India has witnessed rapid digitalization in almost all spheres of public life. The country has over 1.15 billion phones and more than 700 million internet users, and this number is growing. There is greater and easier access to financial services, even for rural populations. Missions like Make in India and Digital India are creating a positive ripple effect across the economy.
Both the private sector and government agencies now provide digital service delivery mechanisms, creating a synergy of efforts. The impact is impressive. In 2021, India’s UPI (Unified Payments Interface) handled 39 billion transactions amounting to $940 billion – more than 30% of the country’s GDP. In 2020-21, digital payment systems in India recorded a robust growth of 26.2% in volume.
Such rapid digitalization also leads to a critical dependence on the resilience of interconnected networks and systems. Any successful cyberattack on a critical asset such as a power grid will have a multiplier effect, crippling communications and transportation and even endangering the health and safety of citizens.
The government and private sector are acutely aware of these threats, and of the capabilities and motivations of adversaries. In the last decade, several concrete measures and steps have been taken to prevent, detect and mitigate the ill effects of cyberattacks.
Attacks
India is already one of the most attacked countries in cyberspace. In May 2021, the national airline Air India reported a cyber-attack in which the data of 4.5 million of its customers across the world was compromised[1]. In October 2019, there was an attempted cyber-attack on the Kudankulam Nuclear power plant[2]. In February 2022, a suspected ransomware attack briefly knocked out the management information system (MIS) at Jawaharlal Nehru Port Container Terminal (JNPCT), one of five marine facilities in India’s top container gateway of JNPT (Nhava Sheva).
According to the 2021 CrowdStrike Global Security Attitude Survey[3], conducted by research firm Vanson Bourne, almost three-fourths of Indian corporates were hit by a ransomware attack in 2021 – a claim the Indian government has denied, citing a lack of evidence of actual compromise.
Current laws and provisions to deal with these challenges:
India has taken several legislative and organizational measures to bolster its cyber defence and effectively respond to cybercrime.
Two pieces of legislation apply: the Information Technology Act 2000 provides the legal framework for addressing cybercrimes and cyberattacks, and criminal countermeasures include the use of this Act along with the Indian Penal Code.
Administratively, the Ministry of Electronics and Information Technology (MeitY) is responsible for cyber security. The Computer Emergency Response Team, CERT-IN, an office within MeitY, is the nodal agency for dealing with cyber security threats. CERT-IN also augments the security-related defence of the Indian Internet domain.
Several other government agencies are involved in dealing with cyber security and allied issues. The National Security Council Secretariat is the central coordinating body for cybersecurity and internet governance. The National Critical Information Infrastructure Protection Center (NCIIPC) focuses on cyber threats to critical information infrastructure and has been successful. India’s National Cyber Policy, 2013[4] is up for an overhaul and a new National Cybersecurity policy will be announced in the near future.
The Cyber and Information Security Division (C&IS) of the Ministry of Home Affairs is also concerned with cybersecurity and cybercrime. It additionally oversees the implementation of the National Information Security Policy & Guidelines (NISPG) and has a cybercrime wing, cybersecurity wing, information security wing, and a continuous monitoring unit.
The Indian Cybercrime Co-ordination Centre (I4C)[5], established by the Ministry of Home Affairs, acts as a nodal point in the response against cybercrime by coordinating with state police forces across the country. It also co-ordinates implementation of mutual legal assistance treaties (MLAT) with other countries. In response to Supreme Court directions in the 2018 Prajwala case[6], and identifying the need to create a mechanism for online reporting of cybercrimes, the home ministry has begun an India-wide online cybercrime reporting portal at https://cybercrime.gov.in which allows citizens to report cybercrimes, even anonymously.
The National Technical Research Organisation (NTRO) is a technical intelligence agency under the National Security Advisor in the Prime Minister’s Office. The NCIIPC works within the NTRO.
