons Firstly, deploying domestically
developed products may not necessarily reduce the supply chain risks, since these need to be tested globally in real
life environment. Secondly, if other countries take such an approach to this problem, it will adversely impact Indias
outsourcing industry, which will be set to lose out to domestic companies in such countries. Therefore, to effectively
address such risks without affecting business competitiveness and countrys image as a promoter of global trade &
market, India should build its capacity to test ICT products through testing labs. Also, active participation should be
taken in the ongoing global efforts for mitigation of ICT supply chain risks.
10. Establish a Cyber Command to defend the Indian Cyberspace

India should recognize cyberspace zas the fifth domain after land, sea, air and space that the country needs to defend.
For this purpose, a Cyber Command38 within the defence forces with cyber warfare capabilities should be established.
Appreciating that cyberspace is offense dominant, the Cyber Command should be equipped with defensive and
offensive cyber weapons, and manpower trained in cyber warfare. The command needs to build capabilities in
countering cyber espionage, and deny the enemy any benefits if it succeeds in breaking defences.
38
36
Some countries around the world including US, South Korea have already established and others are in the process of establishing such
command centres.
5.2. Additional Recommendations

Critical Information Infrastructure Protection
1.
Each critical sector, through appropriate PPP, should develop and implement a Sectoral Critical Information
Infrastructure Protection Plan which should include Risk Management Framework, Mitigation Plan,
Incident Response, Crisis Management, Education & Awareness, etc along with clearly defined responsibilities
and implementation deadlines. These sectoral plans should be based on a National Critical Information
Infrastructure Protection Framework, which aligns different sectoral plans to meet cyber security
requirements of the country. Through sectoral specific plan, it will be possible to address the sector security
requirements, nature and complexity of operations, security maturity, challenges, technology adoption,
applicable laws and regulations, past incidents and trends, etc.
2.
A zero tolerance audit process should be established for critical information infrastructure, to ensure that
no risks are accepted in critical sectors, as even a single vulnerability, if left unaddressed, can be exploited by
adversaries. Critical information infrastructures such as SCADA and PLC systems should be tested regularly
to find vulnerabilities in such systems.
3.
Consolidate government networks for better security by deploying common robust security solutions,
facilitating the reduction of external access points, establishing baseline security capabilities and centralized
monitoring.
4.
Government should subject its infrastructure to independent third party security audits and testing
regularly, given the rising number of cyber attacks against government infrastructure. This will help in the
early identification of vulnerabilities and taking corrective actions well in time. It is important to realize that
the national infrastructure including government infrastructure is exposed in cyber space and it is better
to get audited by a competent external agency, howsoever damaging the findings may be, than being
easily attacked by cyber criminals or non-state actors.
Best Practices
5.
Promote adoption of security automation protocols to enable efficient and accurate collection, correlation,
and sharing of security relevant information including software vulnerabilities, system configurations and
network events across disparate systems including government, industry, critical sectors, etc.
Early Watch and Warning System

6.
Develop and implement a regularly tested National Cyber Incident Response Plan that establishes a
strategic framework for institutional roles & responsibilities, and actions to prepare for, assess, respond
to and coordinate recovery from a cyber incident. Such a plan will ensure a unified and well coordinated
response to a cyber incident.
37
7.
Create a National Vulnerability Database and a National Cyber Threat Database and correlate them
to provide effective guidance to critical sectors on cyber risks at a national level. Such a mechanism will
optimize organizational efforts on risk management and more importantly provide the much needed risk
intelligence from a central authentic source.
8.
Authorize an agency for monitoring critical information infrastructure networks through Intrusion
Detection & Prevention Systems or other mechanisms to enable proactive defence and collation of threat
related data across networks to generate threat intelligence. However, adequate steps should be taken to
ensure that privacy and civil liberties are not compromised in such surveillance.
9.
Consolidate Internet gateways for better monitoring including identification and curbing of malicious
activities at the gateway level to enable proactive defence and optimization of security efforts.
10. Promote security testers community to share existing vulnerabilities in critical information infrastructure.
There are a lot of youngsters, known as ethical hackers, in the country who have passion for security and
want to contribute in countrys cyber security initiative. It is in the interest of the country to tap this talent
pool by offering them incentives and legal protection.
Education & Awareness

11. Celebrate National Cyber Security Week for increasing public awareness on cyber security through radio,
print, TV, social media, conferences, etc. Given the increasing importance and dependency on technology
esp. the Internet on citizens daily lives, ongoing education and awareness through various media is a
must.
12. Fund / Incentivize not-for-profit organizations / NGOs running cyber security awareness campaigns.
Through such NGOs a national network for spreading cyber security awareness can be created, to ensure
better public outreach and awareness. Some of them could be used as the extended arms of the government
through institutionalized arrangements.
13. Create National Centres of Excellence in cyber security education & research in leading universities in
India to promote graduate and post graduate level research and development in cyber security and to
address evolving cyber security problems / needs of the government and industry.
Legal Capability Development

14. Establish a separate cadre in LEAs for cyber crime investigations; as such investigations require specific
set of skills and orientation. Aspirants only from technical background such as engineering should be made
eligible for joining this cadre. In the defence forces, for example, technical arms such as Signals only recruit
aspirants from technical background.
15. Develop a platform such as a cyber cop portal for real time collaboration and coordination between LEAs
across the country. Such a portal could be made accessible through a secured connection. Through such a
platform, LEAs across India could share best practices, post queries and problems, share latest techniques
and tools, share information about cyber criminals and crimes, etc. Such a portal can augment the efforts
for building the capacity of LEAs through efficient and effective information sharing.
16. Compile and share cyber crime cases and judgments across the globe and in India within the Indian LEA
and judiciary community for better understanding on global practices and procedures, laws & regulations,
investigation techniques, nature, characteristics & handling of cyber crimes, etc.
38
17. Take effective steps to efficiently operationalize Mutually Legal Assistance Treaty (MLAT) with maximum
possible number of countries. This will help in expediting the prosecution of cyber criminals, by increasing
collaboration and information sharing with LEAs of other countries and reducing the legal and procedural
delays in cyber crime investigations.
18. Actively participate in international efforts on framing conventions, agreements, laws and collaboration
mechanisms on curbing cyber crimes. Given the global nature of cyber crimes, it is impossible for any
particular country alone to curb cyber crimes. India, having a huge stake in cyber space, needs to ensure
that its interests are represented at such international forums.
19. Establish Memorandum of Understanding (MoU) with the LEAs of other countries to learn global best
practices. LEAs of many advanced countries have made significant progress in the handling cyber crimes.
India has started to develop its capabilities and can immensely benefit from the practices followed by LEAs
and learning of other such countries.
Assurance in ICT Supply Chain

