Given below are the salient Features of the Joint Working Group (JWG) Report on
Engagement with Private Sector on Cyber Security, released by Sh Shivshankar Menon, National Security Advisor, on 15 October, 2012 in
1. One of the primary challenges facing both government as well as
industry is to ensure the security of their computer networks and systems.
Cyber security cannot be achieved in isolation by either government or industry
alone. It requires joint efforts and collaboration. Following discussion with
representatives of the private sector on their role in enhancing cyber security,
it was decided to set up a Joint Working Group (JWG), under the chairpersonship
of the Deputy National Security Advisor, to work out the details of the Roadmap
for cyber security cooperation that needed to be evolved. This JWG included
representatives of both government and private sector.
2. The JWG had constituted five
Sub-Groups to flesh out the details of such engagement. These five Sub-Groups
submitted their reports to the JWG on 16 August, 2012, which thereafter
finalized its recommendations.
The JWG has identified the following guiding principles and
objectives that would underpin the public-private partnership (PPP) in cyber
a) Given the diverse stakeholders in cyber security, institutional
mechanisms should be set up to promote convergence of efforts both in public
and private domains;
b) Use existing institutions and organizations to the extent
possible in both private sector and government and create new institutions
where required to enhance cyber security;
c) Set up
a permanent mechanism for private public partnership;
d) Identify bodies that can play a wider role in funding and
implementation in the public and private sector;
e) Identify areas where both private and public sector can build
capacities for cyber security;
f) Put in place appropriate policy and legal frameworks to ensure
compliance with cyber security efforts;
2 Recommendations of Joint Working Group on Engagement with
Private Sector on Cyber Security
g) Promote active PPP cooperation in international forums and in
formulating India’s position on global cyber security policies;
h) Establish India as a global hub of development of cyber
security products, services and manpower; and
indigenization and work on joint R&D projects to meet the cyber security
needs of the country.
“Roadmap” for PPP on Cyber Security Issues
(1) Institutional Framework
On the basis of these guiding principles, the following
coordination and oversight structure is proposed:
(a) There should be a permanent Joint Working Group (JWG) under
the aegis of the National Security Council Secretariat (NSCS) with
representatives from Government as well as Private Sector.
(b) This JWG will act as an
advisory body and coordinate Public-Private Partnership (PPP) on cyber security.
(c) A Joint Committee on International Cooperation and Advocacy
(JCICA) will be set up as a permanent advisory committee of the JWG in
promoting India’s national interests at various international fora on cyber security issues.
(d) The composition of both JWG and JCICA will be finalized in
consultation with industry associations.
(e) The private sector will set up Information Sharing &
Analysis Centres (ISACs) in various sectors and
cooperate with the sectoral CERTs at the operational
(2) Capacity Building
(a) Critical shortage of cyber security professionals need to be
tackled in mission mode with innovative recruitment and placement procedures
along with specialized training of existing manpower. This programme
may be implemented in PPP mode.
(b) There has to be a concerted effort to increase the number of
cyber security professionals and equip them to efficiently meet the challenges
of Cyber Security.
(c) Ministry of Communication and Information Technology (MCIT)
and Ministry of Human Resource Development (MHRD) and the private sector may
jointly establish a cyber security capacity building framework.
(d) Establishing a competency framework to assess skills required,
identify gaps, Recommendations of Joint Working Group on Engagement with Private
Sector on Cyber Security 3 and
devise strategies and programmes for
capacity-building. This may include designing security certification schemes
for IT professionals and advising cyber security related curriculum for formal
sector (B.Tech, M.Tech., MBA etc).
(e) Work towards establishing a multi-disciplinary Centre of
Excellence (COEs) in Cyber security areas including best practices, forensics,
cyber crime investigation, studies, research and international frameworks/
(f) MCIT and private sector should jointly run cyber security
awareness campaigns for the general public, teenagers, children, etc.
(g) Ministry of Home Affairs (MHA) and MCIT may setup training
facilities for training of Law Enforcement Agencies (LEAs) in cyber crime investigations
and cyber forensics. Private sector may be associated with establishment of
training facilities and provide basic and advanced level trainings to the LEAs.
(h) Government and private sector may fund research &
development for development of indigenous cyber security products and solutions
that meet international standards and address the global market.
(3) Security Standards and Audits
Given the role of security standards and audit in enhancing the
level of preparedness and assurance in cyber security, the private sector would
be an active partner in undertaking the following activities:
(a) Define baseline security standards and practices/guidelines
for the critical sector organizations both in the public and private sectors.
The standards may be developed by a MCIT led body with active involvement of
the industry and academia.
(b) Define enhanced standards and guidelines for organizations
that fall in the high risk category i.e. the critical information
(c) Laying down of
security standards and guidelines for acquisition of IT products and services.
(d) Develop protection profiles, capturing users’ cyber security
concerns, to aid the procurement of IT products as well as compliance
verification of IT products prior to deployment.
(e) Work jointly towards the establishment of Institute of Cyber
Security Professionals of India (similar to ICAI for CAs). This could be an
autonomous institution under the patronage of MCIT.
(f) Make cyber security audit mandatory by appropriate amendment
in the listing requirements under the Companies Act.
(4) Testing & Certification
The following measures may be taken for enhancing testing &
certifying facilities to address the growing concerns relating to supply-chain
(a) Establishment of National Testing and Certification Schemes,
under the supervision and oversight of appropriate empowered entities under the
(b) While action is underway for establishment of Telecom Testing
and Certification Centre in telecom sector, there is a need for establishment
of an independent government certification body for IT products under the MCIT.
The certification body should be separate from the testing facilities. In the
interim, Standardisation Testing and Quality
Certification (STQC) may be authorized as certificate issuing
body for IT
(c) Development of skills and competence of evaluators, validators and certification body personnel for
successfully running the National Testing and Certification Scheme.
(d) Establishment of private owned testing labs, duly accredited
by the certification body; Government may provide the necessary incentives for
the private sector for opening testing labs.
(e) Encourage active participation in the communities of interest
for defining protection profiles for addressing the security requirements of
(f) Take necessary steps to transition from a ‘Common Criteria
Certificate Consuming Nation’ to a ‘Common Criteria Certificate Authorizing
As the first step towards the implementation of the above
recommendations, four pilot projects have been identified for early
(a) Setting up of a pilot testing lab,
(b) Conducting a test audit,
(c) Study vulnerabilities in a sample Critical Information Infrastructure,
(d) Establishment of a multi-disciplinary Centre of Excellence
6. The permanent JWG (to be constituted) will work out the
Action-Plan for implementation of the recommendations.