Cybersecurity Regulatory Landscape in India: Digitisation on the Hook?
The COVID-19 pandemic brought to the fore digital technology that not only facilitated a swift response but also greased the wheels of the economy by enabling work from home and online business, among others. However, digitisation has accelerated the need for cybersecurity and its regulation. The article critically examines the technical meaning and legal definition of “cybersecurity.” The Information Technology Act of 2000 and the rules made thereunder have, in an incremental manner, built the legal edifice for cybersecurity. Nevertheless, the rapid advancement in technology (IoT, AI, Cloud, 5G) and its diffusion have made the protection of “critical information infrastructure” vulnerable. The need to identify the “critical sectors” (health, space, elections) and to assess the obligation on the private sector to share threat and cyber incident information demands recalibrating the current cybersecurity governance in India.
The present-day society’s big leap into becoming an “information society” increases vulnerability from the threats and attacks emanating from cyberspace. According to Paul M Nakasone, commanding General of US Cyber Command, “the environment we operate in today is truly one of great-power competition, and in these competitions, the locus of the struggle for power has shifted towards cyberspace” (Mayo 2018). In the ongoing COVID-19 pandemic, our increased dependence on information and communication technologies (ICTs) for essential everyday tasks has heightened the cybersecurity risks. The techniques used to attack are diverse and range from basic computer viruses to sophisticated cyber attacks conducted for various purposes such as intelligence-gathering, industrial espionage, crime and warfare.
A state-of-the-art attack, “Sunburst” or “Solorigate”, that came to light in December 2020 is known to have affected public and private organisations around the world and is referred to as one of the sophisticated, protracted cyber-intrusions of the decade (Tidy 2020). The fact that the email accounts of the then secretary of the US Department of Homeland Security as well as of the staff working on cybersecurity were compromised vexed the American administration into imposing new sanctions against Russia (believed by the US to be responsible) (Sunderman 2021; Roth 2021). “State responsibility” as understood in the domain of international law is based upon twin principles: the act constitutes a breach of an international obligation, and the act can be attributed to a state (Crawford et al 2010). The underlying idea of the rules of attribution is that “a state is responsible only for its own conduct, that is to say the conduct of persons acting, on whatever basis, on its behalf.”1 Technology often cuts both ways, as encryption and anonymising technologies as well as the use of the dark web can mask the entire modus operandi of the attack. On top of that, non-state actors preclude the attribution of the malicious act to the state.
On the home front, India faces myriad challenges in securing its borders via land, sea and air. However, cyberspace presents a potentially new dynamic battlespace for the country. While the border skirmishes between India and China were going on in the Galwan Valley in mid-2020, it has been reported that Chinese-triggered malware intruded into the Indian power grid, causing a massive power outage in Mumbai (Sanger and Schmall 2021). In 2020, India recorded the second-highest number of ransomware incidents in the world (Thomas 2020). Recently, Air India reported the loss of data of 4.5 million passengers due to a cyber attack (Mukul 2021). The Kaseya ransomware caused the single largest attack that affected the IT infrastructure in more than 17 countries, and hackers demanded a whopping sum of $70 million (Paul 2021). Hardly a day passes without such news eroding public trust in the security of electronic communication.
It has become highly imperative to recalibrate cybersecurity governance in India. In the latest report by the International Telecommunication Union (ITU) on the Global Cybersecurity Index 2020, India has been ranked at number 10 out of 194 countries (International Telecommunication Union 2021). Nonetheless, when assessed on qualitative parameters, the country has been put in the “tier-three category”, underlining the lopsided approach towards cybersecurity (International Institute for Strategic Studies 2021). The assessment highlighted a weak institutional framework as well as ambiguous application of rules as reasons why India lacks a robust policy and doctrine for cybersecurity (International Institute for Strategic Studies 2021).
Cybersecurity—From Computer Science to Law
Cybersecurity is a technical concept that encompasses information (data), system (hardware and software) and network security (Gollmann 2013). Interestingly, the term has made its way into the policy and legal lexicon. The National Cybersecurity Policy (NCSP) of 2013 envisages a multipronged strategy to “protect information as well as information infrastructure, reduce vulnerabilities, build capabilities to prevent and respond to cyber threats and minimise damage from cyber incidents.”2 It is true that information security forms an important part of cybersecurity, but the security of systems and networks merits far more attention. Of particular interest are the cyber–physical systems that integrate computation with physical processes, for instance, smart cities, smart living (lighting, heating), industrial robots, transportation, digital healthcare, etc. In fact, they may constitute the “critical information infrastructure” (CII) (Markopoulou and Papakonstantinou 2021).