20. Establish a National Strategy for managing the ICT Supply Chain risks, which should focus on
streamlining/ standardizing security related aspects of the procurement processes in government and critical
sectors, integrated risk management approach, international collaboration, coordination & collaboration
within government and between buyers and suppliers among other factors.
21. Encourage development of secure products and services through government procurement policy. Given
the amount of investment expected to be made on ICT Infrastructure in e-Governance projects in India
(around USD 10 billion), the government should lay emphasis on robust security design, security features,
etc. in the products and services it plans to procure. This will incentivize the industry to invest in security
by creating security as a differentiator in project bids.
22. Create an Information Assurance Analysis Centre with the help of private sector to study information
assurance issues in existing and emerging technologies. Given the ever evolving technology landscape,
such a centre will help proactively identify the underlying security and privacy risks and how these risks
can impact the critical information infrastructure of the country.
23. Establish a Software Assurance Program to reduce software vulnerabilities by encouraging software
developers to raise the standard on software quality and security. The emphasis should be on conceptualizing,
planning and embedding security in the product / service design phase itself, as presently security, in most
cases, is an afterthought. If this proactive approach is adopted, it will considerably reduce the number of
vulnerabilities in ICT products and services, making it difficult for cyber criminals to launch cyber attacks,
conduct cyber frauds, etc.
24. Improve and augment security assurance by working with the private sector through mechanisms such
as establishing a rating framework against which security products and services can be rated on various
maturity levels of security. This approach will help make security a market driven phenomenon by creating
distinction between various products from security perspective.
25. Participate actively in international efforts to mitigate global supply chain risks such as Common Criteria
Recognition Arrangement (India is already a member). Such efforts are aimed at establishing increased level
of assurance in ICT products and services, which can be accepted internationally and opposing creation
of non-tariff barriers by making it difficult for foreign companies to access domestic markets. India has a
huge stake in such initiatives because of its booming outsourcing industry which serves the global market
and the domestic industry which leverages global ICT products and services for increased digitization.
39
Cyber Warfare
26. Define cyber warfare policy, objectives, doctrines, rules, etc that lay down offensive and defensive contexts
and actions, capability development, roles and responsibilities of different agencies, coordination and
collaboration mechanisms, etc.
27. Expand cyberspace cooperation with allies and partners to increase collective security - participate actively
in international efforts for establishing global watch and warning system and mechanism for sharing cyber
threat intelligence. Also, build and enhance existing military alliances to confront potential threats in
cyberspace.
28. Create and implement standards and best practices to secure military networks in partnership with the
private sector, which has developed the required expertise and capability by managing majority of the
critical information infrastructure over the years. Also, establish .mil domain, and operate it professionally
for email, and hosting of military server.
40
6. Public-Private Partnerships in
Cyber Security and Role of DSCI
Building successful PPPs in cyber security is critical for India to ensure a secure cyberspace. Majority of the
recommendations identified in this report can be effectively implemented only through such PPPs. To enable the
partnerships, an interfacing agency which brings the government and industry together through an institutionalized
framework is required. DSCI, which has worked very closely with the government and the industry since its
inception, can play a pivotal role in cyber security initiatives of the country including implementation of the CSAG
recommendations by facilitating PPPs. The following credentials validate DSCIs interfacing role:
Thought Leadership - DSCI is a not for profit company, working specifically in the area of cyber security,
data security and data privacy. It has created best practices in security and privacy through DSF and DPF
and has published various study and survey reports in data protection. It is engaged with global think tanks
and institutions through various programs.
Industry Linkage- DSCI is an industry body having representation across sectors IT/BPO, Banking,
Financial Services & Insurance, Telecommunication, Energy, etc. It has around 600 corporate members and
is connected to over 1200 security and privacy professionals across 10 cities in India.
Government Linkage - DSCI works with different government agencies - DIT, MHA, Ministry of External
Affairs, Department of Commerce, Department of Personnel & Training, and Planning Commission on data
protection initiatives undertaken by these ministries / departments.
Experience in PPP projects DSCI has rich experience of executing PPPs in cyber security. It successfully
delivered DIT-NASSCOM Cyber Security Awareness Program and is running the DSCI Cyber Labs
program for training LEAs through establishment of cyber labs, jointly funded by DIT, respective State and
DSCI.
DSCI can leverage the above credentials to deliver the following services (not limited to) to enhance cyber security
in the country and specifically with respect to the implementation of the CSAG recommendations:
Advisory and Consultation DSCI can provide strategy, policy and program related inputs to the
government after consulting the industry on specific subjects.
Define Partnership Models For implementing specific cyber security initiative or program in PPP mode,
DSCI can consult both the government and the industry and recommend best possible partnership model
that is capable of meeting the strategic goals of such a project / initiative. As a section 25 not-for-profit
company, it can develop approach for executing projects with government funding, through industry that
is acceptable by the government.
Program Management and Execution For a particular PPP project, DSCI can provide the program
management services defining governance mechanisms, monitoring performance and completion,
managing budgets & resources, communication, etc. DSCI can also be appointed as the agency for end to
end project execution requirement definition & consensus, deployment of in-house resources or sourcing,
procurement of infrastructure (IT & non-IT), development of content, distribution, etc.
Knowledge Partner- DSCI can act as a knowledge partner in PPP projects to provide the required expertise
during conceptualization and implementation.
41
Create Platforms DSCI can create platforms for bringing together the government and industry for
discussions on specific issues and concerns.
Establish Centres of Excellence DSCI can build and operate Centres of Excellence (CoE) on different
subjects that are of mutual interest to the government and the industry. Such CoEs can be established for
creation, sharing, compilation and dissemination of Best Practices in security, Research in cyber security,
Technology trends, among others.
Trainings DSCI can conduct ongoing trainings for identified set of audiences in government and / or
industry by arranging relevant experts in security and establishing the required training environment,
which can be repeatedly used for conducting training sessions.
Outreach To increase education and awareness level within the country, DSCI can conduct cyber security
campaigns across the country bringing together government, industry, LEAs, academia, school children,
home users, etc.
Information Sharing Environment Being a third party, DSCI can act as an Information Clearing House
for enabling information exchange within industry and between industry and government.
Based on the activities identified above, DSCI will act as Single Point of Contact for both the government and industry
in PPP, helping government and industry save efforts to identify right people, institutions, expertise, channels, etc. The
knowledge and learning of running PPP projects will get consolidated at DSCI and can be leveraged to design and
run PPP projects in future. Also, a common infrastructure (IT & non-IT) can be created through DSCI, which may be
reused for PPP projects, resulting in cost and resource optimization. Very importantly, DSCI, as an interfacing agency,
can solve the who will do what problem which is very common in a multi-stakeholder environment and more so
when government and industry both cannot afford to allocate resources on full time basis for executing projects.
42
Epilogue
Cyber security, as part of national security, is, and will continue to be on the governments policy agenda. As the
threat scenario evolves, critical information infrastructure protection, government services delivery, public sector
services along with industry and national defence will have to respond with appropriate cyber security policies that
will involve implementation, and testing of security practices. LEAs will require upgradation of training and cyber
forensics tools; R&D in cutting edge security technology will be essential. All of these and many other projects of
national importance will be conceptualised and implemented in PPP. The policy scenario will evolve too. This calls
for a vibrant relationship between the government and the industry.
To address this challenge, it is proposed to convert the CSAG to DSCI Cyber Security Policy Forum (CSPF), which
will act as a standing committee of PPP. It will institutionalise the cyber security initiative of the industry and its
engagement with the government. As the focal agency for data protection and cyber security, DSCI will anchor and
spearhead CSPF.
43
44
Appendix
45
46
Proposed National Cyber Security Structure
47
II
Global Cyber Security Initiatives
United States of America

