India’s National Cybersecurity Strategy Awaiting ApprovalLt. Gen. Pant: Why India Needs a Cybersecurity Strategy; What It Plans to Accomplish
India’s new cybersecurity strategy is about to be rolled out, according to Lt. Gen. Rajesh Pant, national cybersecurity coordinator at the Prime Minister's Office in the Government of India, who made the announcement on Microsoft's "Expert Speak" last Friday.
"We've been working on framing the new strategy for the last two years. The strategy is now in the cabinet for the final stamp," Pant said.
During Information Security Media Group's Fraud and Breach Summit 2019, Pant stated that the security framework required for India's cybersecurity strategy had been created and all that remained was the rollout and implementation.
In his discussion on "Expert Speak" with Keshav Dhakad, who is Microsoft India's general counsel, the retired Indian Army lieutenant general said what the country needs first is a governance structure. "By and large, the framework is in place, but there's no apex organization that oversees the allocation of roles and responsibilities," he said.
According to Pant, one of the major deliverables of the new cybersecurity strategy is to identify and appoint regulatory authorities for different entities, such as the Computer Emergency Response Team, or CERT-In, the Cyber Crime Coordination Center, the Defense Cyber Agency and the National Critical Information Infrastructure Protection Center, or NCIIPC.
Pant said that although India has a national cybersecurity policy in place, what the country needs is a cyber strategy. "The difference between a strategy and a policy is that the former is an action-oriented plan. It defines the objective. It tells us who will deliver the objective and the funding and timeline for achieving the objective," he said.
Moreover, growing internet penetration in rural India is making citizens who are less aware of cyberthreats vulnerable to newer forms of cyberattacks and cyber fraud. "A large number of private entities which are part of India's critical infrastructure - like power and telecom sectors - are also being targeted by nation state cyberattacks," Pant pointed out. And this is another reason the government needs to step in to help protect the industry, he said.
Highlighting the current threat landscape in India, Pant said that government entities face nearly 20% of all cyberattacks in India. Banking and finance comes in at a close second, followed by the IT sector.
India's Cybersecurity Road Map
In addition to establishing an apex regulatory body, Pant said the new strategy also addresses the various architectural requirements needed to achieve the objectives defined by the strategy.
Pant said that, for example, if one were to report malware today, people would go to the private sector-owned VirusTotal website. The problem, he explained, is that VirusTotal now has all the data about malware in India and the target organizations. This, he believes, is not good for national security.
"So, we've created our own national malware report. It's in the final phase of beta-testing and we've already got 75 million samples in the repository, so it's going to be as good as VirusTotal," he said.
Pant stated that the government is working toward creating a national threat intelligence exchange, with the objective of gathering all threat intelligence in a single place and distributing it among various organizations and government bodies.
In addition, Pant explained how the National Cyber Coordination Center project will be able to provide security at the gateways: "If there are 200 internet gateways from all the service providers, there will be probes at each of these gateways which will be reading only the metadata. The metadata will reveal the IPs and data packets and their source and destination. With this information, threats can be predicted."
So, he suggested, if there are many packets going to one particular IP address, one can presume it's likely a distributed denial-of-service - or DDoS - attack.
Recent Accomplishments in Cyber
Pant said that Indian cyber agencies have made significant achievements in the recent past.
He said that CERT-In is doing an excellent job in incident response. "The Indian Cyber Crime Coordination Center, in the last year, has also done a fantastic job in dealing with cybercrime through threat analytics and digital forensics," he added.
Pant talked about how the Ministry of Electronics and Information Technology is providing educational awareness. He said the Ministry of External Affairs has established a division on cyber diplomacy, a defense cyber agency has been created to secure Indian defense establishments, and the NCIIPC has been set up to protect the country's critical assets.
Pant revealed that CERT-In has recently become a CVE-numbering authority after being accredited by the MITRE ATT&CK Framework.
He also said that in addition to the telecom sector, the Ministry of Power deserves credit for establishing a Security Operations Center in each of its sectors, from power generation to distribution.
"The two super critical sectors have been able to tackle and mitigate a lot of targeted attacks in the recent past," he said.
In addition, India's Central Electricity Authority recently issued Cyber Security in Power Sector Guidelines 2021 for organizations in the power sector to secure OT systems, create a cyber assurance framework, strengthen cyber risk assessment and improve incident response and reporting.