Centre for Internet & Society
Information security policy on govt agenda

Former minister of state for communications and information technology Sachin Pilot told Parliament recently that between December 2011 and February 2012, a total of 112 government websites had been hacked. Photo: Pradeep Gaur/Mint

As an increasing quantity of sensitive information is transmitted through electronic channels, the government is considering putting in place an internal information security policy to reduce the risk of leaks and counter possible cyber attacks, said three government officials involved in discussions on the proposal.

Surabhi Agarwal's article was published in LiveMint on November 6, 2012. Sunil Abraham is quoted.


The policy will include new guidelines on top of the standards set out by the Official Secrets Act, 1923, and mandate safeguards for each category of information on how it should be transmitted, stored and preserved. The categories are “top secret”, “secret”, “confidential”, “restricted” and “official use only”.

Experts argue that given the easy portability of such information and its vulnerability to hackers, the policy should have been in place much sooner.

The Official Secrets Act seeks to protect sensitive information including official communications, sketch plans, documents and other information pertaining to government functioning. Gaining wrongful access to information deemed to be an official secret or unauthorized use of such information are regarded as offences.

Given that the law was enacted almost a quarter century before independence, it had no provisions to deal with electronic transmission of such information made possible by technological advances in subsequent decades, said cyber expert Pawan Duggal.

One of the three government officials cited above said the aim of the proposed internal information security policy is to protect classified information that’s transmitted electronically much as it is done currently in the paper format.

"As more information is getting transmitted in the electronic format, we have to put in place procedures, guidelines, policies and standards for protecting that information in the electronic format," the official said.

A third government official, who also didn’t want to be identified, said that every government official would have to follow standard procedures in electronic transmission of information.

“The moment one’s computer is connected to the Internet, it is part of a global network, so attackers in the cyber space know which information can be stolen from where if the necessary deterrents are not in place,” the official said.

Sensitive information such as tax matters and intellectual property issues is among the information transmitted electronically by government offices; if leaked, it can have market implications as well as an impact on governance, experts said.

“The government leaks like a sieve,” said B.G. Verghese, a visiting professor at New Delhi-based Centre for Policy Research.

“This is a step and they are trying to lay some ground rules to regulate a process that fits in with concepts of law, good governance, Constitution, privacy and prevents any wrongdoing,” Verghese said.

The proposed policy, when put in place, will be a step forward so long as it does not dilute the powers available to citizens under the Right to Information Act, said Sunil Abraham, executive director of Bangalore-based research organization Centre for Internet and Society.

Currently there are several concerns centred on electronic transmission, including questions about who is responsible for information, especially its unauthorized use. “This could help establish an audit trail,” Abraham said.

The first government official quoted above stressed that although cyber security and information security cut across each other, the two concepts are different.

“Cyber (security) is basically about devices and networks, whereas information security is very particularly about the information which travels on the net,” this official said. Reinforced cyber security will be an additional benefit once the information security policy comes into force, he said.