Jonathan Diamond analyzes recent developments in India’s national cyber security policies.
This summer was a busy period for cyber security in India. Beginning with the release of the country’s first National Cyber Security Policy on July 2, followed shortly by a set of guidelines for the protection of national critical information infrastructure (CII) developed under the direction of the National Technical Research Organization (NTRO), India has made respectable progress in its national cyber security mentality. However, the National Cyber Security Policy, taken together with what little is known of the as-yet restricted guidelines for CII protection, raises troubling questions, particularly regarding the regulation of cyber security practices in the private sector. Whereas the current Policy suggests the imposition of certain preferential acquisition policies, India would be best advised to maintain technology neutrality to ensure maximum security.
According to Section 70(1) of the Information Technology Act, Critical Information Infrastructure (CII) is defined as a “computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety.” In one of the 2008 amendments to the IT Act, the Central Government granted itself the authority to “prescribe the information security practices and procedures for such protected system[s].” These two paragraphs form the legal basis for the regulation of cyber security within the private sector.
Despite this basis, private cyber security remains almost completely unregulated. According to the Intermediary Guidelines, intermediaries are required to report cyber security incidents to India’s national-level computer emergency response team (CERT-In). Other than this relatively small stipulation, the only regulation in place for CII exists at the sector level. Last year the Reserve Bank of India mandated that…