Centre for Internet & Society

Comments to National Security Council on National Cybersecurity Strategy 2020

CIS submitted brief comments to the National Security Council on the National Cybersecurity Strategy within the 5000 character limit provided. CIS will continue producing outputs building on these ideas.

Approach and Key Principles:

India’s 2020 strategy will need to account for key vectors that have come to define cyberspace including:

  • Increased power held by non-state actors - both private corporations and terrorist groups
  • Augmented capacity of states to use cyberspace as a tool of external power projection-both through asymmetric warfare, and alleged interference via the spread of misinformation
  • The progression of norms formulation processes in cyberspace that have failed to attain consensus due to disagreement on the application of specific standards of International Law to cyberspace.
 
The 2020 framework should  be grounded in:
  1. Legality: Capabilities, measures, and processes for cyber security must be  legally defined and backed. 
  2. Necessity and Proportionality: Any measure taken for the purpose of  ‘cyber security’ that might have implications for fundamental rights  must be necessary, and proportionate to the infringement.
  3. Transparency: Transparency must be a key principle with clear standards to resolve  situations where there is a conflict of interests.
  4. Accountability and Oversight: Capabilities, measures and processes must be held accountable through capable and funded bodies and mechanisms.
  5. Human Rights:  Security of the individual, the community, society, and the nation must be achieved through through promoting a ‘feeling of being secure’ that must stem from a rights-respecting framework.
  6. Free and fair digital economy: Pursue both domestic and geo-strategic policies and actions that enable a free and fair digital economy. 

 

The strategy should be based on the following:

  1. Evidence based: Regular audits of the state of cyber security in India to inform action and policy.
  2. Appropriate metrics: Key metrics are needed to measure, track, and communicate  cyber security in India.
  3. Funding: Funding for cyber security needs to be built into the budget.
 

Pillars of Strategy

Secure

Key Defensive Measures: Technical defense measures such as:

  • Testing and auditing of hardware and software
  • Identification of threat intelligence vectors and existing vulnerabilities, particularly in systems designated as Critical Information Infrastructure (CII)
  • Outline scenarios in which retaliatory operations may be taken and their nature,scope and limits

Designing a credible deterrence strategy, which includes:

  • Articulation of the nature, scale and permissible limits of retaliatory or escalatory measures undertaken AND
  • An exposition of how this matches with  the application of key tenets of International Law in cyberspace

Offensive Measures: If India pursues cyber offensive capabilities, this must be done in accordance with the principles  articulated above. This includes ensuring that the surveillance regime in India is inline with international human rights norms.

Emerging Technologies: Emerging technologies must meet high security standards before they are scaled and deployed.  Creation of sandboxes should not be an exception.

Developing attribution capabilities: If India pursues attribution capabilities,  this must be through multi-stakeholder collaboration, should not risk military escalation, and must demonstrate compliance with evidentiary requirements of Indian criminal law and requirements in International Law on State Responsibility.

Process for response: Define clear roles for the response protocol to a cyber attack including detection, mitigation and response.

Strengthen

Regulatory Requirements

  • Legal and Technical Security Standards: Develop harmonised and robust legal and technical security standards across sectors for crucial issues - encryption and breach notifications etc. Promote industry wide adoption of standards developed by BIS and encourage participation at standard setting fora.
  • Cross border sharing of data: Focus on a solution to the MLAT process - potentially including the negotiation of an executive agreement under the CLOUD Act.

Coordinated Vulnerability Disclosure: Improve the processes for disclosing security vulnerabilities to the Government by stakeholders outside the government.

Incentives: Develop incentives for strong cyber security practices such as cyber insurance programmes, certifications and seals, and tax incentives. 

Education and End User Awareness: Develop solutions to aid users to understand and manage their digital security.

Harmonization and interoperability: Harmonize legislation, legal provisions, and department mandates and processes related to cyber security.

Synergise

Engage in processes at the regional and global level to prevent potential misunderstandings, define shared understandings, and identify areas of collaboration. This can take place through:

  • Norms: Clarify India’s understanding of the applicability of international law to cyber space and engage in norms processes and contribute to the articulation of  a development dimension for cyber norms.
  • CBMs: Focus on political and legal  measures around transparency, cooperation, and stability in the region and globally.
 

 

The views and opinions expressed on this page are those of their individual authors. Unless the opposite is explicitly stated, or unless the opposite may be reasonably inferred, CIS does not subscribe to these views and opinions which belong to their individual authors. CIS does not accept any responsibility, legal or otherwise, for the views and opinions of these individual authors. For an official statement from CIS on a particular issue, please contact us directly.

Meta

  • 13 January, 2020

Author

Elonnai Hickok and Arindrajit Basu

Blog

Events

Funded by

 

Offices

Bengaluru: #32, 1st Floor, 2nd Block, Austin Town, Viveka Nagar, Bengaluru, Karnataka 560047.

 

null

 

Support Us

Please help us defend citizen and user rights on the Internet!

You may donate online via Instamojo. Or, write a cheque in favour of ‘The Centre for Internet and Society’ and mail it to us at Ground Floor, No 173, 9th Cross, 2nd Stage, Indiranagar, Bangalore 560038. These charitable contributions will be towards the Institutional Corpus Fund of the Centre for Internet and Society.

Follow our Works

Newsletter: Subscribe

researchers@work blog: medium.com/rawblog

Twitter (CIS): @cis_india

Twitter (CIS-A2K): @cisa2k

Instagram: @cis.india

Youtube: Centre for Internet and Society

Request for Collaboration

We invite researchers, practitioners, artists, and theoreticians, both organisationally and as individuals, to engage with us on topics related internet and society, and improve our collective understanding of this field. To discuss such possibilities, please write to us at communications[at]cis-india[dot]org with an indication of the form and the content of the collaboration you might be interested in.

In general, we offer financial support for collaborative/invited works only through public calls.

About Us

The Centre for Internet and Society (CIS) is a non-profit organisation that undertakes interdisciplinary research on internet and digital technologies from policy and academic perspectives. The areas of focus include digital accessibility for persons with disabilities, access to knowledge, intellectual property rights, openness (including open data, free and open source software, open standards, open access, open educational resources, and open video), internet governance, telecommunication reform, digital privacy, and cyber-security. The research at CIS seeks to understand the reconfiguration of social processes and structures through the internet and digital media technologies, and vice versa.

Through its diverse initiatives, CIS explores, intervenes in, and advances contemporary discourse and regulatory practices around internet, technology, and society in India, and elsewhere.

© Centre for Internet & Society

Unless otherwise specified, content licensed under Creative Commons — Attribution 3.0 Unported.