NEW DELHI: The government has formulated a new policy on cyber security amid growing incidents of malware attacks on critical sectors such as hospitals and oil companies.
Lt Gen (Retd) Rajesh Pant, the national cyber security coordinator, said on Monday that the National Cyber Security Reference Framework (NCRF) 2023 has been approved and will be placed in public domain.
Speaking at an event, Pant said the NCRF policy will be aimed at helping critical sectors such as banking, energy and others with a “strategic guidance” to address cyber security concerns.
“Presently, there is no system to guide organizations, especially in critical sectors, as to what are the best practices for creating cyber secure systems. There have been large-scale attacks recently—for example on Oil India, a group in Nagpur, and an attack on a Tata Power plant. All of these are critical sector entities,” he said.
He added that the government has selected seven sectors as critical sectors, namely telecom, power and energy, banking and financial services, transportation, strategic enterprises, government enterprises and healthcare.
NCRF “has been created to provide organizations with a strategic guidance to help them address their cyber security concerns in a structured manner,” he said.
On 20 February, Pant said at India Digital Summit 2023 that the framework, previously called National Cyber Security Strategy 2023, would be published soon. He also said the policy will be based on a common but differentiated responsibility (CBDR) approach.
Industry experts said NCRF 2023 is the first follow-up to the Ministry of Electronics and Information Technology (Meity)’s National Cyber Security Policy 2013, which sought to offer enterprises best-practice guidelines for preventing cyber attacks, and was due for an update.
“The National Cyber Security Strategy of 2023 is a broad policy document that will set out the whole legal framework, along with other aspects. It won’t just offer legal guidelines, but be a position that India as a nation wishes to take — taking every aspect into account, be it operational or technical,” said NS Nappinai, Supreme Court lawyer and founder, Cyber Saathi.
Nappinai added that the policy will be different from directives under the Indian Computer Emergency Response Team (Cert-In), published by Meity on 28 April. The latter is the latest regulation published by Meity on cyber security, which enforced a six-hour timeline for companies to report cyber incidents — failing which companies would be liable to face penalties under Section 70B of the Information Technology Act, 2000.
Pawan Duggal, Supreme Court lawyer, said that the Framework document may not have legal implications of any sort in improving India’s cyber security environment.
“A framework, largely, is nothing but a collation of good practices that mostly do not come with any kind of penal consequences. Hence, the crux is that if you don’t comply with a framework, nothing really happens. This may not be a good approach to start with, if you don’t impose legal ramifications with cyber security best practices,” Duggal said.
He further added that approaching dedicated regulations towards cyber security is important, amid incidents such as the cyber attack on All India Institute of Medical Sciences (Aiims) on 23 November last year, and the reported data breach on the Center’s covid-19 vaccination platform, Cowin, on Monday.
“We are constantly bleeding as a data economy, and if we’re not able to come up with appropriate legal frameworks, we can’t enforce the sanctity of law. Without a legal implication, any other approach is unlikely to have a dramatic impact,” Duggal added.