The Union Budget, due on Wednesday, is hours away. With the government’s push for a cashless society and ‘Digital India’, it will be interesting to see if Finance Minister Arun Jaitley announces an allocation for cyber security in his fourth Budget.
According to a cyber security expert who works closely with the government, the amount the government spends on digital security is still “a mystery number”. “There are varying figures floating around,” he says.
A budgetary allocation for cyber-security spends assumes greater importance in the wake of several high-profile hacks and debit card breaches in the recent past. Hacker groups like Legion have even claimed they have root access to government data and mails.
Defence Minister Manohar Parrikar has said that future wars will be fought in cyberspace. Incidentally, India is one of the highest spenders in defence at $50.7 billion, ranking fourth in the world.
FactorDaily asked some industry leaders and tech captains about whether there should be a separate budgetary allocation for cyber security in India.
Following are edited excerpts.
“I don’t know whether there will be something but (in response) to the broader question of whether it is required… I think in the slightly changed circumstances where the focus is on cashless and all, this assumes a different level of significance. So even from an architectural standpoint there needs to be greater foresight. So yes, given that, maybe more budgetary allocation for security and hosting, and general internet security in various forms (are required). So I think that would be justified.
The government has allocations for its various projects. In general what I have noticed is (that) security is high on the radar on everybody’s agenda. So you can assume that some part of the budget for a particular project will be spent on security.
For example, CERT-In (Indian Computer Emergency Response Team), which is a body under DeITY (Department of Electronics and Information Technology) has its own budget. So (perhaps) there is a budget for security also; maybe it is going into such organisations and their activities. But overall, maybe there is merit (in having a separate allocation for digital security). It just needs doubling down in terms of focus and in terms of money.”
“The answer is, absolutely yes. Overall spend on security in the country is quite low across sectors; not limited to the government sector alone. So firstly, we need stringent regulation and controls over prescriptive security given to a select set of critical industries: like financial services, oil and gas, energy, utility and so on. Second, the government itself needs to spend more across spectrums — state, centre, both. Moreover, they need to spend on areas both of prevention as well as prosecution, because a government spend can’t be limited to prosecution alone, it also needs to be preventive.
While there are some noises in the government around actions to be taken through CCC (Course on Computer Concepts), etc., on the ground level very little has happened. So it is time for the government to act on it.
While the Cabinet had last year approved a Rs 800 crore plan for the NCCC (National Cyber Co-ordination Centre), of which Rs 35-40 crore was earmarked for the pilot project, it has been a year and nothing has really been spent yet. Security has never got a separate budget. It is always expected to be part of the IT budget as a result of which, it gets hidden in the operational budget of overall spend. That is what has been happening till date. So it’s time the government create a focussed budget allocation for creating independent effort on securing the digital infrastructure that is already in place or that which is being created.
Globally, about 12% of governments’ budget allocation to technology is usually spent on IT security. Today the annual technology spend in India is about Rs 45,000 crore (state, centre, PSUs, departments all put together). If one goes by the global 12% benchmark and calculates, then we are literally talking about Rs 5,000-6,000 crore on digital security annually. Today the spend is less than, maybe, Rs 200-300 crore.
Even if the (Finance Minister’s budget) speech doesn’t mention it, there are always what we call line items for technology spends in various departments. Each ministry has a line item that mentions technology sub-allocations, but that doesn’t exist when it comes to cyber security.
The whole of the department of IT spends Rs 3,000 crore. Of that, Rs 1,000 crore is reserved for the NIC (National Informatics Centre) and Rs 500 crore for various grants. The remaining amount of Rs 1,500 crore is the fund for Digital India.”
“Cyber security spends, globally, and not just for governments, but for private organisations too, are a direct function of the IT spend or the digital spend.
If you go by the corporate benchmarks of spending on cyber security, the relatively less mature industries like manufacturing, infrastructure, etc. typically spend anywhere between 3-4% of their total IT budget. Globally however, an average of 12-16% is the benchmark for more technically sound industries like finance, e-commerce and to an extent even aviation.
So even for a government that is considering Digital India, digital security spend is a direct function of that initiative; so a percentage of the total IT budget has to go to IT security — there’s no two ways about that. If you don’t spend on digital security, it’s a big red flag and you are potentially putting at stake the entire spend on technology. And more importantly, technology spend today is not really restricted to technology, but percolates into any aspect of our lives that you can think of.
The good thing is that there has been some kind of focus.
Yes, there have been hacks which are serious in nature, whether it’s the 3.2 million debit cards breach or the high-profile hacks that happened through certain hacking groups. Now, considering all of this and the country’s increasing dependency on digital initiatives in the near future, there can be no doubt that the (cyber security) spend has to go up.
I hope it goes up proactively; because if not, then it will go up reactively if there any more hacks. Priority cannot not be cyber security when you are talking digital.”
“We have suggested to the government that since you are asking people to move from cash to less-cash or cashless economy, the risk of breaches is also increasing simultaneously. The banking laws are such that they don’t own up to the responsibility in case of some fraudulent activity. So therefore, what we have suggested is — we should be amending the laws immediately and make banks responsible for it (security breaches). Because the customer cannot bear the responsibility for it, he has kept it in the bank for his safety. Firstly, the banks and beneficiary companies like Paytm etc. should be incentivised and should be made to spend more on cyber security. Second, the government should also allocate a special fund for training at least 5 lakh people in the country especially for cyber-security. So yes, the government should create a conducive environment and allocate a good budget for cyber-security measures.
I personally feel there should be a minimum of Rs 30,000 crore investment in the coming year. The government should have an equal budgetary focus for making infrastructure available in the rural areas, because 95 crore people still do not have access to the internet. So what is all this talk of Digital India then? If we have to build a Digital India, then we need to provide the infrastructure to the people.”