Cybersecurity threats represent one of the most serious national security, public safety, and economic challenges
we face as a nation. US National Security Strategy 2010
The CSAG studied the cyber security journey of the US over three administrations Clinton Administration, Bush
Administration and Obama Administration, as depicted in the figure below:
Clinton Administration
The starting point of the major US cyber security initiatives dates back to 1996, when the Presidents Commission on
Critical Infrastructure Protection (CIP) was set up under the administration of President Bill Clinton. The Commission
released its report to President Clinton in October 1997, making the following key recommendations:39
facilitate greater cooperation and communication between the private sector and appropriate government
agencies by: setting a top level policy-making office in the White House; establishing a council that
includes corporate executives, state and local government officials, and cabinet secretaries; and setting
up information clearinghouses;
develop a real-time capability of attack warning
establish and promote a comprehensive awareness and education program
streamline and clarify elements of the legal structure to support assurance measures (including clearing
jurisdictional barriers to pursuing hackers electronically); and
expand research and development in technologies and techniques, especially technologies that allow for
greater detection of intrusions
Subsequent to the Commissions Report, Presidential Decision Directive No. 63 (PDD-63) was released in 1998,
with a national goal to build the national capability to defend nations critical infrastructure from intentional physical
#
A detailed study of cyber security initiatives of US, UK, Australia and Japan was conducted by the CSAG, based on the publically available resources.
NASSCOM and DSCI does not guarantee, and accept no legal liability whatsoever arising from or connected to, the accuracy, iability,
relevance or completeness of any content presented in this study.
39
48
Congressional Research Service- Critical Infrastructures: Background, Policy and Implementation
and cyber attacks in five years. To achieve this goal PDD-63 established the necessary structure and programs, based
on the recommendations of the Presidents Commission on CIP. The Directive40 focused on the following policy items,
reflecting the policy direction taken by the country in cyber security:
Genuine, mutual and cooperative public-private partnerships
Voluntary participation of the private sector
Market driven approach to address the problem of critical infrastructure protection; regulation to be used
only in case of market failure
Identifying and assessing available alternatives to direct regulation including providing economic incentives
to encourage the desired behavior
Government to act as a role model for private sector
Based on the above policy items, following structure and programs were created by PDD-63:
Assignment of duties to National Coordinator for Security, Infrastructure Protection and CounterTerrorism with reporting to the President through the Assistant to the President for National Security Affairs,
including responsibility for implementation of PDD-63, interagency coordination for policy development
and implementation, review crisis activities among others.
Assignment of a Lead Agency (government department) for each critical sector for sector liaison. Each lead
agency was directed to appoint a Sector Liaison Official to coordinate with appropriate private sector
organizations, through Sector Coordinator.
Creation of National Infrastructure Assurance Council comprising major infrastructure providers and state
40
http://www.fas.org/irp/offdocs/pdd/pdd-63.htm
49
and local government officials to enhance the partnership of the public and private sectors in protecting
critical infrastructures.
Creation of Critical Infrastructure Coordination Group comprising senior representatives from Lead
Agencies, as well as representatives from other relevant departments and agencies, for interagency
coordination for implementation of PDD-63.
Sector Liaison Official and Sector Coordinators to work together to create a Sectoral National Infrastructure
Assurance Plan.
Establishment of Critical Infrastructure Assurance Office to integrate sectoral plans to develop
National Infrastructure Assurance Plan which covers vulnerability assessment, remedial plans to reduce
vulnerabilities, warning requirements and procedures, response strategies, reconstitution of minimum
required capabilities, education and awareness programs, research and development needs, intelligence
gathering and sharing, needs and opportunities for international cooperation and legislative and budgetary
requirements.
Appointment of Critical Infrastructure Assurance Officer in each federal agency with the responsibility
of securing agencys critical infrastructure.
Establishment of National Infrastructure Protection Center (NIPC) to be the focal point for federal threat
assessment, vulnerability analysis, early warning capability, law enforcement investigations, and response
coordination.
Creation of ISACs (by encouraging the private sector to establish the same) for gathering, analyzing,
appropriately sanitizing and disseminating private sector information to both industry and the NIPC.
Through the establishment of above identified structures, institutions, councils, plans, etc., the PDD-63 laid the
foundational framework for cyber security in the US. The following governments built on this framework to further
augment the countrys cyber security initiatives.
Bush Administration
Policy direction and approach of the Bush Administration for critical infrastructure protection was evolutionary
expansion of the previous administration. The primary effort was directed at working collaboratively and voluntarily
with the private sector. However, the focus of Bush Administrations efforts was more oriented towards physical threats
esp. post 9/11 terrorist attacks, whereas the focus of PDD-63 was more towards cyber threats.
Organizationally, following changes were made during the Bush Administration:
Department of Homeland Security (DHS) was established post 9/11 attacks with a mission of preventing
terrorist attacks, reducing the vulnerability of the nation to such attacks, and responding rapidly should such
an attack occur. Its responsibilities include safeguarding and securing countrys cyberspace - securing civilian
government computer systems, and work with industry and state, local, tribal and territorial governments to
secure critical infrastructure and information systems.41 Since its creation, DHS has played much more active
role in identifying critical assets, assessing vulnerabilities, and recommending and supporting protective
measures. Also, the manpower and resources devoted to these activities have greatly increased.
The Sector Liaison and Sector Coordinator model of PDD-63 was expanded into Government Coordinating
Councils and Sector Coordinating Councils for each critical sector, as depicted below, for increased
representation within all the sectors.
41
50
http://www.dhs.gov/xabout/gc_1240609042614.shtm
Homeland Security Council, supported by the Critical Infrastructure Protection Policy Coordinating
Committee acting as an Interagency coordination group.
National Infrastructure Advisory Council comprising private sector executives, academia, state & local
governments to advise the President on enhancing PPP, monitoring development of ISACs and encouraging
private sector to perform vulnerability assessments of critical systems.
Appointment and then abolishment of Special Advisor to the President for Cyberspace Security and
Presidents Critical Infrastructure Protection Board (consisting of federal officials to recommend policies
and coordinate programs for protecting information systems for critical infrastructure).
Operational units created by PDD-63, such as Critical Infrastructure Assurance Office and National
Infrastructure Protection Centre were moved and restructured within DHS.
In addition to the above identified organizational changes, following major developments took place during Bush
Administration:
Development of National Infrastructure Protection Plan (NIPP) covering (a) strategy to identify, prioritize
& coordinate critical infrastructure protection (b) activities to achieve strategy (c) initiatives for information
sharing (d) coordination with other federal emergency management agencies.42 Creation of Sector Specific
Plans, utilizing processes outlines in NIPP43.
Enactment of Federal Information Security Management Act (FISMA) in 2002 which requires each federal
agency to develop, document, and implement an agency-wide program to provide information security for
the information and information systems that support the operations and assets of the agency, including
those provided or managed by another agency, contractor, or other source.44
Release of National Strategy to Secure Cyberspace in 2003, which outlined an initial framework (as
depicted in the figure below) for both organizing and prioritizing cybersecurity efforts. It provided direction
to the federal government departments and agencies that have roles in cyberspace security. It also identified
steps that state and local governments, private companies and organizations, and citizens could take to
improve nations collective cybersecurity.45
42
43
44
45
Final version of NIPP was approved in 2006. It was revised in early 2009.
Sector Specific Plans for all the identified critical sectors were developed and reviewed in 2006-2007
http://csrc.nist.gov/groups/SMA/fisma/overview.html
The National Strategy to Secure Cyberspace, February 2003
51
Release of Comprehensive National Cybersecurity Initiative (CNCI), which formalized a series of

continuous efforts designed to further safeguard Federal government systems and reduce potential
vulnerabilities, protect against intrusion attempts, and better anticipate future threats.46 It describes twelve
initiatives, which have been summarized47 below:
46
47
52
http://www.dhs.gov/xnews/releases/pr_1207684277498.shtm
The Comprehensive National Cybersecurity Initiative
Creation of National Asset Database which contained the list of critical infrastructure across the country.
This database has now been automated by DHS through web-enabled Automated Critical Asset
Management System (ACAMS).
Creation of Homeland Security Information Network (HSIN) a national secure and trusted web-based
portal for information sharing and collaboration between federal, state, local, tribal, territorial, private
sector, and international partners. It comprises Communities of Interest, which are organized by state
organizations, federal organizations, or mission areas such as emergency management, law enforcement,
critical sectors, and intelligence. Users can securely share within their communities or reach out to other
communities as needed. HSIN provides secure, real-time collaboration tools, including a virtual meeting
space, instant messaging and document sharing. HSIN allows partners to work together instantly, regardless
of their location, to communicate, collaborate, and coordinate.48
48
http://www.dhs.gov/files/programs/gc_1156888108137.shtm
53
Obama Administration
Digital infrastructure to be treated as a strategic national asset; Protecting this infrastructure will be a national
security priority; Americas economic prosperity in the 21st century will depend on cybersecurity.
Remarks by President Obama on Securing Americas Cyber Infrastructure
Obama Administration retained the policy and organization of the preceding administration, but directed
comprehensive, clean-slate review to assess US policies and structures for cybersecurity, soon after President
Obama assumed office (in Feb09). Based on the recommendations of the policy review following actions have
been taken:49
Appointment of Cybersecurity Coordinator in the White House.
Cybersecurity designated as one of the Presidents key management priorities and establishment of
performance metrics through CyberStats program.50
Updation of metrics for FISMA which is used for grading federal agencies on cybersecurity. Shifting
the Federal approach from a static, paper-based certification to a dynamic, relevant process based on
continuous monitoring and risk assessment.
Privacy and civil liberties official designated to the National Security Council cybersecurity directorate
to ensure privacy of citizens is duly considered during development and implementation of cyber security
initiatives.
Development of a formal interagency process that clarifies roles, responsibilities, and application
of authorities across the federal government and identified additional authorities required by the
government to fulfil its mission.
Creation of National Initiative for Cybersecurity Education (NICE) for cyber-savvy citizens and building
cyber-capable workforce. The draft NICE strategic plan released in Aug11 defines strategic goals and
objectives, identifies partners, defines cybersecurity knowledge stages and a cybersecurity workforce
capability & development model, communication & outreach activities, among other things to achieve
NICE mission. The strategic outcomes of this initiative have been depicted in the figure below:
49
50
54
FACT SHEET: The Administrations Cybersecurity Accomplishments

