Leveraging the Coordinated Vulnerability Disclosure Process to Improve the State of Information Security in India

Posted by Pranesh Prakash, Karan Saini and Elonnai Hickok at Jan 23, 2019 04:48 PM |
This policy brief recommends to the Government of India several changes to current legislation, policy and practice regarding coordinated vulnerability disclosure (“CVD”), with the aim of improving the overarching information and cyber security posture of the country.

Executive Summary

The increasing use and integration of information and communication technologies in most aspects of modern life raises the importance of being able to ensure robust security of these systems. This policy brief has been framed with the objective of increasing and enhancing efforts to develop and maintain a secure environment within the country. The brief draws upon knowledge gathered from various sources, including newspaper and journal articles, current law and policy, and several interviews that we conducted with members of the Indian security community.

This policy brief touches upon the issue of vulnerability disclosures that are made by individuals to the Government, explores existing problems and makes recommendations as to how the Government’s vulnerability disclosure processes could potentially be improved.

This policy brief also explores the benefits of formalising a Vulnerabilities Equities Process (“VEP”) framework for the Indian context, which the Government could adopt for processing and disseminating information about security vulnerabilities and exploits that are brought to its attention by the security community, as well as those discovered internally by Government departments and agencies such as the National Technical Research Organisation (“NTRO”) or the National Critical Information Infrastructure Protection Centre (“NCIIPC”).

Key takeaways from the research include:

  • There is a noticeable lack of transparency in current vulnerability disclosure programmes and processes;
  • There is an observable gap in communication between hackers and the Government, as well as a lack of proper outreach by Government entities;
  • Problematic legislative instruments (including several sections of the IT Act) directly disincentivise security research;
  • There are several low-hanging fruit that can be addressed in order to strengthen the overarching information and cyber security architecture of India.

The policy brief can be accessed here.