Cyber-attacks and defence in Indian cyberspace
In the year 2020, CERT-In handled 1,158,208 incidents, which included Website Intrusion and Malware Propagation, Malicious Code, Phishing, Distributed Denial of Service attacks, Website Defacements, Unauthorized Network Scanning/Probing activities, Ransomware attacks, Data Breach and Vulnerable Services. With continuous efforts at improvement, India has moved up 37 places to be ranked 10th in the Global Cybersecurity Index 2020 (GCI), according to a report by the International Telecommunication Union (ITU)[7]. Each country is assessed along five pillars: legal measures, technical measures, organisational measures, capacity development and cooperation measures. The results are then aggregated into an overall score. This effort has been gathering steam. In May 2022, CERT-In[8] mandated compulsory reporting of all cyber-attacks by government and other entities, within six hours.
On the business side, Indian companies are technologically advanced and use the latest tools and techniques for the protection of their assets. Indian businesses, especially in the fintech sector, are fully compliant with the international frameworks and certifications applicable to the sector. These include the NIST, GDPR[9], PCI-DSS, ISO 27001 and others.
But most of the tools are developed overseas, and are expensive. It is therefore essential for India to innovate and conduct research and development domestically, to create affordable, effective home-grown solutions for the threats it faces. India has the talent – a large and steady pool of high-quality IT and cyber security professionals.
Recommendations
To improve the cyber security posture of the nation and its assets, a whole-of-nation approach must be followed. This requires a comprehensive national risk assessment in line with the criticality of Indian assets and capabilities of the adversaries. It must be done by engaging stakeholders and creating a trusted information-sharing mechanism.
A clear governance structure for organizations mandated with cybersecurity and cyber crisis management, with a proper mandate clarifying roles and responsibilities of different bodies, should be established to take stock of existing policies, practices and capabilities.
Stakeholders, including different state and central government departments, law enforcement and even corporates, should also be engaged through a wide consultation and information-sharing mechanism to create baseline security benchmarks, and test them by organizing regular security drills, thereby augmenting incident response capabilities.
The government must act as a facilitator, create a public-private partnership and lay adequate stress on user awareness and education. Most importantly, privacy and security should be balanced while handling cybercrime and fostering R&D to maintain a position of dominance in cyberspace.
India must be a part of international cooperation efforts to promote responsible behaviour in cyberspace. The country is still not a signatory to several conventions including the Budapest Convention[10], which it considers to be outdated and lop-sided. The convention includes other clauses like trans-border data access, which impinges on national security. Since India was not consulted at the time the Convention draft was made, leaning in favour of the Western Bloc, it is looking for a more balanced alternative. Till that comes, the two-decade-old Budapest Convention can be updated, and made more democratic by taking into account the concerns of the developing world, where the majority of the world’s future consumers are
Brijesh Singh is an Adjunct Distinguished Fellow for Cyber Studies at Gateway House
This essay is part of a paper ‘Analysing India’s Economic Security Challenges’.
The views and opinions expressed in this paper are solely those of the authors. The views expressed in the paper do not necessarily reflect those of NEDO.
©Copyright 2022 Gateway House: Indian Council on Global Relations. All rights reserved. Any unauthorised copying or reproduction is strictly prohibited.
References
[1] https://www.airindia.in/images/pdf/AIR-INDIA-NOTIFICATION-OF-DATA-BREACH-UPDATE-FOR-AUSTRALIAN-CUSTOMERS.pdf
[2] https://www.vifindia.org/sites/default/files/cyber-attack-on-kudankulam-nuclear-power-plant.pdf
[3] https://www.crowdstrike.com/blog/2021-crowdstrike-global-security-attitude-survey/
[4] https://www.meity.gov.in/writereaddata/files/downloads/National_cyber_security_policy-2013%281%29.pdf
[5] https://www.mha.gov.in/division_of_mha/cyber-and-information-security-cis-division/Details-about-Indian-Cybercrime-Coordination-Centre-I4C-Scheme
[6] Online child sexual abuse; https://indiankanoon.org/doc/92102948/
[7] https://www.itu.int/en/ITU-D/Cybersecurity/Pages/global-cybersecurity-index.aspx
[8] https://www.cert-in.org.in/
[10] https://www.coe.int/en/web/cybercrime/the-budapest-convention