Details of CyberStats program are not available publicly
Release of International Strategy for Cyberspace, which provides a unified foundation for the Americas
international engagement on cyberspace issues. The policy priorities laid down by this strategy have been
summarized51 below:
51
International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World (May 2011)
55
Release of Cyber Research and Development Framework Trustworthy Cyberspace: Strategic Plan for
the Federal Cybersecurity Research and Development Program to replace the piecemeal approaches
to research with a set of coordinated research priorities. It provides for a framework for prioritizing
cybersecurity R&D in a way that concentrates research efforts on limiting current cyberspace deficiencies,
precluding future problems, and expediting the infusion of research accomplishments into the marketplace.
52
The framework also defines the national structure for cybersecurity R&D coordination.
Release of National Strategy for Trusted Identities in Cyberspace which envisions establishing a national
level Identity Ecosystem an online environment where individuals and organizations will be able
to trust each other because they follow agreed upon standards to obtain and authenticate their digital
identitiesand the digital identities of devices. 53 This ecosystem is an attempt to overcome the existing
shortcomings in the online authentication of individuals and devices that make identity theft and online
fraud easier. The strategy emphasizes on collaboration between public and private sectors for creating
such an ecosystem.
Release of Cybersecurity Legislation Proposal54 focused on improving cybersecurity for the citizens,
critical infrastructure, and the Federal governments own networks and computers by:
Establishing regulatory framework to enhance cybersecurity of critical infrastructure which
includes: owners and operators of critical infrastructure to develop cyber security plans; third party
audit of the cybersecurity plans and reporting to Security and Exchange Commission.
Simplifying and standardizing the existing patchwork of 47 data breach notification state laws
Synchronizing penalties for computer related crimes with other crimes
Enabling DHS to quickly help organizations (private-sector company, state, or local government) when
they solicit help and also defining the type of assistance that can be provided by DHS
Providing industry, state and local governments the required immunity to share cybersecurity related
information with DHS.
Updating FISMA to shift focus from a static, paper-based certification to a dynamic, relevant process
Giving DHS more flexibility in hiring highly qualified cybersecurity professional and permitting
the government and private industry to temporarily exchange experts, so that both can learn from
each others expertise
Creating a new framework of privacy and civil liberties protection designed expressly to address the
challenges of cybersecurity
Development of an interim National Cyber Incident Response Plan which has been tested during
CyberStormIII (national cyber exercise). It defines organizational roles and responsibilities for cyber incidents,
incident response cycle, national cyber risk alert levels, coordination & collaboration mechanisms among
other elements required for preparing, responding and recovering from a cyber incident.
52
53
54
56
Trustworthy Cyberspace: Strategic Plan for the Federal Cybersecurity Research and Development Program, December 2011
National Strategy for Trusted Identities in Cyberspace, April 2011
http://www.whitehouse.gov/the-press-office/2011/05/12/fact-sheet-cybersecurity-legislative-proposal
The following figure depicts the coordination of cyber incident management:
57
In addition to implementing the recommendations of the policy review, following major developments have been
made / are in the pipeline:
Release of Department of Defense Strategy for Operating in Cyberspace which lays down following
five strategic initiatives55 for enabling the defence to operate in cyberspace:
Treat cyberspace as an operational domain to organize, train, and equip to take full advantage of
cyberspaces potential
Employ new defence operating concepts to protect defence networks and systems
Partner with other US government departments and agencies and the private sector to enable a wholeof-government cybersecurity strategy
Build robust relationships with US allies and international partners to strengthen collective
cybersecurity
Leverage the nations ingenuity through an exceptional cyber workforce and rapid technological
innovation
To effectively operate within cyberspace, through an appropriate organizational structure, a US Cyber
Command has been created. It is single four-star command which consolidates defenses cyber organizations
and operations A single chain of command runs from the head of Cyber Command to individual units around
the world, enabling the command to oversee all cyber operations and to direct the training and equipping of
our force.56
Release of National Strategy for Global Supply Chain Security to achieve following two goals57:
Promote efficient and secure movement of goods by resolving threats early, improving verification
and detection capabilities, enhancing security of infrastructure and maximizing the flow of legitimate
trade
Foster a resilient supply chain by mitigating systemic vulnerabilities and promoting trade resumption
policies & practices
Establishment of National Cybersecurity and Communications Integration Centre (NCCIC) a national
Early Watch and Warning Centre which works closely with the government at all levels and with the
private sector to coordinate the integrated and unified response to cyber and communications incidents
affecting homeland security. It integrates DHS, Department of Defence, Intelligence Community, Law
Enforcement and Private sector and non-governmental partners. It is a 24x7 operations centre that provides
both situational awareness and analysis, and significant cyber incident response capabilities.58
Introduction of Cybersecurity Enhancement Act (yet to become a law) which would allocate USD 396
million for cybersecurity research and USD 94 million for providing scholarships to students pursuing
cybersecurity studies, over a period of four years. The Act also focuses on increasing public awareness
through various campaigns.59
Policy Issues and Criticisms

During three administrations discussed above, the policy focus (till date) has been on voluntary public-private
partnership and information sharing. However, this approach has been criticized primarily for following three main
reasons60 (a) underestimating antitrust, liability and competition related issued in information sharing by private
55
56
57
58
59
60
58
Department of Defense Strategy for Operating in Cyberspace, July 2011

Speech by Deputy Secretary of Defense William J. Lynn, III, Council on Foreign Relations, New York City, Thursday, September 30, 2010 http://www.defense.gov/speeches/speech.aspx?speechid=1509
National Strategy for Global Supply Chain Security, Jan12
http://www.dhs.gov/xabout/structure/gc_1306334251555.shtm
http://www.scmagazine.com/cybersecurity-enhancement-act-passed-by-us-house/article/163176/
organizations (b) undermining issues in sharing of classified information by the government with the private sector;
and (c) wrongly assuming that organizations will take action if they are made aware of the threats. The existing policy
approach, advocates believe, fails to understand that the market forces cannot deliver the required investments and
efforts for ensuring public safety and national security voluntary efforts will always be inadequate. To overcome
this, Center for Strategic and International Studies (CSIS) advocates creation of a light weight regulatory framework,
developed in partnership with the industry.
Other main criticisms of the policy include:
Outdated and incoherent legal framework, given the advancements in technology. To overcome this,
the policy review recommended development of a new legislative framework to rationalize the patchwork
of overlapping laws that apply to information, telecommunications, networks, and technologies, or the
application of new interpretations of existing laws in ways to meet technological evolution and policy
goals, consistent with U.S. Constitutional principles.61
Lack of integrated cybersecurity strategy which aligns priorities, programs, actions, etc. across agencies
and stakeholders for well coordinated, unified response to cyber threats.
DHS defends the government systems and DoD defends military and intelligence networks, however,
there is no particular agency for defending private networks. The policy relies on voluntary efforts and
market forces for defending private networks, which has been inadequate.62
More focus has wrongly been placed on preventing physical damage though the main motive of cyber
attacks has been to steal intellectual property and secrets. It's been estimated that in year 2008 alone cyber
criminals stole intellectual property from businesses worldwide worth up to $1 trillion. 63
Former Special Advisor to the President Bush for Cyberspace Security, who was also the National Coordinator to
President Clinton - Mr. Richard Clarke, has also criticized the Obama Administrations cybersecurity policies. As per Mr.
Clarke, the Obama administration so far has failed to do the necessary with regard to cyberwar; DHS cybersecurity
programs are underfunded and the department has done nothing about cyber threats to critical infrastructure such
as the electric grid; and the Administration has failed to engage public on cybersecurity matters.64
Policy Implementation Issues and Challenges

The policies and programs designed during the three administrations faced following implementation
challenges:65
Government Sector coordination: The PDD-63 called for appointment of a Lead Agency represented by
a Sector Liaison Officer to work with the respective private sector, which was encouraged to appoint a Sector
Coordinator for this purpose. However, during implementation it took time to identify Sector Coordinators,
though the Sector Liaison Officers were readily identified. Then there were coordination issues pertaining
to the diversity of sectors some sectors were more organized than others and had more experience of
working with the government (through other regulatory frameworks). Also, since some of the sectors such
as transportation included different diverse industries such as rail, highways, airlines, waterways, ensuring
that all the relevant players were represented was a challenge. This challenge, however, was addressed by
the Bush Administration by expanding the Sector Liaison Officer and Coordinator model to government
coordination and sector coordination councils.
61
62
63
64
65
Cyberspace Policy Review

http://www.whitehouse.gov/the-press-office/remarks-president-securing-our-nations-cyber-infrastructure
http://blogs.wsj.com/washwire/2010/09/21/former-nsc-official-criticizes-cyber-security-policies/
Congressional Research Service - Critical Infrastructures: Background, Policy, and Implementation, July 2011
59
Internal Agency plans for protection of federal systems were too general and lacked understanding of
what constitutes critical asset and their interdependencies. To overcome this issue, a new program called
Project Matrix was launched, which provided the required guidance to the federal agencies to identify
critical assets, identify their interdependencies and prioritize.
There were communication gaps leading to confusion over applicability of the PDD 63 directive. Many
agencies believed that they were not covered under the PDD 63 directive and hence were not required to
develop internal agency plans. These issues were later clarified.
There were enforcement issues as many internal agency plans developed by federal agencies were found
to be incomplete many did not identify critical assets and their interdependencies and had not conducted
vulnerability assessments; Homeland Security Presidential Directive (HSPD 7) and FISMA helped overcome
such enforcement issues.
The Sector Specific Plans created utilizing the processes outlined in the NIPP were inconsistent some
were more developed and comprehensive than others.
FISMA implementation laid too much focus on documentation, which wrongly channelized the efforts
of the federal agencies towards compliance to FISMA by documentation creation rather than addressing
the real risks.
While creating the National Asset Database for critical infrastructure, there were many infrastructures
included that were claimed to be of local importance rather than national importance. There was
confusion on what this database should contain an inventory of assets from which the list of critical
assets could be derived or an inventory containing only the prioritized assets.
There were issues when it came to information sharing between different agencies including private
and government because of bureaucratic reluctance, legal restraints, lack of trust and confidence, fears of
information misuse, technological difficulties, among others.
60
United Kingdom
The Digital Britain, a policy document published in 2009 by the UK government, described the potential of
cyberspace - Only a Digital Britain will secure the wonders of an information revolution that could transform every part
of our lives.66 To achieve the full potential of the cyberspace, UK realizes the importance of securing the cyberspace.
Announcing the UKs first cyber security strategy, alongside updates on national security strategy, UK Prime Minister
David Cameron said, Just as in the nineteenth century we had to secure the seas for our national safety and prosperity,
and in the twentieth century we had to secure the air, in the twenty first century we also have to secure our position in
cyberspace in order to give people and businesses the confidence they need to operate safely there.67
The first Cyber Security Strategy launched in 2009 highlighted
the need for government, organizations across all sectors,
international partners and the public to work together to meet
strategic cyber security objectives by:68
Reducing risk from the UKs use of cyberspace
Reduce the threat of cyber operations by reducing
an adversarys motivation and capability;
Reduce the vulnerability of UK interests to cyber
operations;
Reduce the impact of cyber operations on UK
interests;
Exploiting opportunities in cyberspace
Gather intelligence on threat actors;
Promote support for UK policies; and
Intervene against adversaries;
Improving knowledge, capabilities and decision-making
Improve knowledge and awareness;
Develop doctrine and policy;
Develop governance and decision making;
Enhance technical and human capabilities.
The UK Cyber Security Strategy has been republished by the government in 2011 with a broader perspective and
coverage, formulating many new initiatives, collaboration mechanisms and creating of new institutions / groups along
with the operationlization of tasks identified in the first strategy document. This strategy was framed to address the
cyber security challenges and risks by:
Enhancing the level of knowledge and awareness of the field of cyber security
Developing a set of guidelines, policies, doctrines for legal & regulatory issues
Developing & defining governance model, roles & responsibilities
Encouraging knowledge & skills development at technological & personal front
Promoting innovation in the field of cyber security with additional funding
Establish a cross-government program
Safe secure & resilient systems
66
67
68
http://www.official-documents.gov.uk/document/cm76/7650/7650.pdf
http://c4i-technology-news.blogspot.in/2011/11/uk-cyber-security-strategy.html
http://www.official-documents.gov.uk/document/cm76/7642/7642.pdf
61
Exploitation of cyberspace for creating opportunities

