Interview

India Needs a Stronger Cybersecurity Framework

It is important that start-ups start thinking about cybersecurity from the time they begin developing a structural design for their company, and not in later stages.

Published by Livemint on December 7, 2017

Source: Livemint

Regulators need to become enablers for the broader start-up and tech ecosystem and develop more light-touch regulations to enable innovation, according to Ananth Padmanabhan, tech and policy fellow at Carnegie India, a think tank, which is hosting the Global Technology Summit on 7 and 8 December in Bengaluru.

The summit will include sessions and discussions touching on a variety of topics, including the use of technology for governance, digitizing public services and creating regulations around new-age digital systems.

In an interview, Padmanabhan spoke about the challenge of developing light-touch regulations, how public-private partnerships are required for the benefit of the start-up ecosystem and the need to create awareness around cybersecurity issues. India needs a stronger cybersecurity framework, he said. Edited excerpts:

Many start-ups in the past have run into legal troubles with state authorities. Do you think centralization of certain laws like transport and road regulations can fix costly legal battles between aggregators and state departments?

Centralization of laws and regulations is not a fix. Centralization ensures that instead of multiple laws and regulations for each aggregator like an AirBnB, Cabs, you may have one law.

But if that law itself raises the compliance cost, it is really not of great purpose. So, I think the real challenge is developing light-touch regulations; that is the way forward for tech start-ups.

Even if we end up creating uniform regulations for each industry aggregator, we are solving only one part of the story, and the real challenge is equipping the regulatory institutions better with resources, training regulators to think more light-touch rather than developing fully regulated systems, especially for emerging technologies.

What does the Supreme Court’s recent Right to Privacy ruling mean for regulators like the Reserve Bank of India (RBI) and Telecom Regulatory Authority of India (Trai)?

RBI is already disaggregating high-value transactions from lower-value daily transactions. And this was actually the approach in the early days, when the wallet industry was first evolving. But in the last 8-9 months, it (RBI) has become more of a watchdog in some ways for wallets.

The Watal Committee report has put out some ideas like interoperability for wallets, and full-KYC compliance for mobile wallets that deal with only low-value transactions.

The way I look at it, it is better to leave a good part of this to the market to decide. There are also other things that regulators should step into and become enablers for the ecosystem. For example, grievance redressal. The second thing is a strong cybersecurity framework.

Do you think public-private partnerships can help tech start-ups?

I think private-public partnerships are always a great idea. But sometimes we make a policy decision and that policy decision is totally aligned to picking a technology winner rather than leaving it to the consumer or the market forces. Clearly, picking a technology winner over the other, like what’s happening with the UPI (Unified Payments Interface) isn’t working. Even though NPCI (National Payments Corporation of India) is batting for interoperability for its UPI system, there has always been somebody who is innovating outside this system and would like to sort of get out of that ecosystem and find a different answer. So we should allow different solutions to co-exist and not close loop them.

Should data protection and privacy regulations be created sector-wise, or centrally developed at a trade level like in the US?

On the security front, there was an initial push to create the CERT-In (Indian Computer Emergency Response Team). That is the first sectorial push in bringing about cybersecurity regulations for each sector by creating an emergency response body for each sector. I think this is basically creating one more layer, and that layer will anyway have to report to the main CERT.

It may not by itself be problematic. But we have to be very careful that you don’t end up creating more levels of authority and interfering with actual outcomes that bring about security in that sector.

How can start-ups be more self-compliant at a time when cybersecurity risks are on the rise?

I think we need a lot of awareness around cybersecurity issues. Because in many ways that is the first step. Awareness is also the reason behind our Carnegie event tomorrow (Thursday). Because you see in many instances, technologists don’t get the policy implications of what they do. Because most start-ups spend time in hitting growth targets and raising more funds to keep their company afloat.

It is even in your best interest to actually be engaged consistently with the policy implication of what you are doing, since we are no longer in the early stages of Internet adoption.

The government has largely been trying to play catch-up with cybersecurity risks; today that’s not the situation anymore. So it is important that start-ups start thinking about cybersecurity from the time you start developing a structural design for the company/business, and not in later stages.

This article was originally published in Livemint.

Carnegie India does not take institutional positions on public policy issues; the views represented herein are those of the author(s) and do not necessarily reflect the views of Carnegie India, its staff, or its trustees.