The government has developed a new cyber security policy in response to an increase in malware attacks on critical sectors such as hospitals and oil companies.
On Monday, the national cyber security coordinator, Lt Gen (Retd) Rajesh Pant, announced that the National Cyber Security Reference Framework (NCRF) 2023 has been approved and will be made public.
Pant stated at an event that the NCRF policy will provide “strategic guidance” to critical sectors such as banking, energy, and others to address cybersecurity concerns.
“At the moment, there is no system in place to advise organizations, particularly those in critical sectors, on the best practices for developing cyber secure systems.” Recently, there have been large-scale attacks, such as those on Oil India, a group in Nagpur, and a Tata Power plant. “These are all critical sector entities,” he said.
He went on to say that the government has designated seven sectors as critical: telecom, power and energy, banking and financial services, transportation, strategic enterprises, government enterprises, and healthcare.
NCRF “has been created to provide organizations with strategic guidance to help them address their cyber security concerns in a structured manner,” he said.
Pant announced at the India Digital Summit 2023 on February 20 that the framework, formerly known as the National Cyber Security Strategy 2023, would be published soon. He also stated that the policy will be based on the concept of shared but differentiated responsibility (CBDR).
According to industry experts, NCRF 2023 is the first follow-up to the Ministry of Electronics and Information Technology’s (Meity) National Cyber Security Policy 2013, which was due for an update and sought to provide enterprises with best practices and guidelines for preventing cyber attacks.
“The 2023 National Cyber Security Strategy is a broad policy document that will lay out the entire legal framework, as well as other aspects.” It will not only provide legal guidelines but will also represent the position that India wishes to take — taking into account all aspects, whether operational or technical,” said NS Nappinai, Supreme Court lawyer and founder of Cyber Saathi.
Nappinai added that the policy will differ from directives issued by the Indian Computer Emergency Response Team (Cert-In), which Meity published on April 28. The latter is Meity’s most recent cybersecurity regulation, which imposed a six-hour deadline for companies to report cyber incidents, failing which companies would face penalties under Section 70B of the Information Technology Act, 2000.
According to Pawan Duggal, a Supreme Court lawyer, the Framework document may not have any legal implications in terms of improving India’s cyber security environment.
“A framework, in general, is nothing more than a collection of good practices that, for the most part, do not carry any kind of penal consequences.” As a result, the crux is that if you don’t follow a framework, nothing happens. “This may not be a good approach to begin with if legal ramifications with cyber security best practices are not imposed,” Duggal said.
In light of incidents such as the cyber attack on All India Institute of Medical Sciences (Aiims) on 23 November last year, and the reported data breach on the Center’s covid-19 vaccination platform, Cowin, on Monday, he added that approaching dedicated regulations for cyber security is critical.
“As a data economy, we’re constantly bleeding, and if we can’t come up with appropriate legal frameworks, we can’t enforce the rule of law.” Any other approach is unlikely to have a significant impact in the absence of a legal implication,” Duggal added.