Encouraging International engagement
Work closely with the wider public sector, industry, civil liberties groups, the public and with international
partners
To operationalize the strategy, government established an Office of Cyber Security (OCS) under the Cabinet Office,
with the primary task of providing strategic leadership and maintaining coherence across the government,
with respect to cyber security. OCS became Office of Cyber Security and Information Assurance (OCSIA) in 2010
and coordinates cyber security programs run by the UK government. Under the oversight of the Minister for Cabinet
Office, OCSIA looks after fund allocation for National Cyber Security Program (NCSP).69
The NCSP identifies following key action points: 70
Enhance the skill levels of information assurance and cyber security professionals by establishing programs
for certified specialist training by the first quarter of 2012.
Continue to support the Cyber Security Challenge, which organizes competitions for a diverse range of
entrants to help identify talented individuals, for addressing the shortage of cyber security experts.
Strengthen postgraduate education to expand the pool of experts having in-depth knowledge of
cyberspace.
Strengthen UKs academic base by developing a coherent cross-sector research agenda on cyber security,
building on work done by the government office for science. Also, establish a research institute in cyber
security.
Commissioning research to clarify the extent, pattern and nature of the demand for cyber security skills
across the private sector.
NCSP is also looking after the investments to ensure a more proactive approach for tackling cyber threats. Together
with NATO allies, UK is establishing a common understanding on how best to defend itself against cyber attack, and
the role of NATO in the collective defence.
When the OCS was created, a Cyber Security Operations Center (CSOC) was also established to keep an eye on the
strength of national cyber security, coordinate the incident response, inform the industry about the risks associated
with cyberspace, and provide analysis and overarching situational awareness of cyber threats. CSOC is positioned
in the Government Communication Headquarter (GCHQ). GCHQ is a part of the National Intelligence Machinery
and works closely with the Security Service and the Secret Intelligence Service for protecting UKs national security
interests. It also includes Communications Electronics Security Group (CESG) to provide advice on information
security and support government, defence and key infrastructure clients with a range of information assurance
services.71
To reduce the risks to the national infrastructure, an interdepartmental organization - Centre for the Protection of
the National Infrastructure (CPNI) - has been established. It engages with CESG, Security Service, police, business
/organizations security specialists, international partners and respective departments (Communication, Energy,
Finance, Transport, Emergency Services, Health, Food, and Water) responsible for national infrastructure sectors for
taking an integrated approach for security of national infrastructure. The CPNI delivers advice that aims to reduce
the vulnerability in the national infrastructure. It has built up strong partnerships with private sector organizations
owning and operating national infrastructure, creating a trusted environment where information can be shared for
mutual benefit. For identifying and managing threats by sharing information with a wider group, a new operational
69
70
71
62
http://www.cabinetoffice.gov.uk/content/office-cyber-security-and-information-assurance-ocsia
UK cyber security strategy 2011
www.gchq.gov.uk/
partnership in the form of a joint public-private sector Cyber Security Hub is being established. It will pool the
government and private threat information and pass that out to nodes in key business sectors, helping them identify
what needs to be done and providing a framework for sharing best practice.
To make security a market differentiator and thereby incentivize industry to develop standards and provide guidance
to customers when they buy products, Department for Business, Innovation and Skills (BIS) is working with the
users, industry and appropriate standards organizations (domestic, European and international) to develop security
kitemarks. The kitemarks will ensure that customers are able to differentiate various products based on security.
Government is developing a community of ethical hackers to minimize the existing vulnerabilities that could be
exploited to perform cyber crimes and to ensure that UKs infrastructure is robustly protected. Supported by GCHQ
and Scotland Yards e-crime unit, UK organizes exercises - the Cyber Security Challenge with intent to help bridge
the talent gap in cyber security. The exercise draws thousands of participants who spend weeks shoring up vulnerable
home networks, cracking weak codes and combing through corrupted hard drives in a series of tests.72 The government
is also planning to develop cyber specialists by setting up a cyber crime unit within the National Crime Agency.73
This will help police departments across the country in tackling cyber-crimes and will also support cyber crime
investigations. Given the global nature of cyber crimes, UK is encouraging adoption of international convention on
cyber crimes and creation & implementation of compatible frameworks of law that enable effective cross-border law
enforcement. It also denies safe havens to cyber criminals and encourages other countries to join the 24/7 Network
for cross-border law enforcement that ensures availability of urgent assistance when required.74 UK has established
a twenty-four hour centre called National Technical Assistance Centre (NTAC), which is under the control of the
Home Office,75 to address the problem of usage of encryption by criminals and terrorists. NTAC facilitates LEAs in
complex processing of encrypted material derived from lawfully intercepted computer communications.
To ensure proactive defence against cyber attacks and securing military networks, a new UK Joint Forces Command
is envisaged from April 2012 which will develop and integrate defence cyber capabilities. As a part of this initiative,
UK is setting up a new Defence Cyber Operations Group to bring together cyber capabilities from across defence
services. This group will include a Joint Cyber Unit, hosted by GCHQ, to develop new tactics, techniques and plans to
deliver military effects, including enhanced security, through operations in cyberspace. To have a focused system of
cyber defence for the armed forces, a new Global Operations and Security Control Centre has been recently started
by UK. There is another Joint Cyber Unit embedded within this centre with the primary purpose of developing and
using a range of new techniques, including proactive measures, to disrupt threats to UKs information security.
While it is important to build capability to defend and protect the country from the cyber attacks, it is equally important
to keep an eye on emerging threats. With this in view, government is monitoring the most significant emergencies
that UK and its citizens could face over the next five years, and has published it in the form of the National Risk
Register (NRR).76 For the identified frauds there is an Action Fraud tool that helps people report them online. This
online tool is also going through various improvements for its functionality and accessibility. To raise awareness on
online security among general public and small businesses, a joint public-private sector campaign - Get Safe Online
has been launched. It is sponsored by government and private companies. It works with a range of community groups
and aims to give people the confidence and know-how to use the Internet securely. It combines marketing and PR
activities with a comprehensive website (www.getsafeonline. org) giving up-to-date advice, tools and guidance on
cyber good practice. It includes advice on topics such as online shopping, social networking sites, data theft and
identity fraud.77
72
73
74
75
76
77
http://timesofindia.indiatimes.com/home/science/Amateurs-roped-in-to-fight-malware-hackers/articleshow/12241559.cms
http://www.cabinetoffice.gov.uk/sites/default/files/resources/uk-cyber-security-strategy-final.pdf
http://www.cabinetoffice.gov.uk/sites/default/files/resources/uk-cyber-security-strategy-final.pdf
http://www.cyber-rights.org/documents/ntac.htm
www.cabinetoffice.gov.uk/resource-library/national-risk-register
UK cyber security strategy 2011
63
UKs vision for 2015 is to help shape an open, stable and vibrant cyberspace which the UK public can use safely and
which supports open societies with crosscutting knowledge, skills and capability it needs to underpin all the cyber
security objectives. UK is planning to derive huge economic and social value from a vibrant, resilient and secure
cyberspace, where actions, guided by its core values of liberty, fairness, transparency and the rule of law, enhance
prosperity, national security and a help build a strong society.
64
Australia
The Australian Prime minister, in a statement has indicated that cyber security is top tier national priority. To tackle
cyber crimes and related issues, Australian government has taken several initiatives. As a major step, the Australian
Cyber Security Strategy was released in 2009. It aims to create a safe and secure digital space for government
and private networks. The strategy document has identified seven strategic priorities, namely: developing threat
awareness and response, changing civilian security culture, promoting publicprivate partnerships, securing
government systems, pursuing international engagement, creating an effective legal framework and building a
skilled cyber workforce. Emphasis was also placed on international collaboration & focused efforts for development
of global standards, expansion of the international legal systems capacity to combat cyber crime, engagement in
bilateral or multilateral agreements to strengthen cooperation on cyber security and active participation in regional
forums such as the UN, International Telecommunication Union (ITU), Asia-Pacific Economic Cooperation (APEC)
etc.; and international working groups such as the Forum of Incident Response and Security Teams (FIRST) and the
International Watch and Warning Network (IWWN).
Below is the description of Australian cyber space and security structure. It discusses the responsible departments &
agencies, Australian governments initiatives in efforts to secure cyber space, special attention to critical infrastructure
protection, existing legal framework and other important parameters.
Attorney-Generals Department (AGD)78 is the lead agency for cyber security policy and chairs the Cyber
Security Policy and Coordination (CSPC) Committee. It is responsible for providing government wide
coordination on cyber security policy, including crisis management and international collaboration, and
providing cyber security guidance to owners and operators of critical infrastructure.
The CSPC79 Committee is the Australian government interdepartmental committee that coordinates the
development of cyber security policy for the Australian government. The CSPC Committee:
provides whole of government strategic leadership on cyber security
determines priorities for the Australian government
coordinates the response to cyber security events, noting that its coordination and policy functions
do not extend to the oversight of operations, and
coordinates Australian governments cyber security policy internationally.
Australian Communications and Media Authority (ACMA) is responsible for the regulation of broadcasting,
the Internet, radio and telecom. It gathers evidence and assists in computer fraud and identity theft cases.
It also ensures that ISPs and Telecom Service Providers are meeting their regulatory obligations regarding
misuse and illegal content. It has also encouraged and played a vital role in the development of cyber
security Code of Practice, known as iCode, which provides a consistent approach for Australian ISPs to
help inform, educate and protect their clients in relation to cyber security issues. It works with ISPs for the
identification of compromised computers and investigates & acts against those involved in the distribution
of spam.
The Australian Internet Security Initiative (AISI) collects data from various sources on computers exhibiting
bot like behaviour on the Australian Internet space. Using this data, ACMA provides daily reports to
participating ISPs who in turn inform their customer that their computer appears to be compromised and
provide advice on how they can fix it.
Australian Federal Police (AFP) enforces criminal law and ensures its enactment. In relation to cyber
security, the AFP provides a specialized investigative capacity to support investigation and prosecution of
78
79
http://www.ag.gov.au/Cybersecurity/Pages/default.aspx
http://www.ema.gov.au/www/agd/agd.nsf/Page/OrganizationalStructure_E-SecurityPolicyandCoordinationBranch
65
complex technology enabled crime offences. It actively engages in the implementation of crime prevention
strategies and cooperates with international agencies to solve cyber crime.
Australian Security Intelligence Organization (ASIO)80 has the responsibility of investigating electronic
attacks conducted for purpose of espionage, sabotage, terrorism or other forms of politically motivated
violence, attacks on the defence system. It collects intelligence both domestically and internationally. It
produces threat assessments and protective security advice for government and critical infrastructure.
According to media news, a new cyber espionage watchdog has been created within the ASIO. The reason
cited for its setup is to monitor espionage attempts against Australian critical infrastructure assets and
releases alerts to agencies and critical infrastructure owners in a manner similar to the Computer Emergency
Response Team (CERT) Australia. ASIO has reportedly also established a specialist cyber investigations unit
to investigate and provide advice on state-sponsored cyber attacks against, or involving, Australian interests.
The unit operates under the supervision of the First Assistant Director-General for Counter-Espionage and
Interference.
CERT Australia81 was established in January 2010 and is the national coordination point within the
government for the provision of cyber security information. It assists the owners and operators of critical
infrastructure and systems of national interest. CERT Australia is also Australias official point of contact in
the global CERTs to support international collaborations.
Defence Signals Directorate (DSD) is the national authority responsible for the security of ICT across
government. It ensures that sensitive government electronic information systems are not susceptible to
unauthorized access, compromise or disruption. DSDs functions and responsibilities include:
providing material, advice and other assistance to State authorities on security issues
providing assistance in relation to cryptography and communications technologies and
through Cyber Security Operations Centre (CSOC), it is responsible for maintaining a comprehensive
national picture of cyber security threats, through monitoring and analysis of all information sources and
rapidly respond to cyber attacks. It provides a central point for sharing information across government
and coordinates with other agencies on response activities to enhance Australian governments
ability to prevent cyber attacks. The CSOC provides cyber situational awareness and an enhanced
ability to facilitate coordinated responses to, and management of, cyber security events of national
importance.
Joint Operating arrangements (JOA) were established by the Australian government whereby operational
cyber security agencies (DSD, AFP and ASIO) identify, analyze and respond to cyber events of serious national
consequence. The JOA agencies determine which agency has primary carriage of a security event response
on the basis of the nature of the event and individual agency responsibilities.
Department of Broadband, Communications and the Digital Economy (DBCDE) has responsibility of
working with the ACMA and Internet industry and collaborating internationally ensuring that its international
activities align with whole of government objectives.
Australian Government Information Management Office (AGIMO) works with government agencies
to ensure that Australian government ICT proposals have adequately considered cyber security risks. It
preaches adoption of a government wide approach to the management of common assets and data
sharing. It also promotes security and resilience as essential requirements of e-Government initiatives. One
of the major tasks carried out by AGIMO is to develop government strategies to help match demand for
increasing requirements of skilled cyber security practitioners. Also, it coordinates a strategy with ACMA
for managing Internet gateways for the Australian government agencies.
80
81
66
http://www.asio.gov.au/
http://www.cert.gov.au/
OnSecure is a cooperative project between DSD and AGIMO with the aim of improving the collection of
information security event reports in the government and improving the analysis capabilities of such events.
Important information on potential threats, vulnerabilities and mitigation derived from the analysis is then
disseminated via OnSecure to all government agencies. OnSecure is the central Australian government
Internet site for information security material provided by DSD.
Other than the above mentioned agencies and initiatives, Department of Prime Minister & Cabinet has set up
National Security and International Policy Group Executive which is supported by various functions such as:
National Security Advisor provides a high level of leadership, direction and coordination amongst
national security and intelligence agencies. The NSA is the principal source of advice to the Secretary of
the Prime Minister and Cabinet on all policy matters relating to the security of the nation and oversees the
implementation of all national security policy. Dy. NSA supports the function of NSA.
National Security Chief Information Officer (NSCIO) provides strategic direction and coordination
for information sharing across the national security community. This includes harmonizing the broad
policy, governance and legislative arrangements currently in place so as to improve interoperability and
collaboration, and provide oversight of the national security information management environment.
Cyber Policy Coordinator (CPC) coordinates the whole-of-government approach to cyber policies and
activities. The CPC provides strategic leadership and coordination on matters of cyber policy and strategies
across the entire cyber spectrum, from online consumer protection to cyber defence.
In the context of Australian cyberspace, a total of 17 sectors have been labeled as critical infrastructure sectors. CIP
is a top priority for Australian government. Since the creation of the Program in 2003, its primary focus has been
to share information & best practices with the owners and operators of critical infrastructure and to strengthen &
improve their security measures and to help prioritize their risk management. Under this program, they have also
developed resilience strategy to protect critical infrastructure. As part of strategy, they have:
Trusted Information Sharing Network (TISN) comprising 7 critical infrastructure Sector Groups (SGs),
2 Expert Advisory Groups (EAGs), Communities of Interest (CoI) and the Critical Infrastructure Advisory
Council (CIAC). TISN members include owners and operators of critical infrastructure, government agency
representatives and peak national bodies. The TISN, through its SGs and EAGs , seeks to promote the need
for investment in resilient, reliable infrastructure with market regulators. It also builds up risk management
framework for infrastructure such as SCADA and prepares protective security risk reviews for critical
infrastructure.
Critical Infrastructure Program for Modelling and Analysis (CIPMa) is a computer modelling program
that uses a vast array of data and information from a range of sources (including the owners and operators of
critical infrastructure) to model and determine the consequences of different disasters and threats (human
and natural) to critical infrastructure. CIPMa also helps government shape policies on national security and
critical infrastructure resilience.
The Australian government has established a new company to build and operate a National Broadband Network
(NBN)82 to deliver superfast broadband access for all Australians. In the 200708 Budget, the Australian government
allocated funds over four years to implement a range of initiatives (listed below) designed to enhance the protection
of home users and small businesses from electronic attacks and fraud. Few of these are:
National Cyber Security Awareness Week is organized each year in partnership with industry, community
organizations and all levels of government. The Awareness Week aims to educate users on the simple steps
they can take to protect their personal and financial information online.
82 http://www.minister.dbcde.gov.au/media/media_releases/2009/022
67
Cyber security website named Stay Smart Online provides information for Australian internet users on
cyber security issues and necessary measures. It offers information on a wide variety of topics including
securing computer, tips to safely bank & shop online and links to resources for parents and teachers to
help them protect their children online. Users can also subscribe to free alerts via e-mail, sms and RSS feeds
about the latest cyber security threats & vulnerabilities and possible solutions to address them.
Budd:e cyber security education package is a key component of the Australian Governments commitment
to raising the cyber security awareness among school going children. These modules are interactive and
self learning and are designed to help students adopt secure online practices and behaviours in a fun way.
Cyber security topics covered in the modules include malicious software, securing personal information
online and social networking.
National Identity Security Strategy aims to combat the misuse of stolen/assumed identities and fight
identity crime. Measures adopted include a new system for the electronic verification of documents used as
evidence of identity thereby improving registration and enrolment procedure, enhanced security features
and Strong authentication standards, ensuring accuracy in the identity information held by government
agencies and Biometric interoperability, to confirm the identity of individuals.
Cyber White Paper: A Cross agency team will develop Cyber White Paper which will bring together and
describe the important relationships in the cyber environment between social well-being, economic
prosperity and broader national interests. It will provide a framework for interaction across intra government
agencies & departments and between government and industry. The first version will be released sometime
around June 2012.
Other than the above mentioned programs/initiatives, one of the major initiatives taken by the government is for
engaging resources capable of undertaking security practice from an early age. Multi level executable career path
is designed to cater to national security requirements and retain the skilled professionals for protection of national
assets. The Australian Qualifications Framework is the national policy for regulated qualifications in Australian
education and training. Specially tailored security training programs contribute to a number of career pathways
like protective security, security risk management, government investigation and specialist security practitioners,
including physical security, ICT security.
Australia has a comprehensive cyber security legal framework, comprising Commonwealth and State legislation.
At the Commonwealth level, the key elements of this framework include Australian Security Intelligence Organization
Act 1979, Telecommunications (Interception and Access) Act 1979, Criminal Code Act 1995 (as amended by the
Cybercrime Act 2001), Telecommunications Act 1997, Intelligence Services Act 2001, Spam Act 2003 and Surveillance
Devices Act 2004.
Australia has partnered with allies under Cyber Storm with US, UK, Canada and New Zealand (Five Eye Countries) in
cyber storm initiative, to conduct cyber security mock drill exercises for both public and private sector organization
that helps them assess their security preparedness simulating crisis as would occur under cyber attack on national
critical infrastructure. Cyber storm also conducts regular online war games with organizations and shares online
defence and critical information across designated agencies within the DSD and the AGs Department. It is in news that
US and Australian officials have decided to include cooperation on cyber security as part of their defence treaty.
From the analysis above, it can be clearly seen that significant steps have been taken by the Australian government
to secure its digital ecosystem. Departments and offices have well defined functions and roles to play with respect
to cyber security.
68
Japan
Japan was one of the first countries to formulate a national cyber security strategy. The Government of Japan started
to address IT security issues in 1999. Prior to this, Security Measures for Computer Networks in Large Industrial
Facilities and Countermeasures against Cyber Terrorism & Cracking was released in March 1998.
It was followed by the Action Plan for Building Foundations of Information Systems Protection from Hackers
and Other Cyber threats which was adopted by the Interagency Director-Generals Meeting on IT Security on 21
January, 2000. This plan highlighted the need for a governmental structure to respond to cyber threats. It established
the need for a national IT security policy. Developing cyber-terrorism countermeasures to protect critical infrastructures
and putting the government in-line with the transition to an e-government were also prioritized. Also, raising private
sector awareness and enhancing international cooperation were stressed upon. Based on this plan, the Cabinet
Secretariat came up with Guidelines for IT Security in July, 2000 and Special Action Plan on Countermeasures
to Cyber terrorism of Critical Infrastructure in December, 2000.
The Cabinet Secretariat IT Security Office was established in February, 2000. Following that, in April, 2000, Branch
for IT Security was established in Cabinet Office for National Security Affairs and Crisis Management in order
to better coordinate the policy and measures among ministries and agencies. The branch is composed of experts
from ministries, agencies concerned and from private sector. It proposed the following administrative structures for
strengthening IT security:83
Inter-ministerial Coordination Body
Established by the Prime Minister's Decision on February, 29, 2000 under the auspice of the Advanced
Information and Telecommunication Society Promotion Headquarters.
Composed of Director General level officers
Wisemen Committee for IT Security
Composed of academia, experts and representatives of the private critical infrastructure
2 Working Groups were created under this committee - IT security & Cyber terrorism
In March 2001, IT Strategy Headquarters established e-Japan Priority Policy Program. As a result of this program, an
action plan to secure IT infrastructure of the government was created which included establishment of Government
- Private Sector Partnerships and National Incident Response Team.
In 2005, as a major step, National Information Security Centre and Information Security Policy Council were setup to
strengthen the cyber security posture in Japan. Following that, the first National Strategy on Information Security
(NSIS) was published in 2006.
Next to follow were the annual plans, focusing on specific themes:
Secure Japan 2006 First step toward a trustworthy society
Secure Japan 2007 - Upgrading of information security measures for safe and secure cyberspace
Secure Japan 2008 - Intensive efforts for enhancing information security infrastructure
Secure Japan 2009 - All entities should assume they may be subject to accidents
Information Security Strategy for Protecting the Nation (May 2010)
Information Security Research and Development Strategy (July 2011)
83
http://www.kantei.go.jp/foreign/it/security/2000/0519taisei.html
69
70
In February 2009, the Japanese government adopted the second NSIS for the years 2009 through 2011. The three year
plan includes four subjects: central and local governments, critical infrastructure, business entities, and individuals.
As part of the NSIS process, the Japanese government adopted Secure Japan 2009. During this period, large- scale
cyber attacks in the US and South Korea, particularly alerted Japan. On 11th May 2010, Information Security Policy
Council came up with Information Security Strategy for Protecting the Nation. This Strategy is a compehensive
approach that inlcudes the 2nd NSIS and applies for four years (FY2010 to FY2013). Based on this strategy, two annual
plans for information security have been devised - 2010 & 2011.
71
Responsible Ministries and Agencies

