
Cyber-Security – India's National Force-Buildup


Cyberspace creates countless opportunities alongside complex challenges. India, as a technologically advanced country with substantial online services and businesses, is highly dependent on computer communication and control systems. This is not unique to India; it is a global phenomenon. The more countries and organizations rely on developing technology in cyberspace to run, manage and control business operations, the greater their vulnerability and the risk of severe disruption of these technologies.

Today, there is a common understanding that cyber-security threats are among the most serious national security, public safety, and economic challenges for every nation and for society worldwide; there are innumerable examples of cyberspace misuse. Events of recent years show that cyberspace has become an area of much activity and conflict: some countries and organizations receive state support to act against other countries, while others operate for intellectual property espionage and theft. Another group of active attackers is terrorists, who use cyberspace to promote their own agenda, exploiting the ability to remain anonymous. Criminals and criminal organizations operate in cyberspace for money theft, blackmail and financial fraud. Finally, cyberspace accommodates ad hoc individuals and groups of activists operating at any given moment against a common target. Correlating these developments with India’s National Cyber-security Policy vision, as declared in 2013[1], requires India to initiate a process that will transform it into a more secure place to do business and to use services in cyberspace. Such a process will enhance India’s resilience to cyber-attacks and its ability to protect its interests. On top of these objectives, it will help shape an open and stable cyberspace that supports India’s economic development, and help build India’s cyber-security knowledge base, skills and capabilities.

Over a year has passed since India set out its National Cyber-security Strategy. Its release in 2013 was an important step towards securing India’s cyberspace. However, certain areas need further consideration for its actual implementation.

This article presents a force build-up process, focusing on a high-level defense approach that aims to improve the security and resilience of national information infrastructures and services, by discussing its conceptual pillars.

The Five Pillars of Cyber-Security National Force Build-Up

The process of national cyber-security force build-up is the product of long-term preparation, requiring various stakeholders, projects and developments to enable a sustainable, systematic and targeted force build-up. Cyberspace force build-up is a challenge that requires national-level system sizing. The model comprises five basic pillars. The first pillar is the formulation of a national strategy in cyberspace. This component is the foundation upon which the entire force build-up process rests, and it therefore shapes how the nation manages its resources and efforts in order to improve its cyberspace abilities and worldwide position. The second pillar is the technological development of the cyber-security capabilities needed to implement that strategy. The third pillar is the development of human resources and human capital, which are needed to make effective use of the developed technology within the strategy framework. The fourth pillar is the definition of the organizational structure needed to support the strategy. Lastly, all of the above have to be trained, assimilated and drilled to ensure that all systems function properly and to systematically refine and develop knowledge.

National Strategy

The development of a national strategy is the initial phase of the force build-up, and it must address two different perspectives:

  • An offense strategy in cyberspace must be addressed, as India needs to respond to large-scale cyber-attacks carried out by potential rivals. Thus, India needs a clear strategy for how it reacts to hostile actions that threaten the government, the military, citizens’ health or the country’s economy. As offense strategy has a different mission, it should be discussed in a parallel process, which is not the focus of this article.

  • A comprehensive defense approach must be developed reflecting India’s cyberspace vision.

The defensive strategy needs to address the unique and differing security needs of the following sectoral groups:

  • The protection of national security organizations and sensitive defense industries

  • The protection of critical national infrastructure

  • The protection of government services

  • The protection of the civilian sector.

Although the first three groups described above are assumed to be, to some extent, more secure and regulated, the fourth group is the most vulnerable one. This group includes organizations, businesses and private users, and it typically has no cyber-security guidance. The entities in this group are not regulated and are thus the most vulnerable to attackers, who prefer to target less protected victims. One can only imagine a successful terror attack on one of India’s large food manufacturers, the magnitude of a successful fraud against a private financial organization, or the effect of cyber theft of Intellectual Property (IP) from India’s technology companies. At the same time, changes in the structure of India’s economy and privatization processes should sharpen the understanding that the cyber-security of the civilian sector has to be addressed with greater attention.

One of the key elements of the process of developing a cyber-security strategy is a national cyber-security risk assessment, with a specific focus on critical information infrastructures. Based on risk analysis, the strategy should define the minimal defensive measures to be taken in each of the national cyber-security force build-up pillars. India needs to evaluate where it stands and where it needs to focus its resources and investments in order to increase the global resilience and security of national ICT assets, which support critical functions of the state. Such an evaluation needs to be done along 4 different threads:

  • The nation’s ability to have accurate early warnings of cyber-security related events.

  • The nation’s cyber incident prevention capabilities.

  • The nation’s competence to detect and identify security events.

  • The nation’s response capabilities. This should be measured for the early warnings and for a particular event or series of events, in order to mitigate the current situation, to take further corrective actions in relation to deficiencies identified and in order to prevent these events from re-occurring in the future.

