Cyber Space works through an interdependent network of critical information infrastructure, which makes it prone to various vulnerabilities, failures, intrusions and disruptions. It has revolutionised the way in which Government can deliver its services to citizens, and has made critical information infrastructure a requirement of current e-Governance applications. With interconnected infrastructure, a common link may lead to new vulnerabilities, other systems may propagate failures, and unexpected threats may arise from intrusion and disruption in other infrastructure. There is a significant impact on the public if these applications fail to meet the expected service levels. These applications are interconnected, with information and communication technologies playing a pivotal role.
To realize the full benefits of the digital revolution, users need to have confidence that sensitive information is secure and not compromised, and that the infrastructure is not infiltrated. Government also needs confidence that the networks are safe and resilient. Achieving a trusted communications and information infrastructure will ensure that e-Governance achieves the full potential of the information technology revolution.
With the increase in online transactions, especially online money transfers and other financial transactions, it has become necessary to provide a secure cyber space to maintain the confidence of both the service provider, i.e. the government, and the service user. For e-Governance applications, protection of ICT infrastructure is critical, and it requires continuous efforts to secure the communication and information infrastructure and ensure the trustworthiness of e-Governance services. To provide trusted e-Governance services, a secure communications and information technology infrastructure is critical, and it requires continuous efforts to:
Secure e-Governance information systems for critical infrastructure, including emergency preparedness communications, and the physical assets that support such systems, in order to prevent, deter, neutralize, or mitigate the effects of deliberate efforts to destroy, incapacitate, or illegally access information.
Ensure trustworthy e-Governance services wherein the citizen has complete faith in every electronic transaction with the Government.
Cyber Security is dependent on both technological and human factors. Technological solutions are relatively easy to design and implement. Human factors, on the other hand, are much more complex. This requires adopting a ‘holistic approach’, with equal emphasis on both of these aspects of cyber security. To ensure cyber security, the following recommendations may be considered for implementation:
Technological Measures
a. Cyber Security standards for e-Governance applications need to be formulated in collaboration with Industry experts and Academia. The standards need to be in keeping with international standards, with appropriate vetting from cyber security experts from the industry and academia. These standards could be Generic as well as Sector Specific, and need to be evolving and dynamic in nature.
b. A common set of e-Governance specific minimum hardware and software requirements related standards needs to be formulated and mandated.
c. Auditing and Certification Mechanisms need to be formalised and mandated for e-Governance infrastructure. Periodic audits of cyber security infrastructure need to be conducted by a competent authority to ensure that the security set-up is up-to-date and all the known threats are neutralized.
d. These standards are required to be reviewed periodically to incorporate the latest learnings and R&D.
e. Identity Management and e-Authentication processes need to be institutionalised for various groups of users. Identity thefts need to be prevented by employing the appropriate combination of authentication factors based on Knowledge (password, PIN, etc.), Possession (hard token, digital certificate, etc.) and Biometrics (fingerprint, iris scan, etc.). In this regard, DIT has prepared and released a comprehensive Draft National e-Authentication Framework (NeAF) for comments and suggestions from all Government departments and all the other interested stakeholders. The draft NeAF covers both web-based and mobile-based authentication approaches for e-authentication and identity management of all users of Government services.
f. Trustworthiness of the e-Governance transactions needs to be ensured through implementing adequate security measures. A mechanism to certify the authenticity of Government websites needs to be devised and implemented.
g. A much higher level of trust needs to be provided in the case of Mobile Governance initiatives by employing adequate security measures. The existing security policies at National and State levels need to be reviewed to ensure that they encompass the use of mobile-based devices, which now connect a very large number of citizens. Everyone on the network must be uniquely identified and monitored, while ensuring the privacy of the individual.
h. Security and administration of the various Government domains need to be strengthened to prevent cyber attacks and data theft. It has been widely observed that Government domains (e.g. nic) are frequently and successfully breached due to a lack of proper cyber safeguards and security administration.
i. Crisis Management, Disaster Recovery processes and Business Continuity Planning need to be formalised, implemented and mandated for critical and sensitive e-Governance infrastructure. All data centres and critical facilities should have a workable Business Continuity/Disaster Recovery Plan to ensure uninterrupted services in the event of any calamity, natural or man-made.
j. To assist research and development of Cyber Security solutions, the relevant data on cyber attacks need to be shared with designated agencies. This will allow the R&D teams to work on real-time data thus improving the chances of coming up with solutions for real-life threats and problems.
k. Government should work with groups in academic institutions and the industry to proactively identify the issues and problems related to cyber security and possible mitigation measures.
l. A proper real-time monitoring mechanism should be established to detect incidents of cyber attack, as it is noted that in many cases agencies are not even aware that they are under cyber attack.
m. To evaluate the performance of Security measures, e-Governance specific security metrics are required to be defined.
n. To fulfil the requirement of the continued growth of the internet and development of new applications leveraging mobile internet connectivity, transition to IPv6 is a long-term solution. This transition should be done methodically with full consideration of the required security measures to detect and block malicious attacks.
o. A framework for effective information sharing and incident response is needed to facilitate coordinated responses by government and other stakeholders to a significant cyber attack. This will help not only in responding to cyber incidents, but also in pre-empting, predicting and preventing such incidents in future. Government may work with industry to provide such a framework to improve planning and the placement of the resources required to effectively handle a significant cyber security incident.
Human Factors
a. A national education campaign may be initiated targeting different segments of stakeholders to create awareness regarding cyber threats and security measures. As part of this campaign, the best practices for preventing cyber threats should be highlighted and, for those cases where security has already been breached, the process of reporting such incidents should be formalised and made mandatory.
b. In addition to the external threats, focus needs to be laid on how to prevent internal data thefts. Adequate checks and balances need to be incorporated at critical installations so that data thefts may be prevented. Agencies entrusted with ensuring the security of such installations need to be sensitized about the importance of Cyber Security and various avenues of data theft and corresponding prevention mechanisms. Security personnel and network administrators need to be trained adequately to prevent internal data thefts.
c. A capacity building program should be launched for incorporating Cyber Security related thinking and design. The academia and the industry should be engaged to proactively come up with solutions to mitigate cyber security risks through appropriate practices.
d. A Cyber Command may be created within the country’s Defence Services to start preparing for Cyber Warfare in future.
Regulatory Measures
a. Data regulation is critical in ensuring cyber security. A competent Data Regulator should be established to ensure that all data originating inside the country remains within its limits.
b. A Cyber Monitoring Agency should be established under CERT-In to monitor all traffic on the internet to ensure that undesirable activities are controlled.
c. International cooperation in the field of cyber security is critical since in many cases the data servers are physically located outside the country and thus, getting access to the relevant information becomes extremely difficult. This risk may be mitigated by formalizing treaties/ pacts with other nations on jointly tackling cyber threats.
d. Steps should be taken to create a specific privacy related regulation in India for handling sensitive personal data or information in electronic form. Rules and guidelines should be formulated to deal with sensitive information and give directions to all the concerned agencies to incorporate appropriate security practices and procedures.
An outlay of Rs. 825 Cr. has been sought for this purpose.