Policy Recommendations

1. Annual Revision of National Cyber Security Policy (NCSP) 2013. NCSP 2013 should be reviewed on an annual basis in view of the rapid pace of technology development and the dynamic cyber threat scenario. This policy should be translated into a time-bound action plan in consonance with the National Cyber Security Doctrine, and should clearly specify the responsibility for its execution and accountability. The policy, action plan, organisation and assured budgetary support must be discussed and approved by the Parliament to avoid any unaccounted delays.

2. Cyber Threat Intelligence Centre. India needs to have cyber analysis centres which collect attack data on various infrastructures, financial systems, web sites and services, and correlate “big data” generated from government with financial and commercial data to create patterns and suggest anomalies, for advance preventive actions.
3. Cyber Workforce Development. There is an urgent requirement to have a national plan to develop a cyber security workforce and an associated cadre. NCSP 2013 has set a target of five lakh skilled cyber resources in the non-formal sector for cyber security, and also of exploiting the business opportunity of providing services to global customers, by 2018. However, the same is way beyond execution. India must also lay emphasis on developing the “Science of Cyber Security”.

4. Cyber R&D. India needs focused R&D in the development of safe products; discovery and analysis of vulnerabilities; fixing attribution; and design of cyber weapons. Manufacturing and export of cyber security products presents a very attractive opportunity for India. There is also a need to establish a Cyber Policy Research Centre, a think-tank funded by the government/industry, for studying all facets of cyberspace and making policy recommendations to the government.

5. Security Standards and Frameworks, Audit. India needs to develop and promulgate cyber security standards and frameworks for development, and audit processes for assurance of protection of our NCII. Enabling policy measures are required to encourage the establishment of testing labs for managing ICT supply chain risks.

Organisational Level Changes

1. Raising Cyber Command.
(a) In order to effectively fight the cyber threat in general, and as part of Pakistan’s hybrid war on India, it is essential that the raising of the tri-services cyber command is completed at the earliest. The goal of the Cyber Command must be to ensure that India achieves and maintains a Strategic Cyber Deterrent. For the Defence Services, a Cyber Command on the lines of SFC is a must, which will coordinate the cyber activities of the three services. It will have three service components suitably structured to carry out both defensive and offensive operations. The command should have lateral linkages with the national-level cyber structures and ought to function in close coordination with them during peace and war.

(b) The Cyber Command should comprise not only elements of all three services but also personnel from DRDO and the scientific and technological communities with forensic and R&D capabilities. Cyber Command should work in close concert with NTRO, CERTs and other leading cyber security agencies already working in India. It should also endeavour to work with the space command, because many aspects may overlap; to economise effort during peacetime and in building the battlefield environment, it is prudent to work with synergy, coordination and integration.
34. Architecture. Cyber Command may be organised directly under the MoD as a sub-part of the Integrated Defence Staff, headed by a three-star general, due to the decisions of national importance and policy making involved at the apex level of national security in India. The previously organised and existing DIARA may be expanded to form the nucleus of Cyber Command.

75. Personnel. The Cyber Command will be the nucleus, with specialist tri-service Cyber Warriors duly selected and trained, and may recruit specialised personnel from the civil world. The civilians will also form part of the organisation but will be strictly under the command and control of Armed Forces officers and brought temporarily under the Army Act. Assistance may be taken from the group of ethical hackers in India when required.

67. Recommended Structure of the Organisation.

66. The role of various sub-departments should be defined as under:-

(f) Joint Information Warfare (IW) Group. This group should be mandated to carry out various activities under the Information Warfare domain, less Cyber Warfare, to include Psychological warfare,… etc. It should have both offensive and defensive capabilities.
(a) Cyber Protection Group. The group should be mandated to develop the cyber defence capability incorporating the existing CERT-ARMY, CERT-AF, CERT-Navy and DIARA.

(b) Cyber Deterrence Group. This group should be mandated with cyber offensive capabilities employing specially trained Cyber Warriors or Ethical hackers.

(c) Cyber Forensics Group. DRDO may be incorporated to form the hub of Cyber Forensic department.
(e) Cyber R & D Group. Cyber R & D may be formed by DRDO in collaboration with certain privately owned companies initially, but may later fully develop an independent R & D department.

2. Defence Cyber Agency (DCyA). In the interim period till the realisation of the Cyber Command, it is proposed that a Joint Cyber Agency, with representatives from the tri-services as well as civilian personnel, be formed at the IDS level. The organisational structure at the IHQ of MoD level should remain the same, with Cyber Defence Teams deployed at Command and Corps level till such time as the offensive capabilities are developed in-house.

3. Anti-Insider Threat Measures. Insider threats arise when a person with authorized access to Defence Forces resources, including information, networks, systems, equipment and facilities, uses that access to harm the cyber-footprint of the Forces. Proactive compliance should protect against these threats, provided it is based on threat detection programs that can identify the source of the attack before it matures. Audit trails of network operations can also be used to identify how the threat is operating, and can be used to make better compliance policies in the future.

5. User Awareness. Though there is an increased awareness amongst the armed forces on the issue of cyber security, there is still a lot desired in the