The government has developed a new cyber security policy in response to an increase in malware assaults on important sectors like hospitals and oil firms.
The national cyber security coordinator, Lt Gen (Retd) Rajesh Pant, announced on Monday that the National Cyber Security Reference Framework (NCRF) 2023 has been finalized and would be made public.
He Stating that NCRF policy will be targeted at providing "strategic guidance" to important sectors such as banking, energy, and others in order to solve cyber security threats.
There is currently no structure in place to advise organizations, particularly those in vital industries, on the best practices for developing cyber secure systems. Recently, there have been large-scale attacks, such as those on Oil India, a group in Nagpur, and a Tata Power plant.
The government has designated seven sectors as critical: telecom, power and energy, banking and financial services, transportation, strategic companies, government enterprises, and healthcare.
"The NCRF was established to provide organizations with strategic guidance to assist them in addressing their cyber security concerns in a structured manner.
Pant announced during the India Digital Summit 2023 on February 20 that the framework, formerly known as the National Cyber Security Strategy 2023, would be published soon. He also stated that the policy will be founded on the concept of shared but differentiated responsibility (CBDR).
According to industry analysts, NCRF 2023 is the first follow-up to the Ministry of Electronics and Information Technology's (Meity) National Cyber Security Policy 2013, which was due for an update and attempted to provide organizations with best practices recommendations for combating cyber assaults.
The 2023 National Cyber Security Strategy is a broad policy document that will lay out the entire legal framework, as well as other aspects. It will not only provide legal rules, but will also represent the position that India desires to take — taking into account all aspects, whether operational or technological.
The policy would differ from the Indian Computer Emergency Response Team (Cert-In) directives, which Meity issued on April 28. The latter is Meity's most recent cyber security law, which imposed a six-hour deadline for enterprises to disclose cyber events, failing which companies would face penalties under Section 70B of the Information Technology Act, 2000.
A framework, in general, is nothing more than a collection of good practices that, for the most part, have no legal ramifications. As a result, the crux is that if you don't follow a framework, nothing happens. If you don't impose legal implications with cyber security best practices, this may not be a good method, to begin with.
Approaching dedicated cyber security rules is critical, especially in light of occurrences like the cyber attack on All India Institute of Medical Sciences (Aiims) on November 23 last year, and the alleged data breach on the Center's covid-19 vaccination platform, Cowin, on Monday.
As a digital economy, we are continually bleeding, and if we are unable to develop adequate legal frameworks, we will be unable to enforce the rule of law. Without a legal implication, any alternative technique is unlikely to have a significant influence.