India to step up cyber security

The world may acknowledge India as an information technology superpower, but its very own official cyber security workforce comprises a mere 556 experts deployed in various government agencies. How “grossly inadequate” is India’s cyber security manpower can be gauged by the fact that China has 1.25 lakh experts, the U.S. 91,080 and Russia 7,300. “The existing combined strength of cyber security experts in all organisations in the government domain is 556, which is grossly inadequate to handle cyber security activities in a meaningful and effective manner,” says a secret note prepared by the National Security Council Secretariat (NSCS), which is engaged in creating an elaborate ‘cyber security architecture’.

Waking up from a deep slumber, the government has decided to recruit 4,446 experts to be deployed in six organisations that would take care of India’s cyber security infrastructure.

These are the Department of Electronics and Information Technology (DEITy), which includes Indian- Computer Emergency Response Team (CERT-In) and the National Informatics Centre (NIC); the Department of Telecom (DoT); the National Technical Research Organisation (NTRO); the Ministry of Defence; the Intelligence Bureau (IB); and the Defence Research and Development Organisation (DRDO).

Of the 4,446 posts, the armed forces will get a majority of the experts (1,887), followed by NTRO (695), DEITy (590), IB (565), DoT (459) and DRDO (250). The experts will take care of traffic scanning and mitigation, system audit and forensics, assurance and certification, research and development, and coordination.

An internal study conducted by the NSCS revealed that all major countries have established mechanism and organisations dedicated to cyber security, a field where India has fared poorly.

China shows the way

For instance, in 2010, China’s Central Military Commission approved “Information Support and Safeguarding Base” to serve as People’s Liberation Army cyber command to address potential cyber threats and safeguard national security. Interestingly, China makes little distinction between hackers who work for the government and those who undertake cyber adventures on its behalf.

“China’s cyber workforce is composed of various components of military, national security, public security, propaganda militia and academia. It now has an estimated strength of 1.25-lakh personnel which includes regular troops (30,000), specialists from various universities, research institutes and states enterprises (60,000), and militia (35,000),” the note adds.

U.S. cyber command

Similarly, the U.S. has 91,080 experts in its cyber security workforce, of whom 88,169 are in the Department of Defense alone. Significantly, in May 2010, Pentagon set up the U.S. Cyber Command (Cybercom) headed by the Director of the National Security Agency (NSA), which was recently in the news for clandestine Internet snooping operations in various countries, including India.

The U.S. has also set up a 24x7 National Cyber Security and Communications Integration Centre (NCCIC) that is responsible for generating a common operating picture for cyber and communications across the federal, state and local governments, intelligence and law enforcement communities and the private sector. “During a cyber or communications incident, the NCCIC serves as the national response centre able to bring to bear the full capabilities of the federal government in a coordinated manner,” the note adds.

Security architecture

Now, India is also setting up its own ‘cyber security architecture’ that will comprise the National Cyber Coordination Centre (NCCC) for threat assessment and information sharing among stakeholders, the Cyber Operation Centre that will be jointly run by the NTRO and the armed forces for threat management and mitigation for identified critical sectors and defence, and the National Critical Information Infrastructure Protection Centre (NCIIPC) under the NTRO for providing cover to ‘critical information infrastructure’. The government is also coming up with a legal framework to deal with cyber security.

The NSCS has identified over a dozen ‘critical information infrastructure’ sectors/ facilities requiring protection. These include the civil aviation sector (Air Traffic Control or ATC), Railways’ passenger reservation system and communication network, port management, companies and organisations in power, oil and natural gas sectors, banking and finance, and telecom sectors.