The Telangana IT industry has been facing hostilities recently, with news reports suggesting that over fifty technology companies have faced cyberattacks over the past month. This followed the surgical strikes carried out near the Pakistan border by the Indian Army. The Society for Cyberabad Security Council (“SCSC”), a collaborative venture between the Cyberabad Police Commissionerate and the IT industry, has reported a spate of ransomware attacks through various international servers, with the source of the attacks being traced to Pakistani hackers. The SCSC also noted that while there had been few direct reports of security breaches, information was received from private cybersecurity firms approached by the companies.
These incidents, coming as they do in the wake of increased cyberattacks throughout India (including the recent hacking of the National Green Tribunal’s website), highlight the need for both comprehensive cybersecurity legislation and practical measures to safeguard India’s internet communication technology (“ICT”) resources. Telangana, India’s newest state, recently released a cybersecurity policy to this end, making it India’s only state with such a policy.
Part I of this two-part series focused on the features of Telangana’s Cyber Security policy (“the policy” or the “CS policy”), released on the 15th of September 2016. This policy was released as part of a suite of ICT policies and other initiatives targeting the growth of the IT sector in the state. This post seeks to critically analyse the CS policy, as well as to understand necessary forthcoming developments in the regulatory framework for cybersecurity around India.
The Telangana government introduced the CS policy citing increased cybersecurity needs in the context of global cyber warfare. As seen from the recent attacks on Telangana’s IT companies, this is a pressing concern. This issue is especially important given the clear skepticism around approaching governmental bodies with cybersecurity issues – as revealed by the fact that in the attacks referenced above, the affected entities chose to approach private cybersecurity companies rather than government bodies. The reluctance to engage with official mechanisms on cybersecurity is a problem that also has major repercussions for IT users. This is because, given the lack of data breach notifications in India, communications may be compromised without news of any problems ever reaching the public domain or the government. A strong and reliable governmental monitoring agency which can offer assistance in case of such attacks is an imperative need, along with protections for users whose data has been compromised.
Cyber law and related legislation
The CS policy seeks to create strengthened grievance redressal mechanisms for crimes against women. While this is admirable, the suggestion that the aim of the State is to create an internet free of pornography (where not child pornography) is an impingement on the freedoms of adult users. This debate has already been conducted at the Central level, where large-scale blocks of pornographic websites were rolled back following public uproar.
The policy addresses school-level training in cybersecurity issues and general cybercrime awareness, as well as individual certification programmes and research centres for specific areas of cybersecurity. However, it does not address the issue of actually creating cybersecurity experts through broad-based training in specific courses at the tertiary education level. The failure to create cybersecurity as an arena of professional specialization at the bachelor’s degree level, and the reliance instead on short-term certifications and narrowly focused research, may create shallow knowledge pools in this area. This is problematic given the state’s focus on developing cybersecurity expertise, and the forecasted countrywide requirement for over a million cybersecurity experts by 2025.
Integration with other policies
The CS policy has been released alongside a host of other ICT policies, many of which refer to issues that will have direct bearing on cybersecurity – notably, smart cities and the internet of things. However, the CS policy does not explicitly discuss the linkages between itself and the other frameworks sought to be put in place, and there appears to be no overarching body which would co-ordinate between the various policies. There is also relatively little engagement with the central regulatory framework on cybersecurity, including the IT Act and the National Cyber Security Policy 2013.
Policy framing and realization
The draft CS policy was not opened to public comment (although news reports suggest that expert opinions were sought) and there is no indication that general public participation will be solicited in the operationalization of the policy. Further, no timeline for policy implementation has been provided. Given the number of cybersecurity initiatives being undertaken in the state, a deficient regulatory framework and a non-existent coordinating nodal agency (i.e. the proposed T-CERT) may prove detrimental to the structured development of the cybersecurity industry.
The CS policy is ambitious in scope and vision, and has the potential to create a robust cybersecurity culture. However, concerns about the implementation of the policy and its integration with national and other state policies remain. Nevertheless, in terms of industry incentives, the CS policy looks favorable and the state focus on IT makes it likely that the industry will flourish.