NASSCOM and DSCI welcome the National Cyber Security Policy (NCSP), 2013 as an affirmative step in the right direction. The policy will enable integration of ongoing and new activities and programs under an umbrella framework with a cohesive vision and a set of sustained and coordinated strategies for implementation. The policy points out a complete ecosystem by virtue of which a secure computing environment can be created in India. The NCSP takes holistic view of various challenges and risks of operating in cyberspace and details out strategies for addressing them to a great extent even though it avoids going into specifics. The challenge, however, is in implementation of the policy and defining the specifics.
It is heartening to find that many of the recommendations of the NASSCOM-DSCI report ‘Securing Our Cyber Frontiers’ are incorporated in the policy. The key recommendations of the Joint Working Group (JWG) report on ‘Engagement with Private Sector on Cyber Security’ are also covered by the policy. The emphasis of these two reports was on formulation of public-private partnerships to address cyber security issues and the NCSP rightly gives prominence to public-private partnerships for implementation of strategies in many of the identified areas.
While the policy has provisions that encourage organizations to adopt security measures through various incentives, many other provisions mandate security measures esp. in critical sectors and e-governance. Though regulations may be necessary they should not add to cost without necessarily improving security of critical information infrastructure. Too much of government intervention through regulations can also undermine business innovation; it can make it uncompetitive. Therefore, provisions which are mandatory in the policy need deeper analysis based on the experience of other countries and the Indian context.
Another focus area of the NCSP is indigenous development of cyber security products through cutting edge R&D. The key objective of developing indigenous security technologies is to enhance security levels especially to address national security concerns. We believe that giving preference to indigenous products for national security reasons may not be the right policy direction. To effectively address such risks without affecting business competitiveness and country’s image as a promoter of global trade and market, India should build its capacity to mitigate ICT supply chain risks. And, NCSP rightly focuses on building testing infrastructure and facilities for IT security product evaluation. The focus on developing indigenous products must be there but for the reasons of economic growth, targeting the global security market, and not solely driven by national security concerns.
The policy is expected to boost the cyber security products and services market in India, providing significant opportunities to security product and services companies and auditing firms. It is also likely to give impetus to the domestic security industry esp. the startups offering niche and innovative security products. The policy items once implemented would create direct and indirect jobs as many new infrastructures would be established. Overall, the policy implementation can be expected to contribute positively to the economic growth of the country, but this contribution should not come at the cost of policy becoming a hurdle for businesses and that too without necessarily improving or strengthening security posture. To avoid such risks, a well thought out implementation plan that is practical and relevant, which balances the desired goals and on ground realities and takes into account the interests of concerned stakeholders including the industry will be crucial. NASSCOM and DSCI look forward to working with the government in preparing a detailed action plan to implement strategies identified in NCSP.
An in-depth analysis of the policy is available at http://www.dsci.in/node/1474.