Cybersecurity strategy proposes measures for data breaches

The cybersecurity strategy of the government, which has been in the works since 2020, proposes several mitigation measures to combat data breaches, provisions that experts and officials see as being crucial in light of a string of ransomware attacks that may have compromised critical data.

In the past couple of months, attackers are known to have breached Solar India Industries Limited, a company that supplies defence related equipment, and the All India Institute of Medical Sciences (AIIMS), one of the country’s most important health care and research institutions.

“The strategy proposes that several verticals of data breaches must be assessed,” an official familiar with the matter said. “These include mitigation measures such as national threat intelligence exchange, creating a malware repository, conducting baseline audits and have awareness events such as cyber week.”

The official added that the strategy proposes a three-pronged approach — people, processes and technology. As far as the people vertical is concerned, it includes increasing cyber hygiene, and the number of cybersecurity professionals. For processes, it proposes standard operating procedures, a management plan for a cyber crisis and privileges to ensure that minimum access is given to users.

The technology vertical would address the need for firewalls, installation of intrusion prevention systems, behavioral analysis tools, network segmentation and creation of offline backups.

“The government has already started working on some of these target areas, by investing the field,” the official mentioned above added.

The government is also looking to overhaul the National Informatics Centre (NIC), which primarily responsible for storing most of the government’s data and is its chief IT service provider.

The policy, conceptualised by the National Security Council Secretariat of India headed by Lt General Rajesh Pant, has been in the works for the past two years. Called National Cyber Security Strategy, 2021, the policy stresses on a need for a legislative framework to address the emerging challenges in the technology space.

The reporting of and penalties for data breaches will be covered under the digital data protection bill, which is being formulated by the ministry of electronics and information technology. “An overarching mechanism is needed to ensure that regular audits are done to ensure that data breaches can be minimized,” the official mentioned above added.

The number of cyber security incidents have gone up 41,378 in 2017 to 1,267,564 in 2022, according to answer to question in Parliament.

Meanwhile, in answer to separate question, the government said that the “cyber space is anonymous and borderless and has become very sophisticated and complex with the technological innovations and inclusion of different type of devices and services”. “Any data breach of Indian users is required to be reported to the Indian Computer Emergency Response Team (CERT-In), which is the national nodal agency for incident response in the country and for the collecting information on cyber incidents. As per the information reported to and tracked by CERT-In, a total of 14, 6 and 22 incidents were reported during the years from 2020, 2021 and 2022 (up to November) respectively,” the ministry of electronics and information technology informed Parliament.

The Parliament was also informed that nearly 248 data breaches were reported by Indian banks between June 2018 to March 2022, leading to card-related information leakage.

According to Supreme Court lawyer and founder of Cybersaathi, NS Nappinai, any National Cyber Security Strategy would have to necessarily include robust resilience measures. “For it is only that which can protect in cases of black swan events. Whilst cyber security threats will always remain being able to anticipate and avoid and more importantly having a quick bounce back plan is what protects best against attacks on critical infrastructure,” she said.