The government has formulated a new policy on cyber security amid growing incidents of malware attacks on critical sectors such as hospitals and oil companies. Lt Gen (Retd) Rajesh Pant, the national cyber security coordinator, has said that the National Cyber Security Reference Framework (NCRF) 2023 has been approved and will be placed in the public domain.
Speaking at an event, Pant said the NCRF policy is aimed at providing critical sectors such as banking, energy and others with “strategic guidance” to address cyber security concerns.
“Presently, there is no system to guide organisations, especially in critical sectors, as to what are the best practices for creating cyber secure systems. There have been large-scale attacks recently—for example on Oil India, a group in Nagpur, and an attack on a Tata Power plant. All of these are critical sector entities,” he said.
He added that the government has selected seven sectors as critical sectors, namely telecom, power and energy, banking and financial services, transportation, strategic enterprises, government enterprises and healthcare. NCRF “has been created to provide organisations with a strategic guidance to help them address their cyber security concerns in a structured manner,” he said.
On 20 February, Pant said at India Digital Summit 2023 that the framework, previously called National Cyber Security Strategy 2023, would be published soon. He also said the policy will be based on a common but differentiated responsibility (CBDR) approach.
Industry experts said NCRF 2023 is the first follow-up to the National Cyber Security Policy 2013 of the Ministry of Electronics and Information Technology (Meity), which sought to offer enterprises best-practice guidelines for preventing cyber attacks, and was due for an update.
“The National Cyber Security Strategy of 2023 is a broad policy document that will set out the whole legal framework, along with other aspects. It won’t just offer legal guidelines, but be a position that India as a nation wishes to take — taking every aspect into account, be it operational or technical,” said NS Nappinai, Supreme Court lawyer and founder, Cyber Saathi.
Nappinai added that the policy will be different from directives under the Indian Computer Emergency Response Team (Cert-In), published by Meity on 28 April. The latter is the latest regulation published by Meity on cyber security, which enforced a six-hour timeline for companies to report cyber incidents — failing which companies would be liable to face penalties under Section 70B of the Information Technology Act, 2000.