Alongside this, there are two key phases in the development of a national cyber-security strategy: developing and executing the strategy, and evaluating and adjusting it. A lifecycle approach needs to be adopted, i.e. the output of the evaluation phase is used to maintain and adjust the strategy itself. The national strategy should be able to respond quickly to emerging cyber-security issues and emerging threats. The strategy objectives also need to be prioritized; this is of paramount importance for successful implementation and for constant improvement.

The success of the implementation of India’s national cyberspace strategy relies on the following four pillars of the cyberspace force build-up.

Technology and means

A country retaining cyber-security technology leadership enjoys economic advantages as well as geo-political dominance in cyberspace. On top of that, the application of constantly evolving defense tools is required to achieve India’s cyberspace vision today and in the future. It brings innovation in protecting critical infrastructures, enhanced command and control capabilities, high-quality intelligence and so on. Obviously, there are also advantages to precise and rapid attack capabilities in the offense realm. These capabilities contribute to a nation’s power and strengthen its national security and international position.

Some of the challenges India is facing today are the level of its cyberspace hygiene, the lack of cyber-security information sharing tools and best practice, lack of internal cyber monitoring, and the lack of proactive cyber defense capabilities within the country’s critical infrastructure.

It is important that India invest in acquiring the proper technology and means, both by developing new technologies internally and by purchasing from the private sector or from allied governments. A coordinated national effort to encourage the private sector, by funneling R&D investments into developing new cyber-security defense tools and defense operations concepts, should be part of this phase. Investing in R&D and putting seed money into new technology companies is one of the country’s tools for making sure that new technologies and cyber-security products are synchronized with the strategy requirements. It will also serve two of India’s objectives: better customized products with which to defend itself, and the promotion of India as an exporter of technology. For example, one of the components of India’s cyberspace strategy will probably be the establishment of an integrated national CERT[2] for India. This may in turn require funding the R&D of dedicated early warning technologies.

It is important that India strengthen its cyber defense R&D programs and further support and prioritize the cyber defense industry. The government needs to coordinate cooperation between security and defense organizations, such as military and intelligence agencies, and high-tech R&D companies.

The Development of Designated Human Resources

Human resource and human capital development must be fully integrated and synchronized with the technological development of tools and methods, so as to make maximal use of all national resources for the fortification of India's cyber capabilities.

For example, the cyber-security workforce needs to stay up to date with emerging risks and threats, and with cyber-security technologies, which typically requires frequent knowledge acquisition and continued study.

Another issue to be considered is innovation in cyber-security, from both the offensive and the defensive perspective, in order to be among the world’s leaders. This can be achieved through inter-sectoral partnerships and by giving cyber-security talent the flexibility to move and integrate easily between sectors such as high-tech, academia, government agencies and the private sector, so as to constantly develop skills and advance India’s knowledge base for the development of future opportunities.

In the long term, it is important to define the overall cyber-security workforce requirements, in order to ensure that the country is investing in educating the right types of workforce and keeping pace with workforce demand.

The development of the cyber workforce needs to address the typical duties and skills required. The National Institute of Standards and Technology (NIST) of the U.S. Department of Commerce released its workforce framework[3] in 2013, identifying seven cyber-security workforce categories:

  • Securely provision: workers who are responsible for conceptualizing, designing, and building secure Information Technology (IT) systems (i.e., responsible for aspects of systems development).

  • Operate and maintain: workers who specialize in providing the support, administration, and maintenance necessary to ensure effective and efficient IT system performance and security.

  • Protect and defend: workers who are responsible for the identification, analysis, and mitigation of threats to internal IT systems or networks.

  • Investigation: workers who specialize in the investigation of cyber events and cybercrimes.

  • Collect and operate: personnel who are responsible for specialized denial and deception operations and for the collection of cyber-security information that may be used to develop intelligence.

  • Analysts: workers who are responsible for highly specialized review and evaluation of incoming cyber-security information to determine its usefulness for intelligence.

  • Oversight and development: workers who are responsible for providing leadership, management, direction and advocacy so that individuals and organizations may effectively conduct cyber-security work.

These categories, as presented by NIST, may not be fully in line with India’s cyber-security strategy. India should identify its professional cyber-security needs in a way that supports the technological advances India encourages. This requires staff work and long-term educational planning, which will include efforts at all levels of education, from early schooling to advanced academic programs, and across all the relevant cyber-security categories mentioned above. For example, the need to develop civil cyber defense requires the academic development of designated human resources; these will fill positions in the civil defense sector in technology development and in security consumer organizations, as well as national regulatory positions that will take part in formulating civil defense regulation.

