Traditionally, the security of cyber assets in India has been viewed only from the standpoint of the government, with considerations of national security and sovereignty taking centre stage when it comes to policy formulation. But the world today is experiencing a plethora of threats, most of which did not even exist when the relevant legal framework in India was devised.
In the present day, the proliferation of information technology devices and their use by various stakeholders poses the question: Is India adequately prepared when it comes to protection of its cyber assets? The answer, unfortunately, is “No”.
Through this article, we endeavour to provide a snapshot of the existing legal, regulatory, and policy landscape in India in the context of cybersecurity for its cyber assets.
The legal provisions related to cybersecurity are predominantly encapsulated in the Information Technology Act, 2000 (Act). The Act defines “cyber-security” as the protection given to devices and information stored therein from “unauthorised access, use, disclosure, disruption, modification or destruction.”
However, the provisions meant to ensure this protection are fragmented as well as deficient. Whether it is compensation for failure to protect data, computer-related offences, or punishment for identity theft, cheating by impersonation and cyber-terrorism, aggrieved persons have to go through considerable stress and effort to get adequate relief.
Pursuant to the 2009 amendment, the Act specifically protects Critical Information Infrastructure (CII) by prescribing punishment in the form of imprisonment for a term of up to 10 years, which can be coupled with a fine, where such systems are accessed without authorisation or an attempt to do so is made.
Notably, the definition of CII under the Act requires the “incapacitation or destruction of an asset” to have a “debilitating impact” on “national security, economy, public health or safety.” This leaves the private sector outside the purview of the Act, as most private sector assets are unlikely to fulfil these criteria.
The Indian Computer Emergency Response Team (CERT-IN) was formed as an office within the Ministry of Electronics and Information Technology (MEITY) to serve as the national agency for incident response. The establishment of the National Critical Information Infrastructure Protection Centre (NCIIPC) was also contemplated in 2009, but was eventually set up only in 2014.
The National Cyber Security Policy, 2013 (NCSP) followed, notified with a vision to “build a secure and resilient cyberspace for citizens, businesses, and Government.” The NCSP has been criticised not only as a belated move, but also because it reiterates the establishment of the NCIIPC and the augmentation of CERT-IN, both of which had already been envisaged under the Act in 2009. It also fails to spell out practicable steps to attain its objectives.
Last year, MEITY indicated that cybersecurity standards and regulations for mobile applications and devices to tackle ransomware are the prime focus area. However, the policy is yet to be rolled out.
Offshore Cybersecurity Threats
In the present day, one would be naïve to believe that cybersecurity warrants only a territorial approach. Over the years, Indians have been subject to several forms of cyber threats from overseas. However, India has not acceded to the Budapest Convention on Cybercrime.
The Convention is widely recognised as a decisive document on international best practice and enjoys compliance even from non-signatory states. However, going forward, India aims to play an active role in formulating a common global policy in relation to cybersecurity.
India Needs a Proactive Approach to Cybersecurity
Broadly speaking, India’s approach with respect to the protection of its cyber assets thus far has been dictated by occurrences of cybersecurity incidents, particularly where the systems of the government have been impacted. A proactive, rather than a reactive approach, is the need of the hour.
One anticipates growing traction as cybersecurity is now a high-priority area in the country. Gartner predicts that in 2018, $1.8 Bn will be spent by enterprises in India on cybersecurity products. However, care must be taken that the new standards factor in on-ground threats and that it is not merely a case of serving the same wine in a new bottle.
[Contributors to the story: Harsh Walia and Shobhit Chandra]