This is an edited excerpt of Part V and Annexure ‘C’ of CCG’s Comments to the National Security Council Secretariat on the National Cyber Security Strategy 2020 (NCSS 2020). The full text of the Comments can be accessed here.
Note on Research Methodology
CCG compiled the data on allocations (budgeted and revised) and actual expenditure from the Demands for Grants of Ministries as approved by Parliament and presented in the Annual Expenditure Budget of various ministries and their respective departments which are related to cybersecurity from FY 2013-17 to FY 2019-20.
The departments have been identified from publicly available information represented in the organograms presented as Annexure ‘B’. We understand a ‘relevant department’ to mean those departments which are either directly related to cybersecurity and/or support the functioning of the technical and security aspects of internet governance at large.
We have then identified those budget heads under the Union Budgets for FY 2013-14 through FY 2019-2020, which correspond most closely to the departments identified and highlighted in Annexure ‘B’ to calculate the total allocation to ministries for cybersecurity-related activities. We then analyse this data in under four broad categories:
(I) Department Wise Allocation: The departments that are directly related to the expenditure for cybersecurity are calculated under this heading. Various expenditures under Ministry of Electronics and Information Technology (MEITY), Department of Telecommunication (DOT), and Ministry of Home Affairs are tabulated for this.
Under MeitY, we have included the budget heads for
- Computer Emergency Response Team (CERT-IN),
- Centre for Development of Advanced Computing (C-DAC),
- Centre for Materials for Electronics and IT (C-MET),
- Society for Applied Microwave Electronics Engineering and Research (SAMEER),
- Standardization Testing and Quality Certification (STQC),
- Controller of Certifying Authorities (CCA), and
- Foreign Trade and Export Promotion and
- Certain components of the Digital India Initiative, namely:
- Manpower Development,
- National Knowledge Network,
- Promotion of electronics and IT HW manufacturing,
- Cybersecurity projects (which includes National Cyber Coordination centre and others),
- Research and Development in Electronics/IT,
- Promotion of IT/ITeS industries,
- Promotion of Digital Payment, and
- Pradhan Mantri Digital Saksharta Abhiyan (PMGDISHA).
Under Ministry of Communication, our focus was only on the Department of Telecommunication. We considered the budget allocated to the following, to come up with the total Department budget. These heads are:
- Telecom Regulatory Authority of India (TRAI),
- Human Resource Management under National Institute of Communication Finance,
- Wireless Planning and Coordination,
- Telecom Engineering Centre,
- Technology Development and Investment Promotion,
- South Asia Sub-Regional Economic Cooperation (SASEC) under Information Highway Project,
- Telecom Testing and Security Certification Centre,
- Telecom Computer Emergency Response Team,
- Central Equipments Identity Register (CEIR),
- 5G Connectivity Test Bed,
- Promotion of Innovation and Incubation of Future Technologies for Telecom Sector,
- Centre for Development of Telematics (C-DoT), and
- Labour, Employment and Skill Development.
Under Ministry of Home Affairs, the funds allocated for the following budget heads have been included:
- Education, Training and Research purposes,
- Criminology and Forensic Science,
- Modernisation of Police Forces and Crime and Criminal Tracking Network and Systems (CCTNS),
- Indian Cyber Crime Coordination Centre, and
- Technical and Economic Cooperation with Other Countries.
All these budget heads were tabulated to come up with the total for department wise allocation. Along with departments mentioned under ‘Supporting Departments’, all these departments were again classified on the basis of their functions and activities, and analysed under (III).
(II) Supporting Department Wise Allocation: While certain expenditures of the Ministry of Defence, Ministry of External Affairs, Department of Telecommunication, and Ministry of Home Affairs can potentially be used for cybersecurity-related activities, but it it is not possible to infer from the Demands for Grants, the share of cyber in the total allocation, we have treated them as ‘allocations to supporting departments’. In this data, the total funds indicated may not be directly related to cybersecurity efforts, but they contribute towards the larger security and governance framework, which enables the creation of a secure ecosystem for cyber. These headings are tabulated under this section.
