"Fostering an innovation-friendly environment by providing clear guidelines and regulations that encourage entrepreneurship and growth is also crucial."

    With the fundamental shift in cybersecurity threats, do you believe policymakers fully understand the gravity of this change, or are we still too focused on legacy threats?

    Policymakers do understand the evolving cybersecurity threat landscape, but there is still a gap between their understanding and the gravity of the change. Several factors contribute to this gap. Cybersecurity threats are becoming increasingly sophisticated, making it challenging for policymakers to keep pace with the latest developments. Moreover, as you mentioned, there is still a focus on legacy threats, such as traditional malware and phishing attacks, rather than emerging threats like AI-powered attacks and IoT vulnerabilities. Policymakers may also lack the necessary technical expertise at times to fully comprehend the implications of emerging threats and technologies. Additionally, government agencies and institutions tend to be slow to adapt to changing circumstances, which can hinder their ability to respond effectively to new and evolving threats.

    The consequences of this gap are significant. Insufficient understanding of emerging threats can lead to inadequate regulations, which can fail to address the root causes of cybersecurity risks. Without a clear understanding of the threat landscape, resources may be misallocated, leading to ineffective cybersecurity measures. Ultimately, this gap between policymakers’ understanding and the seriousness of the situation leaves organizations and individuals more vulnerable to cyber-attacks.

    To bridge this gap, several steps can be taken. Policymakers should be provided with regular education and training on emerging cybersecurity threats and technologies. Collaboration between policymakers, cybersecurity experts, and industry leaders should be encouraged to ensure that policymakers receive accurate and timely information. Promoting the sharing of threat intelligence across government agencies, industries, and organizations will help create a more comprehensive understanding of the threat landscape. Finally, regulations should be developed to be agile and adaptive, allowing for swift responses to emerging threats and technologies.

    We can take necessary steps to bridge the gap and ensure that our cybersecurity measures are effective in addressing the evolving threat landscape, by acknowledging the gap between policymakers’ understanding and the gravity of the change.

    With the Digital India Act on the horizon, what key principles, do you think, should be prioritized to balance innovation, user safety, and regulatory compliance?

    The Digital India Act presents an opportunity to create a comprehensive framework that balances innovation, user safety, and regulatory compliance. To achieve this balance, several key principles should be prioritized in my opinion.

    Firstly, online platforms and services must be transparent about their data collection and usage practices. They should be held accountable for any violations or misuse of user data. Alongside this, user safety, security, and well-being must be prioritized, with clear measures implemented to protect users from harm, harassment, and exploitation.

    Fostering an innovation-friendly environment by providing clear guidelines and regulations that encourage entrepreneurship and growth is also crucial.

    In tandem, robust data protection and privacy laws must be enacted to safeguard users’ personal data and ensure its secure storage, processing, and transfer.

    Another important principle is the incorporation of security by design principles, ensuring that security is integrated into every stage of development. Further, collaboration between government, industry, civil society, and academia is vital to ensure that regulations are informed by diverse perspectives and expertise.

    The regulations are agile and adaptable to accommodate emerging technologies, innovations, and changing user needs. In addition, promoting digital literacy, online safety awareness, and cybersecurity education is essential to empower users to make informed decisions and protect themselves online.

    To ensure that regulations are enforced effectively, independent oversight mechanisms must be established. On a global scale, cooperation and alignment must be encouraged on digital governance, data protection, and cybersecurity standards to facilitate seamless international interactions and commerce.

    In terms of implementation, it is pertinent to engage with diverse stakeholders through public consultations to ensure that regulations reflect the needs and concerns of all parties. A regulatory sandbox can be created to test innovative solutions and provide a safe environment for experimentation. Further, clear guidelines and standards for online platforms and services should be provided to ensure compliance and consistency. Investment in digital literacy programs will empower users and promote online safety awareness. Finally, collaboration with international partners is necessary to establish global standards and best practices for digital governance, data protection, and cybersecurity.

    The Digital India Act can create a balanced framework that promotes innovation, user safety, and regulatory compliance, by prioritizing these principles and implementing these strategies.

    With data breaches growing exponentially, do you think India’s cybersecurity frameworks, like CERT-In guidelines, are keeping pace with the threat landscape?

    India’s cybersecurity frameworks, including CERT-In guidelines, have made progress in addressing the growing threat landscape, but there is still a need for improvement to keep pace with the evolving nature of cyber threats.