List of Ministries responsible for Cyber security in Japan:
Ministry of Internal Affairs and Communications (MIC)
Ministry of Economy, Trade, and Industry (METI)
Ministry of Defence (MOD)
Other than above mentioned ministries, few important agencies that have been tasked to handle the cyberspace
are listed below:
National Police Agency (NPA) is an agency administered by the National Public Safety Commission of the Cabinet
Office in the cabinet of Japan, and is the central coordinating agency of the Japanese police system. It has the task
of regulating cyber security strategy and provides investigation support in this matter.
National Information Security Center (NISC) was setup in Cabinet Secretariat in April 2005. The head of the NISC
is one of three Assistant Chief Cabinet Secretaries. This official has dual responsibilities for national security and
emergency response systems, including physical security and cyber security. The main ministries that serve under
the NISC are the MIC, METI, NPA and MOD.
Information Security Policy Council (ISPC) was formed under IT strategic headquarters in May, 2005. It is chaired
by a Chief Cabinet Secretary. Under the ISPCs formal direction and in cooperation with the NISC, policies are carried
out by the ministries and agencies.
Japan Computer Emergency Response Team Coordination Center (JPCERT/CC)84 is the first CSIRT (Computer
Security Incident Response Team) established in Japan. The organization coordinates with network service providers,
security vendors, government agencies, as well as the industry associations. Its activities include incident response
and analysis, generating security alerts via a weekly report containing potential threats and advisory message,
coordination and collaboration with other CSIRTs, vendor coordination
Information Technology Promotion Agency (IPA)85 has the responsibility to solve diverse IT issues and create
an IT-based society where people can live their lives feeling secure. IPA is an independent administrative agency
promoting Japans IT strategies through improving the quality of software development and nurturing IT human
resources. Three missions of IPA are:
Assuring the security & reliability of IT in Social Infrastructure
Strengthening international competitiveness
Cultivate highly skilled world class IT human resource
The Information Technology Security Center (ISEC) is the leading unit for promoting Japanese IT security
countermeasures, including raising security awareness to the Japanese citizens, providing alert information on latest
security vulnerabilities and publishing security guidelines for enterprises and home users.
National Incident Response Team (NIRT)86 is a sub-agency of Japans Cabinet Secretariat; NIRT is responsible for
protecting the civilian computer networks from attack and intrusion, primarily at the Cabinet level of the Japanese
government.
84
85
86
72
About JPCERT/CC : http://www.jpcert.or.jp/english/about/