Post the 26/11 terrorist attacks on Mumbai, the government introduced significant amendments in the Information Technology (IT) Act, 2000.3 It added the legal definition of “cybersecurity” as to “mean protecting information, equipment, devices, computer, computer resource, communication device and information stored therein from unauthorised access, use, disclosure, disruption, modification or destruction.”4 The definition is a balancing act to provide an inclusive “security”—information, system (equipment, devices, computer, communication device) and network (computer resource). It is also based on, as known in computer science, the CIA triad, that is, confidentiality, integrity and availability (Anderson 1972). The component of confidentiality means protection against unauthorised information access. Integrity means protection against unauthorised modification of data. Availability implies access without disruption or destruction.
Revamping Critical Information Infrastructure Protection
Under the IT Act 2000, the government has been authorised to “declare any computer resource which directly or indirectly affects the facility of critical information infrastructure, to be a protected system.”5 The law defines “CII” as a “computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety.”6 This means CIIs are essentially the backbone of a country, upon which the “critical sectors” such as transport, power, energy, telecom, public sector undertakings, and banking and finance rest.7 For everyone from criminals to terrorists, CII is a soft target. In fact, there has been a spurt in cyber attacks on CIIs, for instance, “Operation SideCopy” targeting Indian public sector undertakings (Mantri 2020), the Aadhaar data breach (Khaira et al 2018), the malware attack at Kudankulam Nuclear Power Plant (Bhaskar 2019) and so on. In the technical sense, CIIs often depend upon industrial control systems (ICS), which are automated systems that help to control and monitor industrial processes such as transport, power, energy and other essential services (Knapp and Langill 2015). ICS are often connected to the internet and, due to its easy availability, rely upon “commercial off-the-shelf software”, which multiplies cyber vulnerabilities. The oft-quoted “Stuxnet” is a computer worm that targeted the Iranian uranium enrichment facilities, destroying more than 900 gas centrifuges left exposed by the vulnerabilities of ICS (Kushner 2013). However, it appears the existing regulatory framework in India has not yet taken strong measures to strengthen ICS security, which is the need of the hour.
It took around six years since the 2008 amendment to establish a national nodal agency for CII—the National Critical Information Infrastructure Protection Centre (NCIIPC)—created via the 2013 rules.8 One of the primary tasks for this body is to identify CII used in businesses and industrial processes,9 which requires applying the parameters of size and economic value of the business/industrial process, criticality of the process, duration of non-availability of the computer resource (the shorter the time, the more critical the resource) and level of dependency of CII on other critical sectors (NCIIPC 2019). It is to be noted that critical sectors like telecom, energy and banking are managed by both the government and private organisations. The private sector is an important player in CII security, which underscores the need to have a legal framework for CII that is in tune with the prevailing business, social and technical environment. Companies applying cost-benefit analysis may find “no visible benefit” in taking security measures, and may lack motivation due to ambiguity about the actual loss suffered by companies due to cyber attacks (National Academy of Engineering 2003). However, post-pandemic data suggests that companies are spending relatively more on the security of products (Gartner 2021). Since cybersecurity is about interdependent security among information, system and network, the investment from companies should flow into all of these components. Further, impetus is needed from the government to incentivise companies (big, medium and small enterprises) to invest in security.
The Information Technology (Information Security Practices and Procedures for Protected System) Rules, 2018 spell out the institutional requirements for organisations, particularly the government, to establish an Information Security Steering Committee (ISSC) and to appoint a chief information security officer (CISO).10 The rules require organisations to plan and improve the information security management system (ISMS) as well as to establish a cyber crisis management plan.11 Further, the rules speak about the liaison role of NCIIPC between itself and the government agencies sharing threat information.12 In a setback, the threat information on the recent Chinese-triggered malware Shadow Pad that targeted the Indian power grid was shared first by CERT-IN (Computer Emergency Response Team India) rather than by NCIIPC (Hindu 2021). The nodal agency for CII has to work on coordination.