Under Ministry of Defence, the following heads were considered to contribute towards the larger security and governance framework in cyberspace:
- Navy/Joint Staff,
- Ordnance Factories R&D,
- Research and Development, including the Research and Development component of R&D head,
- Capital Outlay on R&D, and
- Technology Development and Assistance for Prototype Development under Make Procedure
Under Ministry of External Affairs, we considered the following heads as important contributors:
- The Special Diplomatic Expenditure,
- Expenditure for International Cooperation,
- Expenditure for Technical and Economic Cooperation with other Countries, and
- Other Expenditure of Ministry
Under Department of Telecommunication again, there were several heads that we considered not to be directly related to cybersecurity, but they did significantly contribute towards it. These include allocations for
- Defence Spectrum,
- Capital Outlay on Telecommunication and Electronic Industries,
- Capital Outlay on Other Communication Services, and
- Universal Service Obligation Fund (USOF)
Under Ministry of Home Affairs, the departments that are involved with defence and intelligence along with law enforcement are important to be considered for cybersecurity. Thus we included the allocations for
- Intelligence Bureau,
- Delhi Police, and
- Capital Outlay on Police.
(III) Activity Wise Allocation: For further analysis, we have categorized the expenditures mentioned in Department Wise Allocation into five categories, each of which have been identified as constituent elements of the three Pillars of Strategy namely:
- Human Resource Development Component (Strengthen)
- Technical Research & Development Component, Capacity Building (Strengthen/Synergize)
- International Cooperation and Investment Promotion Component (Secure/Synergise)
- Standardisation, Quality Testing and Certification Component (Strengthen)
- Active Cyber Incident Response/ Defence Operations and Security Component (Secure/Strengthen)
The total for these are calculated to identify if any trends or patterns emerge in expenditure by the ministries. Apart from the ministries covered in classifications (I) and (II), we have also included budgets of two other heads/departments. Namely, these are (i) the allocation towards corporate data management under the authority of the Ministry of Corporate Affairs, which has been included in category (5) indicated above and (ii) the allocation towards technical and economic cooperation with other countries for the Department of Economic Affairs under the Ministry of Finance, which has been included in category (3) indicated above.
(IV) Ministries share over Financial Year: The total value tabulated in Department wise allocation and supporting department wise allocation for the ministries is then used to calculate the share of budget allocated to Cyber Security and related activities with respect to the total budget allocation of ministries. The ministries taken into account, which contribute significantly to Cyber Security and related activities are:
- Department of Telecommunication (under the Ministry of Communications),
- Ministry of Defence,
- Ministry of External Affairs,
- Ministry of Electronics and Information Technology,
- Ministry of Home Affairs, and
- Department of Science and Technology (under the Ministry of Science and Technology).
Ministry-wise Allocations and Expenditure on Cybersecurity and Related Activities FY 2013-14 to FY 2019-20
Figure 9 depicts actual expenditure (from FY 2013-14 to FY 2017-18), the Revised Expenditure (RE) for FY 2018-19 and Budgeted Expenditure for FY 2019-20. With the exception of FY 2016-17, we can see a clear trend of increasing allocations for expenditure towards cyber-security related activities, especially for the DoT. It is relevant to point out that this representation also includes the expenditure on Departments playing a supporting role in cybersecurity activities, such as the IDS/Joint Staff and R&D under the Ministry of Defence (MoD) as well as the MEA’s expenditure on international technical cooperation. As the expenditure incurred on cybersecurity related activities alone cannot be inferred from these budget heads, they have been treated as Departments playing a supporting role for cybersecurity efforts and included in overall expenditure.
Figure 10 is a narrower subset of the expenses indicated in Figure 9. It represents the allocations to Departments in Ministries that have been entrusted with core activities that contribute towards cybersecurity operations, R&D, e-Governance and internet governance at large. These include, to name a few, the promotion of electronics and IT hardware manufacturing and other initiatives such as Digital India, C-DAC, NCCC and other similar programmes under MeitY, TRAI, C-DoT and the 5G test bed under the authority of the DoT and MHA’s expenses towards modernization of police forces, forensics, and initiatives such as the Indian Cyber Crime Coordination Centre.
Figure 10 reveals an immediate upsurge in such allocations in the time period during and immediately after the formulation of the National Cyber Security Policy 2013, after which the allocations begin to dwindle in FY 2014-15. We can also note that with the exception of FY 2015-16 actual expenditure is consistently lower than the Budgeted Expenditure allocated to all these Ministries for cybersecurity related activities.
