Strategic Thinking for Security: Defending the National Cyberspace – Part III

      Comments Off on Strategic Thinking for Security: Defending the National Cyberspace – Part III

Introduction

In the previous two parts of this blog, several strategic issues related to defense of our national cyberspace in the broad areas of governance, operational aspects and development of offensive cyber capabilities, were brought out.

One of the biggest challenges for any nation aspiring to become a dominant player in global cyberspace is the creation of a highly specialized cadre of cyber warriors. Another issue of importance is enforcement of cyber discipline across the very large attack surface presented by a modern nation’s CII cyberspace. These issues are discussed in the final part of this blog.

Specialized Human Resource: A Critical Factor

Requirements Analysis

One of the objectives stated in the National Cyber Security Policy 2013 was to create a workforce of five lakh professionals skilled in cyber security in the following five years through capacity building, skill development and training. Even after four years, there is hardly any quantifiable progress in this direction. Also, there appears to be no document as to how these personnel would be employed towards protecting our national cyberspace, nor apparently are any standards specified for different categories of cyber professionals in order to meet the objective for which they are to be trained (Reference:  ). There is a need to carry out a systematic and comprehensive requirements analysis in this critical area.

Skill Development

Once the skill requirement analysis is completed, the necessary ecosystem needs to be created for developing skilled human resources, wherein the government, industry and academia all have major roles to play. The necessary training infrastructure in terms of cyber ranges, etc., needs to be created. Expertise/ programs in our education institutions and other establishments would need to measure up to the standards laid down in the requirements analysis for imparting higher end skills in a formal manner. While the ISEA program has planned as deliverables 75,000 professionals in B Tech and above courses (time-frame?) in participation with several academic institutions, actual numbers enrolled as on date are only approximately 5000. It is also pertinent to point out that unless there is the requisite market demand with the right pay packages, of which candidate graduate students are fully aware, they are not likely to opt for cyber security courses. As of now, such a demand does not appear to be existing in the perception of the student community. All in all, a concerted effort needs to be taken at the national level to address this critically important issue.

Cyber Audit

Audit Standards

The NCIIPC has issued an SOP on “Auditing of CIIs/ Protected Systems by Private/ Government Organization” in June this year. This is a good step forward. However, the SOP only lays down the administrative aspects of how the audit will be carried out and not the cyber audit standards to be met by the CII. Standards such as the ISO 27001 and NREC-CIP have been mentioned in the SOP, but not mandated to be adhered to by the CII. However, the SOP states that Critical Segment Category I CII are to be audited by CERT-In empaneled auditors, which might ensure that certain CERT-In issued guidelines are likely to be followed by the auditors. There may be a need to evolve audit standards suited to the Indian cyber eco-system, and mandating them to be met by all agencies managing the CII, whether government or private.

Red Teaming

In the Indian Army, a periodic online audit exercise is conducted by a central audit agency to test cyber defenses (red-teaming) of all Army establishments. Such an exercise is expected to be useful in the civilian context too, especially with reference to CII. Modalities for conducting the same should therefore be evolved, with provisions for penalizing the defaulters, as is the practice in the Army.

Conclusion

The transformation of cyberspace as a strategic domain of conflict amongst nations is taking place at a breathtaking pace. Major world powers have recognized this and are working at a feverish pace to develop requisite capabilities and establish their dominance in this new Information Age dimension of a multi-dimensional battlespace. India, as an emerging world power, needs to take urgent steps to keep pace with these developments.

In this write-up, certain issues of strategic importance with respect to defending our national cyberspace have been brought out. In particular, the imperative to move from a defensive to an offensive mindset and so evolve and operationalize a comprehensive national strategy on cyberspace operations has been highlighted. The government, defence forces, industry and academia all need to work together as a synergistic whole in order to achieve the desired results within acceptable time-frames.

Disclaimer: The views and opinions expressed in this blog is of the author and do not
necessarily reflect the official views or position of Data Security Council of India.