Over two years ago, Prime Minister Narendra Modi announced in an Independence Day speech that India would soon release its new national Cyber Security Policy. The incoming policy is still yet to be announced, while the existing national Cyber Security Policy from 2013 remains outdated and poorly implemented. However, if reports are to be believed, the announcement is imminent.
Delays have notable implications for India’s digital transition, diplomatic initiatives, and domestic privacy. India’s cyber security responses to threats have been conducted in a reactionary and piecemeal fashion. A case in point is the recent statement by the Home Minister, Amit Shah, who announced forming a new committee focused on social media cyber security. However, this was a reactionary response to some chief ministers’ concerns raised at the 30th Northern Zonal Council instead of a proactive policy initiative.
An established and up-to-date Cyber Security Policy is crucial for laying out the framework for a proactive and coordinated response to growing cyber threats. Delays in doing so leave India’s cyber and national security vulnerable amidst a climate of increasing cyber risks.
Cyber Security Policy in India’s Digital Landscape
Despite the lack of an updated Cyber Security Policy, India as a society is increasingly using digital technology for communications, banking transactions, and other aspects of daily life. Social media connectivity and digital payments have seen a marked rise. Eight hundred thirty million users consume 14.1 GB of data (compared to just 1.24 GB five years ago), engaging with each other across WhatsApp, Facebook, and YouTube. Digital payments as of June 2022 were to the tune of $12 billion (up from $9.5 billion in 2021), accounting for 5.86 billion unique transactions.
Cybercrimes against individuals and institutions have increased. Rogue elements and criminal syndicates have increasingly launched sophisticated domestic and foreign hacking schemes and targeted phishing attacks. The national portal for cybercrime reporting has seen a significant increase in the number of complaints lodged. Incident reporting to the government’s Computer Emergency Response Team (CERT-IN) has also increased. Critical infrastructure, particularly assets in the power sector, is particularly vulnerable and has been subject to coordinated attacks and disruptions.
Cyber-attacks by India’s adversaries have been on the rise in lieu of emerging geopolitical dynamics in South Asia and the Indo-Pacific. State and non-state actors have attacked India’s nuclear setup, power systems, telecom equipment ecosystems, and disrupted financial systems. With growing concerns over a two-front threat from China and Pakistan, both countries are also suspected of coordinating in cyber-space with capabilities that could be used to disrupt and damage India’s critical information infrastructure assets. China has already targeted India’s electricity network post-Galwan and attempted to infiltrate the National Security Adviser in 2010. These attempts have significantly impacted India’s national security perception.
Currently, India’s response to most cyber incidents is guided by the Information Technology Amendment Act of 2008 and the related Information Technology Rules, along with the provisions of the Indian Penal Code of 1860. Various law enforcement agencies across the federal government, as well as different state police forces, implement these legal provisions. Each law enforcement agency has different levels of competencies and priorities as far as cyber security is concerned.
Coordination between government agencies and the private sector does not function within a trust-based ecosystem. While India’s cyber security initiatives have been mostly defensive, the government has also built capacity for offensive pursuits. There are pre-existing approaches for defensive and offensive cyber responses. While India’s response to cyberattacks has mostly been to initiate audits and bolster network security, a national Cyber Security Policy could create a more robust framework that can be consistently applied across the country.
India has also undertaken several cyber diplomacy initiatives that are slated to expand in scale and depth. A spate of bilateral cyber agreements has focused on information sharing on cyber intrusions, protective measures, and cyber law enforcement. Significantly, agreements with the United States, Japan, the United Kingdom, Australia, and Israel are dynamic and renewed to expand.
India will have an important role with the Quad expanding its focus on cyber security and critical and emerging technologies. India will play a major role as the global community steps up to agree on binding norms related to cyber security and bring in some form of regulation. It has already been in the deliberations of the UN-premised Group of Governmental Experts (GGE). Partnering states may expect a clear and updated Indian Cyber Security Policy that aligns with its proposals for more comprehensive collaboration.
Moving Towards a National Cyber Security Policy
Much has changed in how technology impacts people and adversaries engaging in cyberspace. Risks can arise without malicious intentions. While the government understands the centrality of cyber security within its national security strategy, India’s cyber vulnerabilities make it imperative to announce an updated national Cyber Security Policy sooner rather than later. This policy should aim to be comprehensive, factoring in immediate and long-term considerations.
At the outset, legal and regulatory edifices can be strengthened. Efforts to legislate the personal data protection bill and bring changes to the IT Act should be undertaken to support existing provisions and provide more security to individuals. The amendments to the Information Technology Rules 2021 also need to be approved so that users and intermediaries comply with them. Furthermore, the National Cyber Security Coordinator should receive regular network cyber audits from across governmental agencies. These steps will allow for better cyber security management and implementation when they are undertaken through a national Cyber Security Policy.
Supporting human resources and personnel capacity is also essential for creating a strong cyber ecosystem. Technical expertise could be drawn from engineering and IT backgrounds, bolstering cyber security education in institutions, and organizing hackathons for the public. Government staff from non-technical sectors should be adept at cyber security management, whereas existing government employees can undertake advanced cyber training to implement best practices to limit inadvertent security risks. A focus on developing trust-based public-private partnerships and increasing budgetary allocations for cyber security research and operations are also important to pursue.
As India pursues data localization—which refers to limiting or restricting data flow outside certain jurisdictions—to address data security, a detailed assessment must be done about data storage and management. Access control to data stored in cloud servers or physical premises has to be clearly delineated. A more comprehensive data management policy will be crucial in securing data irrespective of where the data is stored.
Delays in announcing India’s national Cyber Security Policy downplay cyber security concerns that have been given increasing importance in other domestic and international forums.
There finally needs to be institutional capacity building for cyber security at all levels of law enforcement, legal systems, and the judiciary. Federal agencies can better coordinate with agencies, such as law enforcement at the state level, to respond to cyberattacks promptly and establish a greater parity across jurisdictional responses. The government’s focus on coordination, capacity building, investigations, and forensics should be codified within a national Cyber Security Policy.
As India’s population and government functions are increasingly online, the government is also concerned about emerging cyber threats and vulnerabilities. This concern had pushed many ministries into action. However, India’s cyber security framework has substantial ground to cover. Delays in announcing India’s national Cyber Security Policy downplay cyber security concerns that have been given increasing importance in other domestic and international forums. So far, the approach has been piecemeal, reactionary, and interrupted. Without a policy, it is natural to be reactive to emerging concerns from different quarters. However, the realities of the cyber threat landscape require a whole-of-government approach and understanding of the threats. For this, launching an updated and encompassing national Cyber Security Policy is essential.
Image 1: MEA India via Flickr
Image 2: MANJUNATH KIRAN/AFP via Getty Images