    CERT-In has established a well-defined incident response mechanism, which helps in quickly responding to and containing cyber incidents. The guidelines emphasize the importance of regular security audits and compliance, which helps organizations identify and address vulnerabilities. Further, CERT-In conducts regular cybersecurity awareness and training programs, which helps in educating organizations and individuals about cybersecurity best practices.

    However, the threat landscape is evolving rapidly, with new threats and vulnerabilities emerging daily. The CERT-In guidelines need to be updated regularly to keep pace with these emerging threats. While CERT-In has established an incident response mechanism, there is a need to enhance its capabilities to respond to complex and large-scale cyber incidents.

    Further, while CERT-In conducts cybersecurity awareness and training programs, there is a need to improve cybersecurity awareness and education among organizations and individuals, particularly in the context of emerging technologies like AI, IoT, and blockchain. The guidelines should encourage the adoption of international cybersecurity standards, such as ISO 27001, to ensure that Indian organizations are aligned with global best practices. In addition, CERT-In should enhance public-private partnerships to leverage the expertise and resources of the private sector in improving cybersecurity in India.

    To strengthen India’s cybersecurity posture, several key recommendations should be considered. First, it is essential to regularly update CERT-In guidelines to keep pace with emerging threats and technologies.

    Second, conducting regular cybersecurity drills and exercises is critical to enhancing incident response capabilities and testing the preparedness of organizations. Another important step is to establish a national cybersecurity framework that outlines the roles and responsibilities of various stakeholders, including government agencies, organizations, and individuals. Encouraging the adoption of international cybersecurity standards, such as ISO 27001, is also key to ensuring that Indian organizations are aligned with global best practices. Finally, enhancing public-private partnerships is essential to leveraging the expertise and resources of the private sector in improving cybersecurity in India.

    With AI-driven cyberattacks becoming more sophisticated, how can regulatory frameworks ensure responsible AI use in cybersecurity without stifling innovation?

    Ensuring responsible AI use in cybersecurity while promoting innovation requires a balanced regulatory framework. To achieve this balance, several key strategies can be implemented.

    A risk-based approach to regulation is essential, with a focus on high-risk AI applications and ensuring that regulations are proportionate to the risks. In addition, transparency and explainability in AI decision-making processes should be mandated, enabling regulators and users to understand AI-driven actions.

    Human oversight and accountability in AI-driven cybersecurity systems must be ensured to prevent unchecked AI decision-making. Collaboration and information sharing between regulators, industry stakeholders, and academia is another important strategy to stay abreast of AI advancements and emerging threats.

    Further, the regulations should be agile and adaptive so that they can accommodate rapid AI advancements, ensuring they remain effective without stifling innovation. Investment in AI cybersecurity research should be encouraged, focusing on developing more effective and responsible AI-powered cybersecurity solutions.

    Cybersecurity standards and guidelines for AI development and deployment should be established to ensure consistency and security across AI applications. Further, public awareness and education about AI-driven cybersecurity risks and benefits should be promoted, empowering users to make informed decisions. Regulatory sandboxes for AI innovation should be created, allowing companies to test and refine AI-powered cybersecurity solutions in a controlled environment. Lastly, international cooperation and coordination on AI cybersecurity regulation should be fostered, ensuring consistency and cooperation across borders.

    A balanced regulatory framework will offer several benefits. It will encourage innovation in AI-powered cybersecurity solutions while ensuring responsible AI use. Additionally, it will improve cybersecurity by leveraging AI's capabilities while minimizing AI-driven risks.

    Furthermore, it will foster trust among users, regulators, and industry stakeholders by ensuring transparency, accountability, and human oversight in AI decision-making. Finally, it will support economic growth by promoting the development and deployment of AI-powered cybersecurity solutions while ensuring responsible AI use.

    As quantum computing threatens to outdate current encryption methods, what should be India’s top priority in developing quantum-resilient systems and policies?

    As quantum computing threatens to outdate current encryption methods, India’s top priority should be to develop a comprehensive national strategy for quantum-resilient systems and policies. Here are some key priorities:

    Short-Term Priorities (2023-2025)

    Educate policymakers, industry leaders, and the public about the implications of quantum computing on current encryption methods. Identify critical infrastructure, such as financial systems, defence networks, and healthcare services, that are vulnerable to quantum computing attacks. Invest in the development of quantum-resilient cryptography, such as lattice-based cryptography, code-based cryptography, and hash-based signatures.