Apart from the above, the missing angle in the 2018 rules is the cybersecurity obligations of the private sector. The channel for sharing threat information between companies and NCIIPC also needs to be streamlined. Here the government needs to extend its hand to forge a partnership with the private sector to achieve the shared goal of cybersecurity.
From Sectoral to Tailor-made Law
In the future, technology will become more sophisticated, and its increased adoption at the societal level will create new vulnerabilities that can be exploited for malicious cyber activity. As a logical corollary, threat and risk increase with growing digitisation. For instance, the deployment and adoption of 5G technology requires enhanced security. It has now become clear that cybersecurity involves not only technical measures but also a robust policy and legal framework. The cybersecurity law paradigm in India comprises the IT Act and a mushrooming number of subordinate legislations in the form of “rules.” When the law was enacted back in 2000, its primary objective was to encourage the penetration of IT, but it failed to include defences in the event of a cyber attack. From time to time, incremental changes have been made, largely in the form of rules. The slipshod approach of successive governments undermined cybersecurity regulation through half-hearted measures that seem not to be in tune with the changing technology-threat scenario.
Till date, the health sector is not included in the CII framework. It should not take the COVID-19 outbreak to make the government understand the critical nature of a health sector that has witnessed a large number of attacks. Similarly, the knee-jerk reaction of the Election Commission of India in coming up with cybersecurity guidelines for the conduct of the 2019 general elections seems to be an ad hoc and piecemeal measure.13 Of late, data protection has assumed a lot of importance, and since the Puttaswamy decision of the Supreme Court the government has been trying to place the data protection bill before Parliament (K S Puttaswamy v Union of India 2017). There seems to be a long hiatus, with the bill pending before the Joint Parliamentary Committee. Once made into law, it would not only regulate the processing of data but also streamline the procedure for reporting data breaches as well as fix accountability.14
Countries across the globe are enacting specialised laws dealing with cybersecurity and CII. The European Union’s Network and Information Security Directive is a step forward to protect “essential services” and includes “public or private entities that provide a service which is essential for the maintenance of critical societal and/or economic activities.”15 On the other hand, the US enacted the Cybersecurity Act in 2015, which gives power to companies to take “defensive actions” in case of a cybersecurity incident and enables a cooperative framework between the government and the private sector to share threat information.16 Australia recently amended the Security of Critical Infrastructure Act, 2018 to expand the list of critical sectors as well as introduce mandatory reporting of cyber incidents for both public and private entities.17
For India, the idea of having a standalone cybersecurity law is not about joining the bandwagon but stems from the increased digitisation of the essential services provided by both the public and private sectors. The growing cyber connectivity brought by the advancement in technologies (IoT, Cloud, and AI) is going to impact the CII; hence the need to mitigate its vulnerability. In fact, a robust cybersecurity law can play a pivotal role in achieving the golden dream of becoming a $5 trillion economy. The recent spate of ransomware attacks on the global supply chains—Solorigate, Colonial Pipeline—brings forth the higher sophistication of threats that may be responded to by enhanced cooperation between the cybersecurity agencies, law enforcement, private sector and the victims (Morrison 2021).
Conclusions
The high degree of interconnectedness and interdependency of our global society has expanded the risks to critical information infrastructure upon which it depends. The sovereign states have now become more dependent on cyber activities and there is “creeping militarisation of global information technologies to acquire strategic national advantage” (Sidhu 2017). Interestingly, even as “there is increasing temptation to exploit cyberspace, equally determined efforts are underway to safeguard the cyberinfrastructure.”18
The Indian cybersecurity landscape needs to adapt and prove its resilience against complex futuristic cyber threats and attacks. It requires a multidimensional approach in terms of the right security standards, efficient implementation of modern technologies, framing effective security policies, enacting robust legal rules and bringing together all the stakeholders without going into the rigid dichotomy between the public and private sectors. Not all cybersecurity risks can be addressed by governments and industry; individual citizens must also take steps to protect themselves. Users need to demand and adopt cyber-secure products and use their discretion while accessing online content. A–assume nothing, B–believe nobody and C–check everything is an appropriate mantra for cyber safety.