Haryana State Launches Its Own Cybersecurity Policy
But Some Question Whether State Policies Are Really Needed
With the objective of addressing growing threats and breaches, Haryana state has launched its own cybersecurity policy. The policy spells out actions the state intends to undertake to bolster cybersecurity in the region, and it specifies security guidelines that businesses must follow.
But some security practitioners question whether it's really necessary, given the national policy in place. And they point to a lack of detail in the policy, such as the failure to spell out penalties to be imposed if a firm fails to protect data.
The policy says that the state will develop:
- A cybersecurity privacy management framework, which will integrate privacy protections from the outset;
- A plan to train 6,000 cybersecurity professionals over the next five years;
- A plan to encourage organizations in the state to implement information security standards and best practices as spelled out in national and international standards.
Haryana is following the lead of states like Andhra Pradesh, Telangana and Kerala, which already have in place their own cybersecurity policies.
Assessing the Move
Some security practitioners say the Haryana government needs to ensure that its cybersecurity policy is clear, practical and operational - and not just superficial - if it's to be effective in fighting new threats.
They point out that similar policies previously adopted by three states haven't had a major impact. Moreover, a closer look at the Haryana policy document shows it contains mainly the same ingredients as the National Cyber Security Policy, 2013.
"The existing state policy talks about threats and cybersecurity, but the institutional mechanism to run the functions, role of stakeholders in the cybersecurity life cycle, and classification of threats are missing," says one security practitioner, who requested anonymity.
"All cybersecurity policies, at the national level and at the state level, are more or less the same," adds Kislay Chaudhary, chairman at Indian Cyber Army. "I don't understand a need to have a state policy when we have a national policy in place."
Privacy and Collaboration
Although the overall framework of the policy follows the lines of the national cybersecurity policy, the Haryana policy takes a new approach to a security and privacy management framework. It states: "Government has a special responsibility to the citizen, industry and organizations operating in the state of Haryana, and further to national and international allies and partners and to be able to assure them that every effort made has been to render our systems safe and to protect data and networks from cyberattacks or any other interference."
The cybersecurity privacy management program for Haryana says actions will be taken against companies that fail to protect individuals' data, but fails to provide details, such as the kind of penalties to be imposed if a firm fails to protect data.
While the new state policy touches upon the state building an incident response framework, it doesn't spell out the framework's critical components.
One security practitioner from the state, who asked to remain anonymous, points out that the framework fails to mention implications in the event of a data breach. "It doesn't say what would happen in case a company or organization faces a breach and the best approach that needs to be followed as a response to the breach," the practitioner says.
Haryana's policy emphasizes a collaborative approach to address breach challenges through private and public partnership. A cybersecurity call center and citizens portal have been proposed to react to breach incidents in real time.
States and their ministries should be actively involved in implementing the policy stringently, security experts say. This is not currently the case because many states do not have an adjudicating officer.
Public Private Partnership, or PPP, has been mentioned in the policy. "This is something that has been mentioned in every policy of the government but nothing is written beyond this one line," Chaudhary says. "If they have mentioned PPP, then they should have also elaborated on the plan chart and at what level they want the public-private partnership to be involved. These things, in fact, fail to get mentioned in most policies."
Are State Policies Required?
Many security practitioners question whether India needs separate cyber policies in each state.
Nitish Chandan, founder of Cyber Blog India, offers a similar view. "India doesn't have a federal structure like the U.S. Here, the centre needs to have a stronghold on frameworks and sanctions," he says. "A policy initiated at the centre is more widely accepted because the internet is border free. Two states enforcing different rules ... within one country will not be beneficial technically or legally. For instance, if a state comes out with a framework which gives its own privacy related guidelines, what happens in case an organization serves pan India?"
State policies, however, will encourage startups and state-owned companies to have a cyber structure in place and reach out to the government in case of a need, contends Sapan Talwar, CEO at Aristi Ninja, an information security company. "Apart from this, as a practitioner, I don't see any major value-add of having a state policy," he says. "The National Cyber Security Policy is sufficient, provided the state government devises an implementation methodology and aligns with national policy."
Moreover, many state government initiatives are not enforced, especially as political leadership changes, says C.N. Shashidhar, founder and CEO at SecuriT Consultancy Services.
Right Policy Measures
Some security practitioners say government leaders at the centre need to suggest strategic objectives that are supplemented with clear-cut road maps at all levels. An accountability mechanism should be in place, along with a strong presence of public information access channels to keep citizens updated about the work being done, they say.
Shashidhar says the policy in Haryana must emphasize the need to conduct digital forensics investigations and use the latest analysis techniques, tools and methods. "I would like to see a roadmap to achieve this," he says. "Also, there should be user awareness training to all levels of government employees if Haryana has to move forward on the path of Digital India platform."
Dinesh Bareja, COO at Open Security Alliance, says Haryana should issue a supplementary document to "list out the responsibilities of cybersecurity groups and teams. Moreover, the size of the teams too needs to be mentioned along with the budgets allocated to each group."