    Mid-Term Priorities (2025-2030)

    Establish a national authority to oversee the development and implementation of quantum-resilient systems and policies. Develop quantum-secure communication networks for critical infrastructure, using technologies such as quantum key distribution (QKD). Implement quantum-resilient cryptography in critical infrastructure, such as financial systems and defence networks.

    Long-Term Priorities (2030-2040)

    Develop indigenous quantum computing capabilities, including the development of quantum computers and quantum algorithms. Establish a research and development ecosystem to promote innovation in quantum computing and quantum-resilient systems. Develop a national quantum computing strategy that outlines India’s vision, goals, and objectives for quantum computing and quantum-resilient systems.

    To ensure a secure transition, India must invest in quantum computing research and development to promote innovation and develop indigenous quantum computing capabilities. Next, establish a national authority to oversee the development and implementation of quantum-resilient systems and policies. Further, develop quantum-resilient cryptography standards for critical infrastructure, such as financial systems and defence networks. Finally, promote international cooperation in quantum computing and quantum-resilient systems to leverage global expertise and best practices.

    India is a rising digital economy, but also a prime target for sophisticated cyber threats. Do you think we need a fundamental rethink of our cybersecurity policies?

    India’s growing digital economy and increasing dependence on technology make it a prime target for sophisticated cyber threats. A fundamental rethink of our cybersecurity policies is necessary to address the evolving threat landscape and ensure the security and resilience of our digital infrastructure.

    There are several reasons why we need to rethink. Cyber threats are becoming increasingly sophisticated, with the rise of AI-powered attacks, IoT vulnerabilities, and supply chain attacks. Further, India’s growing digital economy and increasing dependence on technology make it a prime target for cyber-attacks. Again, India’s cybersecurity infrastructure is still in the development stage, with inadequate investment in cybersecurity research, development, and innovation. Ultimately, there is a lack of cybersecurity awareness among Indian citizens, businesses, and organizations, making them vulnerable to cyber-attacks.

    The key areas for the rethink first include developing a comprehensive national cybersecurity strategy that outlines India’s vision, goals, and objectives for cybersecurity. Establishing a clear cybersecurity governance framework that defines the roles and responsibilities of various stakeholders, including government agencies, businesses, and individuals, is necessary. Our policies further need to invest in the development of a robust cybersecurity infrastructure, including cybersecurity research and development, innovation, and capacity building. Promoting cybersecurity awareness and education among Indian citizens, businesses, and organizations would further empower them to protect themselves against rising cyber threats. Ultimately, international cooperation and collaboration on cybersecurity should be fostered to leverage global expertise, best practices, and threat intelligence.

    To recommend against the same, first we must establish a national cybersecurity authority to oversee and coordinate India’s cybersecurity efforts. Second, develop a comprehensive national cybersecurity strategy that outlines India’s vision, goals, and objectives for cybersecurity. Third, invest in cybersecurity research and development to promote innovation and develop indigenous cybersecurity solutions. Fourth, promote cybersecurity awareness and education among Indian citizens, businesses, and organizations to empower them to protect themselves against cyber threats. And last, foster international cooperation and collaboration on cybersecurity to leverage global expertise, best practices, and threat intelligence.

    About AVM (Dr.) Devesh Vatsa: 

    Air Vice Marshal (Dr) Devesh Vatsa, VSM, is a visionary leader with 37 years of exceptional service in the Indian Air Force (IAF), specializing in cybersecurity, data operations, and strategic communication. As Air Commodore at the Defence Cyber Agency, he was instrumental in shaping India’s cyber defense framework, spearheading initiatives for cyber deterrence, resilience, and national security. AVM Vatsa played a pivotal role in drafting critical cybersecurity policies, including the National Cyber Security Policy, and establishing the IAF’s Cyber Operation Centre.

    As Commandant of the Software Development Institute, he led the institute to earn CMMI Level 3 certification, enhancing the IAF’s software development and cybersecurity capabilities. Known for his expertise in protecting critical data infrastructure, AVM Vatsa has left an indelible mark on India’s defense cybersecurity landscape. He has been honored with the Vishisht Seva Medal and is also featured in the book 100 Great IITians, underscoring his legacy as a leading figure in defense cybersecurity.