Organization – Utilizing National Potential

Most organizations in India have naturally developed some involvement in cyberspace, and it is assumed that security organizations are building their own capabilities in cyberspace to support their basic tasks. However, there is work to be done in two dimensions:

The first is the need for a macro analysis of the nation’s cyber-security needs, and accordingly for building the nation’s cyber-security ecosystem and defining the roles and responsibilities of the various entities. As a good starting point, India’s government has already initiated the National Critical Information Infrastructure Protection Centre (NCIIPC), which is becoming more active and relevant. This should be followed by other bodies and initiatives that need to be established or enhanced:

  • A National Computer Emergency Response Team (CERT India), for the benefit of improved national co-ordination of cyber incidents and to act as a focal point for international sharing of technical information and feeds on cyber-security. A CERT unit also needs to include a national Security Operation Center (SOC), which will function as a hub for monitoring the network and detecting anomalies. A SOC is also responsible for issuing alerts to users and providing advice on best security practice. Such an entity has a great impact on the iterative cycle of the defense strategy, i.e. early warning, prevention, detection and response, as stated above. The establishment of a national CERT will promote India’s resilience to cyber-attacks and support its interests in cyberspace.

  • A national cyber-crime unit, which will further develop India’s capabilities to combat the threat from cyber criminals. Such a unit will make India a more secure place to do online business.

  • India also needs to consider developing initiatives that foster collaboration between government, industry, academia and law enforcement agencies, to better coordinate efforts to reduce cyber-crime. Such collaborations will raise awareness, improve reporting and help industry become more resilient to the threats.

  • Law enforcement capabilities need to be further developed to tackle cyber-crime and to enhance the confidence society requires to do business online and to use online services.

  • Initiatives for international cooperation will promote India’s objectives in cyberspace. These should include cooperation with UN committees, regional South Asia and Asia Pacific politico-economic unions, the Commonwealth of Nations and so on. India also needs to promote international cyber conferences. Such initiatives may help to shape an open, vibrant and stable cyberspace that supports the needs of the nation and of world society.

  • It is advisable to regulate who shall be responsible for providing protection guidance to the government ministries and authorities and to the exposed civilian sector.

  • India needs to run an awareness campaign reaching out to the private sector, in order to raise awareness of the threat and to encourage businesses to embed effective cyber-security risk management practices.

The above are a few examples of the cyber-security bodies, initiatives and missions required at the national level. It is highly important to plan India’s cyber-security organizational structure so that it maps to the objectives of the cyber-security strategy. This will make sure that all activities and cyber-security operations are aligned with the strategy.

The second dimension is the need to set the relationships between the organizations and the exact authority of each organization. Development of this area is the culmination of the force build-up process. This may be illustrated in the following schematic diagram:

Drills, Training and Assimilation

Drills are a core component of cyber-security force build-up. They generate know-how and enable organizations to better prepare themselves for various scenarios. Though operational drills usually address specific scenarios (such as BSP readiness, cyber-attacks, IT incidents, equipment failure and more), the know-how developed as a result of these drills always exceeds the narrow limits of the specific scenario. Typically, operational drills are conducted at all levels of the organization, up to the supreme command level. Security organizations routinely carry out training, exercises and drills. It is important to adopt the concept in the civilian sector, which is known to be the most exposed to damage caused through cyberspace.

National training programs should be established. They should focus on improving the knowledge that the civilian sector and individuals have of risks and vulnerabilities in cyberspace, on helping the public learn how to deal with intrusions on their computers and devices, and on encouraging and promoting the use of cyber-security resources and tools.

In addition, there should be an annual national cyber protection exercise featuring a scenario of several cyber-security incidents in a simulated environment, with the clear objectives of testing the escalation process and national-level coordination procedures. The exercise must challenge all pillars of the force build-up in order to regularly improve and enhance the national response. The exercise will also serve as a basis for the development of operational plans that will improve India's readiness.

An Overall View

The National Cyber-Security Strategy is the keystone of the national force build-up. Once it has been formulated, two main efforts need to be launched and synchronized: the development of technology and means, and the development of human resources. These two are funneled into organizations, each of which has a predefined responsibility (and authority) and is allocated resources such as budget, tools and people. Drills and exercises, in both the local and the national arena, shall be part of the strategy implementation. Of course, the government has to continuously monitor and synchronize the national force build-up process, take the required measures and make the necessary corrections.

In July 2013, India declared its National Cyber-Security Strategy. Now it is time to move to the next phase and develop a comprehensive force build-up process. India needs to set the key elements of planned activities over the short, intermediate and long term in support of the strategy. A strategy assessment process should be held to verify progress and make adjustments as necessary in response to changes in the technological and threat environment. This should be done on an iterative basis to make sure that a constant enhancement of the level of cyber-security is achieved. Implementation of such a process may move India to the next generation of cyber-security readiness and position it among the leading nations in cyber-security.

[1] Drafted by the Department of Electronics and Information Technology, Ministry of Communication and IT, Government of India. Full version can be found here

[2] See Organization – Utilizing National Potential paragraph for further elaboration.

[3] The National Cybersecurity Workforce, NATIONAL INITIATIVE FOR CYBERSECURITY EDUCATION (NICE), 2013

http://csrc.nist.gov/nice/framework/national_cybersecurity_workforce_framework_03_2013_version1_0_for_printing.pdf

