By Shuchita Thapar
The Telangana government has over the past year made information technology (“IT”) a major focus area for development. It aims to double IT exports within a period of five years. It has, to this end, created a single-stop online clearance mechanism for companies. Amongst other activities, it has also signed MoUs and letters of understanding to develop smart cities, data centres and digital platforms with various multinational companies and governmental bodies.
These industry advances are in addition to strong push towards creating a robust regulatory framework for IT in India’s youngest state. The state government released its Cyber Security policy (“the policy” or the “CS policy”) on the 15th of September 2016, along with policies on data analytics, data centres and open data. These follow the April release of policies and incentives relating to Information and Communication Technology (ICTs), rural technology centres, innovation, electronics and gaming. The Telangana government has also announced that policies regarding the Internet of Things (IOT) and smart technologies, and e-waste will be released within two months.
The release of this policy makes Telangana India’s first state to have its own cybersecurity policy, following the central government’s National Cyber Security Policy of 2013. This post intends to set out the major features of the policy. These will be comprehensively critiqued in the second post of the series.
The CS policy has been introduced in the backdrop of increasing cybersecurity and cyber war threats worldwide. The policy specifically references the 2016 Bangladesh Bank cyber-heist. In the Bangladesh heist instructions to withdraw nearly USD 1 billion were issued by hackers (of which instructions of over USD 100 million went through). It also mentions the 2015 attack on Ukraine’s critical information infrastructure which disabled electricity for over 230,000 people. The IT Minister of Telangana speaks of creating an army of “cyber warriors” to combat such threats. The policy however, remains mainly trade and export focused, as is perhaps appropriate for a state policy. According to the state government the policy is a statement of intent from Telangana government, which is actively seeking interested partners to work on cyber security issues and further deploy tools developed worldwide.
The four main focus areas of the policy are:
- The legal and regulatory framework
- Compliance and enforcement framework
- Compliance building and cybersecure culture framework
- Business development framework
This post will briefly cover the government’s suggestions under each of these focus areas, as well as incentives promised for the growth of the cybersecurity industry.
Legal and Regulatory Framework
The government has expressed its intent to create more robust legislation in the area of cybersecurity, after seeking assistance from domestic and international legal experts. This includes expanding non-cyber specific legislation to include the possibility of cyber activity in fields such as copyright, defamation, national security/sedition and anonymity. To this end, Telangana has already established the Telangana Intellectual Property Crime Unit (“TIPCU”) to act specifically on concerns relating to IP crime. The government has also indicated its intent to strengthen its current cybercrime cell, as set up under the IT Act, 2000.
The government has expressed its intent to create a cyberspace free of pornography (which may be a cause of concern generally, following last year’s large-scale blocks by the central government under Section 79 of the IT Act). It has conflated this category with child pornography, cyber bullying and sexual harassment.
A digital forensics lab is to be set up to analyse and investigate cybercrime, in addition to a data recovery lab and a digital evidence preservation facility. This will be accompanied by capacity building to create data experts who can work with digital forensics.
Compliance and Enforcement Framework
Recognising that absolute cyber-safety is an impossibility, the government has sought to institutionalise a risk-based approach to critical information infrastructure protection, where response to a threat is based on the risk posed by the threat. The government also intends to formulate a critical information infrastructure protection plan as well as set up a think-tank with the help of private and other stakeholder participation.
The policy sets out the aim of the state to create an apex nodal agency T-CERT (on the lines of CERT-IN) to act as the state’s contact point in relation to cybersecurity, with the ability to respond to major incidents, analyse threats, and exchange information. T-CERT will be responsible for liasing with stakeholders, and setting up an emergency response division to run around the clock and monitor the cybersecurity situation in the state.
The state will seek to formulate an appropriate business continuity plan as well as issue and procure cyber insurance. An information sharing and analysis centre is to be set up to share actionable information and analyse trends, and promote open standards and procurement of safe ICT products. The government will support (and may, for SMEs, facilitate) implementation of information security and management systems statewide. In addition to this, an ICT Security Assessment Facility will be set up to assist in product certification and compliance assessment of all ICT products linked to critical information infrastructure using the common criteria for information technology security evaluation.
Capacity Building and Cybersecure Acculturation Framework
The government will focus on creating capacity at multiple levels, by training auditors, policy workers, data management experts, cyber experts and forensic experts to provide cybersecurity related services. Various Centres of Excellence are to be set up to boost research, in addition to research projects to address day-to-day issues faced by the government. The cybersecurity curriculum at the master’s level is also to be revamped. As part of the cybersecurity acculturation process, a comprehensive awareness campaign, as well as school-time cybersecurity education will be undertaken.
Business Development Framework
The business development framework includes creating a start-up incubator for cybersecurity startups. The framework also suggests establishing a venture capital structure for the government to invest in such startups. An annual exhibition will be held to promote indigenously developed products, and SMEs will be awarded a certain percentage of cybersecurity products. The government also intends to enter into several strategic partnerships with the private sector, international agencies and various service providers.
In addition to various incentives designated for all IT companies, a number of specific cybersecurity incentives have been designated. These include subsidized technology, assistance in procurement, lease subsidies, exhibition subsidies, matching grants to those provided by the government of India, recruitment assistance, R&D grants, internet costs and patent-filing costs.
Although Telangana’s cybersecurity policy is nascent, it is ambitious in vision, with multiple bodies to be established and cities around the state to be utilized for development of the IT industry. It remains to be seen whether these efforts are successful and Telangana succeeds in branding itself the cybersecurity hub of India. The significant incentives given to the industry are likely to invite at least some initial investment. However, whether this first-mover’s advantage can be sustained, and whether the promises of the policy can be fulfilled (especially in light of the political instability that has been an unfortunate feature of the creation of the state) will be revealed over time.
Shuchita Thapar is a Project Manager at the Centre for Communication Governance at National Law University Delhi