Is 10% of Ministries' IT Budgets for Cybersecurity Enough?
MeitY Sets Goal for Ramping Up Government Security Spending
The Union Ministry of Electronics and Information Technology, or MeitY, has urged all ministries to allocate 10 percent of their IT budgets to cybersecurity following several high-profile hacks and breaches.
But do government departments even consider security a priority?
Doubtless the government considers critical sectors, including defense, telecom, banking, financial securities and insurance, power, and oil and gas, the most vulnerable targets for attacks. It also believes wars will be fought in cyberspace; hence these sectors must be guarded. Thus, it's important to ensure these ministries take the right steps.
Also, it's crucial to gauge whether these ministries have security on their radar and understand their investment priorities. Most often, they don't utilize IT budgets to the fullest or judiciously, lagging behind in deploying new technologies because of insufficient funds. It's imperative to learn how much the ministries earmark for security.
A Reality Check
Details about ministries' spending on security are scarce. While the security spend has grown, it's not clear that it's enough to prepare for new-age threats.
Consultants, including PWC, say the overall spend on security by Indian organizations, including government departments, is low because India lacks stringent regulation and controls over prescriptive security.
While the cabinet a year ago approved a US $120 million plan for the National Cyber Co-ordination Centre (with close to $8 million supposedly earmarked for a pilot project), nothing's apparently been spent yet. The Maharashtra government sanctioned $3 million last year toward setting up cybercrime and forensic labs in each district. Other ministries and state governments have not declared their security road map or budgeted for security.
MeitY's directive is well timed, but it must provide specifics on creating technology budget sub-allocations regarding cybersecurity, the government's mandate that all ministries recruit CISOs to beef up IT infrastructure, and the creation of 10 Standardization Testing and Quality Certification labs.
The Associated Chambers of Commerce and Industry of India (ASSOCHAM), which tracks India's budgetary allocations, says the government's cybersecurity allocation was about $7.5 million in 2012-13, up 19 percent from $5.8 million in 2010-11, whereas the United States spent $658 million through the Department of Homeland Security and $93 million through US-CERT in 2013.
"We urgently need serious effort in capacity-building and setting up high-end cyber labs capable of critically inspecting every IT component before these are deployed in critical infrastructure across industry sectors," says D.S. Rawat, secretary general of ASSOCHAM. "There's an ever-growing threat to the economy, financial sector, key government departments and infrastructure set-ups, which, in turn, leaves internal security at risk."
It's obvious that cyber threats will only rise as India shifts toward a cashless economy and increased digitization.
Sivarama Krishnan, leader-cybersecurity at PWC India, says the focus on digital India and digital payments requires focus on cybersecurity in all sectors.
Government leaders must spell out an action plan with priority cybersecurity investments, including a definite percentage of security budgets required to meet new-age cyber demands.
Singapore has already urged ministries to allocate 8 percent of government information and communications technology expenditures to cybersecurity. Because India requires more efforts in securing government systems and networks, the percentage should be even higher here.
The biggest challenge is understanding the security needs of each department under the ministries because there's no proper methodology for assessing the risk frameworks and thereby deriving security requirements.
The cost for developing a vibrant cybersecurity ecosystem should include:
- Establishing CERTs under every ministry to respond to threats;
- Building skills, securing networks and strengthening governance;
- Appointing CISOs in each department;
- Leveraging appropriate technologies that can help in early detection of breaches;
- Accounting for the costs of third-party services;
- Creating state-of-the-art cyber forensic labs and investigation labs in major cities to conduct post-breach investigations.
The government must take a holistic approach to addressing budgeting and accept the harsh realities of the current threat environment, responding with an appropriate action plan.
It's time to work on a blueprint with roles and responsibilities of each entity clearly spelled out and a clear modus operandi of each department's approach toward tackling cybercrime and investments.