Comments to National Security Council on National Cybersecurity Strategy 2020
CIS submitted brief comments to the National Security Council on the National Cybersecurity Strategy within the 5000 character limit provided. CIS will continue producing outputs building on these ideas.
Approach and Key Principles:
India’s 2020 strategy will need to account for key vectors that have come to define cyberspace, including:
- Increased power held by non-state actors - both private corporations and terrorist groups
- Augmented capacity of states to use cyberspace as a tool of external power projection - both through asymmetric warfare, and alleged interference via the spread of misinformation
- The progression of norms formulation processes in cyberspace that have failed to attain consensus due to disagreement on the application of specific standards of International Law to cyberspace.
- Legality: Capabilities, measures, and processes for cyber security must be legally defined and backed.
- Necessity and Proportionality: Any measure taken for the purpose of ‘cyber security’ that might have implications for fundamental rights must be necessary, and proportionate to the infringement.
- Transparency: Transparency must be a key principle with clear standards to resolve situations where there is a conflict of interests.
- Accountability and Oversight: Capabilities, measures and processes must be held accountable through capable and funded bodies and mechanisms.
- Human Rights: Security of the individual, the community, society, and the nation must be achieved through promoting a ‘feeling of being secure’ that must stem from a rights-respecting framework.
- Free and fair digital economy: Pursue both domestic and geo-strategic policies and actions that enable a free and fair digital economy.
The strategy should be based on the following:
- Evidence based: Regular audits of the state of cyber security in India to inform action and policy.
- Appropriate metrics: Key metrics are needed to measure, track, and communicate cyber security in India.
- Funding: Funding for cyber security needs to be built into the budget.
Pillars of Strategy
Secure
Key Defensive Measures: Technical defense measures such as:
- Testing and auditing of hardware and software
- Identification of threat intelligence vectors and existing vulnerabilities, particularly in systems designated as Critical Information Infrastructure (CII)
- Outline scenarios in which retaliatory operations may be taken and their nature, scope and limits
Designing a credible deterrence strategy, which includes:
- Articulation of the nature, scale and permissible limits of retaliatory or escalatory measures undertaken AND
- An exposition of how this matches with the application of key tenets of International Law in cyberspace
Offensive Measures: If India pursues cyber offensive capabilities, this must be done in accordance with the principles articulated above. This includes ensuring that the surveillance regime in India is in line with international human rights norms.
Emerging Technologies: Emerging technologies must meet high security standards before they are scaled and deployed. Creation of sandboxes should not be an exception.
Developing attribution capabilities: If India pursues attribution capabilities, this must be through multi-stakeholder collaboration, should not risk military escalation, and must demonstrate compliance with evidentiary requirements of Indian criminal law and requirements in International Law on State Responsibility.
Process for response: Define clear roles for the response protocol to a cyber attack including detection, mitigation and response.
Strengthen
Regulatory Requirements
- Legal and Technical Security Standards: Develop harmonised and robust legal and technical security standards across sectors for crucial issues - encryption, breach notifications, etc. Promote industry-wide adoption of standards developed by BIS and encourage participation at standard-setting fora.
- Cross border sharing of data: Focus on a solution to the MLAT process - potentially including the negotiation of an executive agreement under the CLOUD Act.
Coordinated Vulnerability Disclosure: Improve the processes for disclosing security vulnerabilities to the Government by stakeholders outside the government.
Incentives: Develop incentives for strong cyber security practices such as cyber insurance programmes, certifications and seals, and tax incentives.
Education and End User Awareness: Develop solutions to aid users to understand and manage their digital security.
Harmonization and interoperability: Harmonize legislation, legal provisions, and department mandates and processes related to cyber security.
Synergise
Engage in processes at the regional and global level to prevent potential misunderstandings, define shared understandings, and identify areas of collaboration. This can take place through:
- Norms: Clarify India’s understanding of the applicability of international law to cyberspace, engage in norms processes, and contribute to the articulation of a development dimension for cyber norms.
- CBMs: Focus on political and legal measures around transparency, cooperation, and stability in the region and globally.