It took eight years after the passage of the Information Technology (IT) Act for India to recognise cybersecurity as an agenda that needed legislation. The incoming Digital India Act (DIA), which promises to provide a safe and secure internet to Indians, is an opportunity to develop a future-ready cybersecurity framework.
In India, the current cybersecurity landscape is a mishmash of various agencies with the attendant gaps and inefficiencies. In 2008, when the IT Act was amended, the government introduced Sections 70A and 70B to establish two agencies – National Critical Information Infrastructure Protection Centre (NCIIPC) and the Computer Emergency Response Team-India (CERT-In).
The Sprawl That Needed A Method
However, while the amended law was passed in 2008, NCIIPC was notified in 2014. Meanwhile, the government had already created another office under the National Security Council Secretariat (NSCS), called the National Cybersecurity Coordinator (NCSC), whose mandate has never been entirely clear.
Currently, NCIIPC comes under the Prime Minister’s Office, as does the National Cybersecurity Coordinator, while CERT-In is under the Ministry of Electronics and Information Technology.
The Ministry of Defence uses its own agency as do the three armed services, while the Ministry of Home Affairs (MHA) has a body dedicated for coordinating response to cybercrimes called the Indian Cyber Crime Coordination Centre (I4C).
In addition, the sectoral Information Sharing and Analysis Centres (ISACs) never came about, thus losing an opportunity to create self-supporting communities of cybersecurity practitioners. In 2017, the Ministry of Finance floated a project for a financial sector CERT (CRT-Fin) with great fanfare, which no one hears anymore about.
Meanwhile, there are regular reports of government systems and large private sector companies falling prey to serious cyber incidents and data breaches.
Clearly, India needs a clearer delineation of roles with specific responsibilities, powers and most importantly, accountability, to address the rapidly growing threats emanating from cyberspace.
Break Down Silos, Share Responsibilities
Cybersecurity has essentially two major facets that need to be factored in. There are the users who could become victims of everyday cybersecurity threats or crimes. Then there is national security that needs the state to create a framework that can thwart major attacks.
Both are also deeply interlinked. The amended IT Act in 2008 created two broad categories – critical information infrastructure identified as those sectors on which an attack could have catastrophic consequences for India’s national and economic security.
In this category they added sectors such as banking and finance, transport, power, telecom, and government, among others. The rest come under CERT-In. However, both groups are mandated to report to CERT-In, and issues of coordination can crop up.
There are two other complexities. While in 2008, it made sense to identify two broad categories, globally distributed supply chains and the structure of the internet has blurred the categorisation.
Most importantly, the private sector plays a major role in cybersecurity at multiple levels. Many of designated critical sectors such as transport that covers airports and airlines, shipping, trains, and roadways are manned by private corporations. The increasing privatisation of many utility services in banking, power and others has led to expanding the threat landscape much beyond government entities.
Further, private companies are much better placed to detect cyber threats but only if they can collaborate with each other and work with the state to present a united front, without which they are vulnerable against dedicated nation-state adversaries and their private affiliates. Hence, they must be recognised and empowered through a structured mechanism, without which even a baseline level of trusted and safe internet will remain a mirage.
The Way Forward
While there can be interim fixes in the DIA to address India’s cybersecurity concerns, it is an area that will ultimately need a set of three separate laws.
First, a privacy law that recognises the privacy rights of residents, including governance of surveillance by the State, as emphasised by the nine-judge constitutional bench of the Supreme Court in the Puttaswamy case of August 2017.
Second, a data protection bill that creates the institutional framework for enforcing these rights against the state and the private players.
Third, a cybersecurity bill that tackles the hard problems of notifying standards for both government and private entities and creating a data sharing framework between institutions such as CERT, NCIIPC and government and private entities for presenting a collective defence approach against cyber-attacks.
The law needs to also facilitate the voluntary reporting of vulnerabilities by companies and individual information security professionals. Currently, only a few Indian agencies run such a programme, and most don’t respond to cybersecurity researchers when they flag vulnerabilities or zero day attacks (hackers exploit a flaw before developers can address it).
This is a basic requirement for any nation keen to counter cybersecurity threats. Laws can however only go far unless the institutions that support them are given long-term budgetary support and managed by a professional cadre.
In Australia, the Cyber Security Centre has a board of advisers who help in formulating policies and strategies. Similarly, in the US, the Cybersecurity Infrastructure Security Agency (CISA) plays a leading role for the federal government, aided by the FBI’s National Cyber Investigative Joint Task Force and the National Security Agency.
The US also has the National Institute of Standards and Technology (NIST) that develops and updates cybersecurity frameworks, keeping in mind the latest threats and challenges. In the UK, a dedicated Cyber Defence Agency plays a leading role in protecting the country’s cyberspace. We need similar capabilities in India.
ReBIT, founded in 2016 in India, is another successful example of a public sector institution that has provided the technology muscle to the Reserve Bank of India to conduct deep audits which have increased the baseline capacity of the banking sector.
While the DIA is an opportunity to fix many gaps in India’s current cybersecurity posture, it ultimately needs a comprehensive triad of laws that can ensure privacy, data protection, and resilience.
The authors are co-founders of DeepStrat, a New Delhi-based think tank and strategic consultancy. Views are personal, and do not represent the stand of this publication.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
