National Cyber Security Strategy

A National Cyber Security Strategy is the apex policy instrument through which a sovereign state articulates its objectives, institutional architecture, and operational measures for securing cyberspace as a domain of national interest. In India, the foundational document is the National Cyber Security Policy, 2013, issued by the Ministry of Electronics and Information Technology (then the Department of Electronics and Information Technology). Its legal scaffolding rests on the Information Technology Act, 2000, particularly Section 70A, which establishes the National Critical Information Infrastructure Protection Centre (NCIIPC) as the nodal agency for protecting designated critical sectors, and Section 70B, which constitutes the Indian Computer Emergency Response Team (CERT-In) as the national agency for incident response. The 2013 policy set out fourteen objectives, including the creation of a secure cyber ecosystem, the establishment of assurance frameworks, and the cultivation of a workforce of 500,000 cybersecurity professionals over five years. A successor National Cyber Security Strategy, drafted under the National Security Council Secretariat (NSCS) and the Office of the National Cyber Security Coordinator, has been in preparation since 2020 but had not been formally promulgated as of the most recent public record.

Procedurally, a national strategy is developed through an inter-ministerial consultative process. In the Indian case, the drafting is coordinated by the National Cyber Security Coordinator within the NSCS, drawing inputs from MeitY, the Ministry of Home Affairs, the Ministry of Defence, the Reserve Bank of India, and sector regulators. The process typically begins with a threat assessment, proceeds through the identification of critical sectors—power, banking, telecommunications, transport, government services, and strategic public enterprises—and culminates in the designation of protected systems under Section 70 of the IT Act. Once notified, these systems fall under NCIIPC oversight, which issues guidelines, mandates audits, and coordinates protective responses. CERT-In, operating in parallel, handles the operational layer: collection and analysis of incident data, issuance of alerts and advisories, and emergency coordination during attacks.

The strategy framework also incorporates regulatory directions with binding force. CERT-In's directions of 28 April 2022, issued under Section 70B(6) of the IT Act, require entities to report specified cyber incidents within six hours of detection, to synchronise system clocks to NPL or NIC servers, and to retain logs for 180 days. The architecture is reinforced by sectoral bodies such as the RBI's framework for banks, the SEBI cybersecurity framework for market intermediaries, and the Defence Cyber Agency established in 2019 for tri-service military cyber operations. Capacity-building components include the Cyber Surakshit Bharat initiative, the National Cyber Coordination Centre (NCCC) for real-time threat metering, and the Cyber Swachhta Kendra for botnet cleaning and malware analysis.

Contemporary national strategies illustrate divergent approaches. The United States published its National Cybersecurity Strategy in March 2023 under the Office of the National Cyber Director, shifting liability toward software vendors and emphasising the disruption of threat actors. The United Kingdom's National Cyber Strategy 2022, administered through the National Cyber Security Centre (NCSC) under GCHQ, framed cyber as integral to the Integrated Review. The European Union adopted its Cybersecurity Strategy for the Digital Decade in December 2020, operationalised through the NIS2 Directive. Australia released its 2023–2030 Cyber Security Strategy through the Department of Home Affairs. Singapore's Cyber Security Agency issued updated strategies in 2016 and 2021. Each reflects national priorities, but all converge on protecting critical infrastructure, deterring adversaries, and building resilience.

A national strategy must be distinguished from adjacent instruments. It is broader than a data protection law such as India's Digital Personal Data Protection Act, 2023, which governs the processing of personal data rather than infrastructure defence. It differs from a doctrine of cyber deterrence, which addresses offensive and retaliatory posture rather than whole-of-nation protection. It is also distinct from the IT Act itself: the statute supplies legal authority, whereas the strategy supplies policy direction and resource allocation. Crucially, a strategy is a non-binding policy document; its measures acquire legal force only when translated into rules, directions, or notifications under enabling legislation.

Edge cases and controversies attend the field. The protracted delay in promulgating India's successor strategy—pending since 2020 despite repeated parliamentary references—has drawn criticism amid rising attacks on health and power infrastructure, including the November 2022 ransomware incident at AIIMS Delhi and intrusions into power-grid load-dispatch centres reportedly linked to state-sponsored actors. The six-hour reporting mandate has been criticised by industry as operationally onerous relative to the 72-hour windows under GDPR and NIS2. Questions of overlapping jurisdiction among CERT-In, NCIIPC, NCCC, and the Defence Cyber Agency persist, as does the absence of a single statutory cybersecurity authority comparable to the UK's NCSC.

For the working practitioner, the National Cyber Security Strategy functions as the reference frame for compliance, coordination, and assessment. A desk officer drafting sectoral guidance, a regulator auditing a protected system, or a diplomat negotiating norms at the UN Open-Ended Working Group on ICT security must locate their action within its objectives and institutional map. For UPSC General Studies Paper III, the strategy connects internal security, critical infrastructure protection, and emerging technology, and candidates are expected to know the statutory provisions, the nodal agencies, and the distinction between policy aspiration and binding regulation. Mastery of the framework allows the practitioner to read incident response, capacity-building, and international cooperation as components of a single coherent national posture.