http://www.ipa.go.jp/english/pdf/OrganizationProfile2011.pdf
http://www.ists.dartmouth.edu/projects/archives/japanese-cybersecurity-training.html
Japan Network Security Association (JNSA)87 is to promote standardization related to network security, and to
contribute to greater technological standards in the field, enhancing the public welfare through awareness, education,
research and information-dissemination activities related to network security.
Information Security Operation providers Group Japan (ISOG-J)88 has been established to encourage familiarizing
the security operation services to improve their service-level through improvement of security operation technologies,
training organizations, to contribute to the realization of the IT environment which is safe and can be used with
ease.
Information Security Education Providers Association (ISEPA)89 coordinates with NISC, METI & MIC on various
education and awareness initiatives. Its activities include information sharing with multiple agencies, providing
consultancy and advisory services to organizations and governments, promoting information security as a concept,
career map development program, training content development among others. Members include Japan Information
Security Audit Association, JNSA, CompTIA, Information Systems Audit and Control Association (ISACA) Tokyo
Chapter, International Information Systems Security Certification Consortium (ISC)2, SysAdmin, Audit, Network,
Security (SANS) etc.
National Institute of Information and Communications Technology (NICT)90 is the sole national research institute
in the information and communications field. It works for advancement of national technologies, contributes to
national policies and promotes research and development by cooperating with and supporting outside parties.
Japan Information Security Audit Association (JASA) 91 was established to maintain the prevalence and penetration
of the Information Security Audit based on the Authorized Information Security Audit System.
Internet Association Japan (IAJapan)92 is a non-profit and industry-based organization which was established by
the consolidation with Internet Association of Japan and Electronic Network Consortium and was legally permitted
by Ministry of Internal Affairs and Communications MIC and METI. It provides leadership in promoting advanced
systems of the Internet and in solving problems which ISPs encounter to when they operate services.
Government Security Operations Centre (GSOC) was established in April 2008 and has the responsibility of
monitoring and responding to attacks on government and critical infrastructure.
In total, 10 sectors have been identified as critical based on the first national strategy on information security namely:
Telecom, Finance, Civil aviation, Railways, Electricity, Gas, Administrative Services, Medical Services, Water works,
Logistics.
Capability for Engineering of Protection, Technical Operation, Analysis and Response (CEPTOAR)93 was created
in each of the 10 critical infrastructure fields. CEPTOAR is the function for sharing and analyzing information to
improve the ability to maintain and recover services of critical infrastructures. Critical infrastructure companies
communicate and share information provided from governments for prevention of IT-malfunctions, prevention of
expansion of suffering, rapid resumption from suffering and prevention of recurrence.
87
88
89
90
91
92
93
http://www.jnsa.org/en/aboutus/index.html
http://www.jnsa.org/isog-j/e/about_overview.html
http://www.nca.gr.jp/jws2008/WS6-07-isepa.pdf
http://www.nict.go.jp/about/charter-e.html
http://www.jasa.jp/
http://www.iajapan.org/
http://www.soumu.go.jp/main_sosiki/joho_tsusin/eng/presentation/pdf/070522_1.pdf
73
All these agencies collaborate and coordinate by sharing information based on the following structure:
74
Cyber Security Advisory Group

