The government released the first draft of the National Policy on Cyber-security in July 2013. The policy aims at building a secure and resilient cyberspace for citizens, businesses and Government. The full document can be accessed here at: National Cyber Security Policy 2013.
As TRAK.IN article says, the policy is very superficial and lacking-in-details, especially for a document which the government has been trying to draft for more than a year now. Given the inherent vagueness of the policy and while awaiting any further clarification from the government, one can presume that the effect of this policy will be felt by organizations in sectors whose relevance to cyber-security would be mildly appreciable. This concern is punctuated by the fact that the policy simply terms all concerns as ‘cyber threat’ instead of distinguishing clearly between ‘national cyber security threat’ and ‘cyber crimes’. The former needs a much graver concern than the latter. And by failing to appreciate the difference in the policy itself, there is a high potentiality of the government interference in cyber-security concerns of private sector to an extent more than what is required. For the sake of analysis, one can evaluate the overall exposure of a firm to the policy along 3 dimensions, cyber exposure, national security exposure and global exposure. The ultimate measure of impact would be the weighted sum of all these three factors.
Cyber exposure, is the proportion of total operations that happens on the cyber space. National security exposure, measure of how critical the operations of an organization to the national security. Global exposure, measure of the geographical spread of the operations of the firm. Global exposure is especially contentious given the cross-border laws and regulations involved. For example, IT firm working on defense project of a foreign country would score high on all factors whereas an education-services firm providing e-lessons to kids in rural India would score high on the first indicator but low on the other two etc.
The gravest concern in any national policy or any regulation for that matter is the entry barrier it poses to the new entrants. The world today is being increasingly ‘cyberized’. An ever increasing amount of economic activity has shifted to the cyber-space, e-commerce and e-banking, being highly recognized developments. But in a way these developments and the larger proliferation of e-firms in India was facilitated by the lack of strait-jacket regulations in the sector. Such a situation whose credibility could be questioned still served as the jumping board for a large section of self-styled entrepreneurs who couldn’t circumvent the regulations choking the conventional entrepreneurial environment in the nation. I wouldn’t be surprised if difficulty in procuring affordable real estate at the appropriate time was stated as the primary and availability of credit as secondary of the greatest challenges to healthy entrepreneurial activity in the country. In the last few years, we have seen the rise of numerous multi-retail online stores, e-outlets for major brands, online bazaars for wholesale sell/buy etc. By integrating the operational space and logistical platform into one portal, the firms were able to cut down on a lot of administrative and operation costs. Such a cut-back helped numerous firms to compete at miniscule differences in profit-margins.
The National Optical Fiber Network being built by the Bharat Broadband Network Limited working in coordination with other PSUs, aims to provide pan-India internet connectivity. This is will provide all of the existing 2.5 lakh (approx.) Gram Panchayats with internet connectivity. This opens a whole new dimension to the rural economic sphere. Financial inclusion, Spot futures for farmers, e-medicine etc. are just some of the many boons to follow. But over and above the rest, it is education and medicine whose exposure to internet in rural India, I value the most, given their potential impact on the overall development of the nation.
In the post-liberalization era, given the demographic dividend of the nation, education has been a great attraction for both the profit and non-profit sector. In the for-profit sector, the attraction is by virtue of the potential market size in all the sections of primary, secondary and higher education sector. In the non-profit sector, entrenched poverty, large-scale illiteracy etc. brought the world’s attention to the development needs of the nation. Education was seen as a solution to all the problems with the presumption that it will lead to increased employability. The boom of the IT sector indeed made this wish true till the end of the first decade of the millennium. But as job prospects fall in tandem with the employability of India’s educated youth, the focus on education has intensified like never before. There are hundreds of NGOs and tens of Foundations working in the country towards making education more accessible to the poor as well addressing issues like gender discrimination, social inclusion of physically/mentally challenged children and class based discrimination. But given, the amount of money and effort that has gone into the sector, most of the veterans in the field agree that the expected impact hasn’t been yet achieved. The inefficacy of philanthropic interventions has brought about a certain pessimism in the minds of development sector professionals. But the gloom is parallel witnessing the rise of technology based education solutions for children in India. Educom, Pearson, Pratham etc. are just some of the organizations that are in this e(du)-sphere.
Many of these organizations and many other start-ups in the pipeline are greatly relying on this optical fiber network to scale-up their ventures and reach the remote areas where access to quality education has always been marred by lack of competent teachers and other supportive resources. These firms in the process of scaling up will inevitably fall under the purview of the National Cyber Security Policy given the wide mandate the policy has provided for itself. Also due to lack of distinction between critical levels of cyber-activities with respect to national security, for the purpose of compliance with the policy, the policy stands in the position of possibly imposing a higher entry cost for firms and organizations. Even with conservative estimates, the education market in India is worth tens of billions in US dollars. The demography to be served is also widely distributed providing a fertile ground for a new wave of entrepreneurs in the sector. This is a great opportunity for Indian youth to build upon the IT expertise we have developed, thanks to the IT revolution in the country. As things stand, there is a great demand and great possibility for quality supply especially given that the beneficiaries are going to be lower sections of the economic hierarchy in the country, we should be all the more supportive of the momentum. In the light of the above, the fear is that, the Cyber Security Policy could be interpreted much widely than essential for securing national security. This will be a great obstacle to the blossoming online entrepreneurs/development professionals in delivering the targeted products/interventions to the target population. As of now, there is no idea about the compliance cost for this policy. But one can envisage the difficulties that might arise given the bureaucratic history of the Indian state.
The National Cyber Security Policy 2013, is a step in the right direction but its inherent vagueness combined with the discretionary powers of the State bureaucrats could quell the upcoming online entrepreneurs by increasing their entry cost. This is especially bad for the education sector given the rising number of tech-based solutions for mitigating the education problems of the nation. We will have to be vigilant about the evolution of this policy into a full-fledged bill and strive to correct any deviation of this policy into areas where it could be a bane rather than a boon.
Post Disclaimer
The opinions expressed in this essay are those of the authors. They do not purport to reflect the opinions or views of CCS.