Cyber security to Cyber strategy

Plans and implementation

India’s National Security Council Secretariat (NSCS) has announced a roadmap of action on the cyber security front, involving partnership with the private sector. (See the recommendations of the joint working group and related media reports)

In an op-ed in Indian Express I make two sets of arguments. The first set points out that the government has realised that it needs expertise from outside its cloisters to address contemporary policy challenges and must reform itself in order to be able to use it.

The second set distinguishes three aspects of information policy in the geo-strategic and national security context: cyber security, addressing physical threats that emerge from cyber space and finally cyber-strategy. Much of the emphasis in the government’s plan is on the first of the three. It ought to place adequate emphasis on the other two. Without debating and evolving a new balance on the bounds of government in cyberspace, it will be difficult to manage the threats that emerge from it. Without investing in intellectual inquiry into the fundamentals of cyber conflicts, it will be difficult to shape a cyber strategy that protects and promotes India’s national interests in the international arena. Also, India ought to be wary of both premature and delayed militarisation of cyber strategy. You can read the whole essay here.

Subimal Bhattacharjee’s op-ed in Mint presents another perspective. Mr Bhattacharjee argues that while institutionalising cyber security management in a joint working group under the NSCS is a good thing “the key point is the cohesive functioning of the permanent JWG and the implementation of these recommendations.”

Related Link: My Takshashila colleagues, Srijith Nair & Rohan Joshi responded to the draft national cyber security policy in May 2011.

1 thought on “Cyber security to Cyber strategy”

  1. I am glad India is finally focusing on cyber security. The JWG recommendations are indeed a step forward.
    The one aspect which caught my attention is the fact that the recommendation tend to treat cyber security as “defending” rather than “securing”. By which I mean, there is a lot of emphasis on “testing” , “certifying” and “fixing” and (Seemingly) very little on “building secure systems”. This is where I believe collaboration with US may help. The industry in the US has moved (at least the well aware ones) from “we need to test for security” to “we need to build-in security”. The federal government is trying to do the same in many areas (securing smart grid being an excellent example).

    Disclosure: I am currently employed with a company which is a “Software security consulting” firm. The views above are personal.

Comments are closed.