Chair
Mr. Rajendra Pawar
Chairman, Executive Council, NASSCOM

Chairman & Co-founder, NIIT Group
Member Secretary
Dr. Kamlesh Bajaj
Chief Executive Officer, DSCI
Members
(Listed in alphabetical order)
Public Sector
Mr. Anil Kumar
Chief Information Security Officer, Oil & Natural Gas Cooperation Limited
Mr. M. D. Agrawal
Head- IT, Refinery Division, Bharat Petroleum Corporation Limited
Mr. M.M. Oberai
Deputy Inspector General of Police, Central Bureau of Investigation, Economic Offences
Mr. R. K. Sharma
General Manager-IT, Bharat Sanchar Nigam Limited
Mr. S.P. Mukhopadhyay
Chief Information Security Officer, State Bank of India
Private Sector
Mr. Adapa Raja Vijay Kumar
Vice President & Global Information Security Leader, Genpact
Mr. Ameet Nivsarkar
Vice President, NASSCOM
Mr. Arijit Sengupta
Chief Executive Officer, BeyondCore
Col. Arun Kumar Anand
Vice President & Chief Information Security Officer, NIIT Technologies
Mr. Felix Mohan
Senior Vice President & Global Chief Information Security Officer, Bharti Airtel
Mr. Mukesh Aghi
Chairman & Chief Executive Officer, Steria India
Mr. Murali Krishna
Senior Vice President and Head of Global IT, Infosys
Ms. Nandita Jain Mahajan
Chief Privacy Officer and Director, IBM Global Process Services
Mr. Pankaj Agrawal
Chief Information Security Officer & Head IT Governance, Aircel
Mr. Pazhamalai Jayaraman
Chief Information Security Officer & General Manager Information Risk Management & Policy Compliance, Wipro
Mr. Rajesh Dalal
Vice President - Technology, MakeMyTrip India Private Limited
Mr. Rohan Mitra
Manager -Corporate Affairs, Yahoo India Private Limited
Col. Sameer Anukul
Director- Risk Prevention, Carrefour
Mr. Sanjay Bahl
Chief Information Security Officer, Microsoft India
Mr. Suhaan Mukerji
Partner, Amarchand Mangaldas
Mr. Vishal Salvi
Chief Information Security Officer, HDFC Bank
Mr. Yazad Patel
Managing Director & Head- IT , Deutsche Bank
DSCI Team
Mr. Vinayak Godse
Director-Data protection
Mr. Rahul Jain
Senior Consultant -Security Practices : Principal Author
Mr. Vikram Asnani
Senior Consultant - Security Practices
Mr. Mayank Lau
Consultant- Security Practices
Mr. Rahul Sharma
Consultant- Security Practices
Mr. Atul Kumar
Security Analyst
DATA SECURITY COUNCIL OF INDIA
A NASSCOM Initiative
L: Niryat Bhawan, 3rd Floor, Rao Tula Ram Marg, New Delhi - 110057, India
P: +91-11-26155071 | F: +91-11-26155070 | E: info@dsci.in | W: www.dsci.in

NASSCOM-DSCI Cyber Security Advisory Group (CSAG) Report

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

NASSCOM-DSCI Cyber Security Advisory Group (CSAG) Report

Uploaded by

Copyright:

Available Formats

NASSCOM

PROMOTING DATA PROTECTION

NASSCOM-DSCI CYBER SECURITY ADVISORY GROUP REPORT

DATA SECURITY COUNCIL OF INDIA

Published in March 2012

Designed & Printed by

he whole world suddenly appears to be waking up to the cyber security

NASSCOM-DSCI CSAG REPORT

NASSCOM-DSCI CSAG REPORT

Indian Cyberspace and Cyber Security Initiatives............................................................................15

Key Learning and Imperatives for India .............................................................................................27

Public-Private Partnerships in Cyber Security and Role of DSCI.................................................41

Security A Global Issue.........................................................................................................9

SECURING OUR CYBER FRONTIERS

NASSCOM-DSCI CSAG REPORT

SECURING OUR CYBER FRONTIERS

NASSCOM-DSCI CSAG REPORT

2. Cyber Security A Global Issue

SECURING OUR CYBER FRONTIERS

2.2 Cyber Threats

NASSCOM-DSCI CSAG REPORT

SECURING OUR CYBER FRONTIERS

2.3 Cyber Security Challenges

NASSCOM-DSCI CSAG REPORT

2.4 The Imperatives

SECURING OUR CYBER FRONTIERS

NASSCOM-DSCI CSAG REPORT

3. Indian Cyberspace and Cyber

SECURING OUR CYBER FRONTIERS

NASSCOM-DSCI CSAG REPORT

3.2. The Threat Landscape

SECURING OUR CYBER FRONTIERS

NASSCOM-DSCI CSAG REPORT

3.3. Legal Framework Information Technology (Amendment)

3.4. Policy Initiatives

SECURING OUR CYBER FRONTIERS

3.4.2 Triad of Policies to drive a National Agenda for ICTE

NASSCOM-DSCI CSAG REPORT

National Policy on Information Technology, 2011

National Telecom Policy, 2011

National Policy on Electronics, 2011

SECURING OUR CYBER FRONTIERS

3.5. Cyber Security Initiatives

3.5.1. Government Initiatives

Information Security Education and Awareness

NASSCOM-DSCI CSAG REPORT

LEA Capacity Building Programs

Security in e-Governance projects

Common Criteria Certification Scheme

SECURING OUR CYBER FRONTIERS

3.5.2. NASSCOM and DSCI Initiatives

Worldwide Cyber Security Summit

NASSCOM-DSCI CSAG REPORT

SECURING OUR CYBER FRONTIERS

NASSCOM-DSCI CSAG REPORT

4. Key Learning and Imperatives for

4.1 Key Learning for India

4.1.2 Critical Information Infrastructure Protection Regulate versus Incentivize

SECURING OUR CYBER FRONTIERS

4.1.3 ICT Supply Chain Risks Foreign versus Indigenous

NASSCOM-DSCI CSAG REPORT

4.1.4 Encryption National Security versus Economic Growth

SECURING OUR CYBER FRONTIERS

4.2. Imperatives for India