It is interesting to note that if we convert the absolute figures represented in Figure 10 into percentages, and represent the same data set as such, it reveals a remarkable consistency and a clear pattern emerges in burden-sharing between these three Ministries (MHA, MeitY and DoT under the Ministry of Communications).
Figure 11 depicts the same allocations indicated as absolute figures in Figure 10 as percentages of the total expenditure on core cybersecurity activities. It is clear that the MHA consistently bears the bulk of expenses on cyber security related activities, clearly with an emphasis on cyber crimes. The remaining half seems to be divided between MeitY and DoT more or less equally. FY 2015-16 allocations and actual expenditure in FY 2014-15 is the only exception to this equal distribution.
Activity-wise Allocation and Expenditure on Cybersecurity
To further analyse how these budgetary allocations are being utilized, we have re-categorized the expenditures mentioned in Department/Ministry wise allocation into five categories, each of which have been identified as constituent elements of the three Pillars of Strategy namely:
- Human Resource Development Component (Strengthen)
- Technical Research and Development Component, Capacity Building (Strengthen/Synergize)
- International Cooperation and Investment Promotion Component (Secure/Synergise)
- Standardization, Quality Testing and Certification Component (Strengthen)
- Active Cyber Incident Response/ Cyber Defence Operations and Security Component (Secure/Strengthen)
The total expenses incurred for these allocations are calculated to identify if any trends or patterns emerge to identify which activities are being prioritized according to the actual expenditure incurred by the relevant ministries. It is important to note that none of these categories include any expenses earmarked for cyber defence operations under the MoD, as the budget heads do not permit drawing such an inference in its current format.
In this reclassification, we have included one budget head each for two other Departments that do not figure in the data represented in Figures 9, 10 or 11. Namely, these are (a) the allocation towards corporate data management under the authority of the Ministry of Corporate Affairs, which has been included in category (5) indicated above and (b) the allocation towards technical and economic cooperation with other countries for the Department of Economic Affairs under the Ministry of Finance, which has been included in category (3) indicated above.
Figure 12 represents activity-wise trends in these Ministries’ actual expenditure. The figures for FY 2018-19 and FY 2019-20 represent the RE and BE for those years, respectively. It is not surprising that the expenditure on international cooperation and investment promotion towers over all other activities, as the allocated expenses would contribute to overall cooperation efforts at the international level and the promotion of investment broadly, and not only cybersecurity. Nonetheless, these are crucial contributions to enhancing India’s cybersecurity posture at home and abroad. For a clearer analysis, we remove the indicator for expenses towards international cooperation and investment promotion in Figure 13.
From Figure 13, we can clearly infer which of the four activities at the core of the Government’s cybersecurity efforts are being prioritized in terms of allocation of budgetary resources. Clearly, emphasis on equipment testing and certification needs to be sharpened. There is an apparent tension between the funds that are made available for active cybersecurity operations and programmes on the one hand, and investments in human resource development on the other.
We submit that in both these areas, the Government must look to the private sector to create synergies and supplement the financial resources available for these particular activities. We also recommend that the expenditure earmarked for quality testing, development of technical standards and certification should be increased, and accorded greater priority than before.
Share of Ministries’ Budget Allocated to Cybersecurity and Related Activities
If we try to contextualize the utilization of funds made available for cybersecurity-related activities against the total allocations to relevant Ministries, there is no identifiable trend in expenditure patterns of the MEA, MeitY and DoT. Figure 14 represents the total expenditure on cybersecurity-related activities as a percentage of the total expenses allocated to the relevant Ministry. Cybersecurity-related activities appear to be fluctuating in terms of the priority accorded to them over time, in the diversion of financial resources towards this area. The contribution of the Department of Science and Technology towards R&D in cybersecurity has been consistently low, almost negligible. This has only changed with the establishment of the National Mission on Interdisciplinary Cyber Physical Systems in FY 2018-19. has been MHA’s share of expenditure on cybersecurity activities appears relatively more consistent, and could potentially be leveraged to create synergies for the rationalization of expenditure across Ministries.
Budget for NCSS 2020?
In anticipation of the National Cyber Security Strategy 2020 expected to be released soon, we will be closely monitoring the the Union Budget for FY 2020-21 for fresh allocations to the relevant departments indicated in our analysis. We will also be on the lookout for fresh allocations that may be relevant to various components of the NCSS 2020. Watch this space for more on India’s Cybersecurity Budget 2020, coming soon!