India’s current Cybersecurity Policy
The dominant cybersecurity strategy of India dates back to 2013, and since then, the world has made significant technological strides. The 2013 policy aims at creating a safe and secure cyberspace for individuals, enterprises, and government agencies.
The policy whitepaper states the following objectives: first, protecting information and information structures; second, preventing and responding to cyber threats and minimizing the damage from cyber incidents; and lastly, anticipating the growth in the IT industry and the resulting need for a cyberspace policy.
In a nutshell, the policy aims to construct a secure cyber environment by establishing a robust legislative framework for assurance and a method to monitor and respond to threats. Furthermore, this also requires establishing an indigenous cybersecurity workforce and developing indigenous security solutions.
The policy statement aims to reduce the risk of cyber-attacks by defining and covering various aspects of cybersecurity, such as:
1. Methods to minimize supply chain risk.
2. Raising cybersecurity awareness.
3. Promoting private-public partnerships.
4. Improving bilateral and multilateral collaboration at the national and international levels.
Nevertheless, the reality is far from the objectives it strives to achieve. The Covid-19 pandemic, the response to which relied heavily on digital infrastructure and technology intervention for tracing, vaccination, distancing, etc., exposed the flaws of this 8-year-old cybersecurity policy.
This article attempts to analyze the policy’s flaws based on the opinions of professionals in the field. Furthermore, it provides insight into how the large amount of data collected during the Covid-19 pandemic faces the threat of misappropriation.
Such instances highlight the flaws in the existing policy and the failure of the legislature to address these concerns.
Deficiencies in the existing cybersecurity policy:
According to expert opinions, there are various worries about the existing cybersecurity policy regarding coordination, regulation, and overall awareness.
One of the fundamental problems is a lack of communication between governments and business groups, which exposes the cybersecurity ecosystem’s fault points.
These faults also include the processes for disclosing security vulnerabilities in government bodies. Therefore, it is critical to mandate cybersecurity compliance and create procedures for dealing with data breaches to establish accountability.
Without these requirements, businesses are just investing in cybersecurity for the sake of ensuring compliance. The absence of regulation is also visible as institutions fail to employ most IT security strategies to secure data because there is no personal data protection law.
Finally, there is a lack of information on this subject even among government officials who fail to comprehend the rising threats in cyberspace and our exposed vulnerabilities that require immediate attention.
Commencement of Covid-19 & Cyber Security becomes a Priority.
The beginning of COVID-19 highlighted the current cybersecurity policy’s defects even more. The requirement for everyone to work from home, rather than within their companies’ firewalls, has increased security problems. According to a poll of employees from various Indian companies, 66% have experienced one data breach.
Since March, when the lockdown began in June, security experts have seen a 500 per cent increase in cyber-attacks and security breaches, as well as a 3 to 4 times increase in phishing attacks.
In addition, according to a report by the Data Security Council of India, the number of financial transactions has increased, leading to an increase in fraudulent attacks.
In response to the increased number of attacks, India’s Home Ministry issued guidance on avoiding cyber theft, particularly for those who work from home. The Computer Emergency Response Team – India (CERT-In) also produced a list of potential cyber-attack sources and best practices for ensuring safety.
CERT-In also performed a successful ‘Black Swan – Cyber Security Breach Tabletop Exercise’ to deal with cyber crises and events that may arise due to the COVID-19 pandemic. Additionally, with security controls weakened as more people started working from home, ensuring cybersecurity was a priority.
The government is also considering forming a Computer Emergency Response Team for the Financial Industry (CERT-Fin) to account for fraudulent behaviour in the financial sector.
Finally, on Independence Day 2020, India’s Prime Minister launched a cybersecurity policy for safe and secure cyberspace.
Shocking: Data breaches in 2020
India’s cyberattacks increased from 1.3 million in February to 3.3 million in March 2020. Monthly attacks never fell below 300 million from April 2020 onward, reaching a new record of 409 million attacks in November 2020.
India had the most significant number of attacks in July 2020, at 4.5 million. There were 377.5 million brute-force attacks in February 2021, about a year after the epidemic began, a far cry from the 93.1 million seen at the start of 2020.
In February 2021, there were 9.04 million attacks in India alone. The overall number of attacks in India during January and February 2021 was over 15 million. In India, data breaches have increased by a factor of ten, regardless of the method used.
However, in India, a troubling trend has been for companies to refuse to acknowledge a breach, leaving individual consumers to wonder if their data is secure at all.
The lack of clear regulatory frameworks and policy execution impacts our country’s overall cyber hygiene. In addition, cybersecurity researchers who uncover breaches urgently need policy reforms as many face threats of possible legal prosecution without legislative protection.
Enacting cybersecurity legal policies will give all stakeholders a frame of reference and guide them towards building a more resilient digital economy. Incident reporting should also be made mandatory.
Reasons for data breaches and failure of the cybersecurity policy.
One of the reasons for many data breaches is that India’s burgeoning start-ups and powerhouses make it a particularly attractive market for cybercriminals.
Aside from the massive amounts of personal, financial, and user behavioural data that Indian businesses store, they also have to worry about their brand.
According to a recent analysis by Infosys-Interbrand, a data breach may result in a $223 billion loss in brand value for the world’s 100 most valuable brands. Therefore, the entire goal of ransomware attacks is now to name and shame the perpetrators.
Before Covid, hackers would encrypt the data and demand a ransom for the decryption key. Now, however, while encrypting the data, they also export it to further pressure and intimidate the company into paying money or risk having its customer data auctioned on the dark web.
This is one reason why cryptocurrencies appear to be the new preferred payment method: their excellent security and near-impossibility of tracking.
The new cybersecurity policy’s direction
Experts advocate focusing on local demands and increasing incentives for the private sector to participate in government contracts as India develops a new cybersecurity policy.
Furthermore, the government should undertake concrete steps to formulate precise data and privacy protection guidelines.
Forming committees and framing guidelines won’t be enough. People should also be made aware of the importance of their data and privacy. A good initiative would be learning from the General Data Protection Regulation (GDPR) in the EU.
It is still not too late to implement reform in the IT Act, 2000, the sole authority governing cyber threats. However, a more comprehensive and robust approach covering all the dimensions, ranging from the current threats to those that might arise in the future, is required.
Therefore, there should be more interaction between the information security community and the government. CERT-In is a good step, but each nodal ministry and important department should also have its own rapid response team.
Finally, the legislation should foster an environment that encourages cybersecurity innovation research. Involving Indian tech institutions that are already world-renowned and increasing spending will boost India’s cybersecurity.
By: Nishchal Verma
Nishchal Verma is a South India movie buff and a sports fanatic whose fascination for cricket never dies. Currently, he is pursuing his BBA-LLB from Dr Babasaheb Bhimrao Ambedkar University Central University, Lucknow. He has a core interest in Cyberlaw, AI, Blockchain and policies involving cybersecurity which he actively pursues from national and international perspectives.