Around 1.3 billion Indians have a unique digital identity; 750 million use smartphones and 800 million use the internet. The world’s biggest public information infrastructure needs a fortress to secure its cyberspace from armies threatening to weaponise data and digitally colonise nations.
Today, there are many hands holding bricks, but the foundation is yet to be laid. In July, 2019, a taskforce was set up under Rajesh Pant, a retired lieutenant general and national security coordinator, to draw up a national cybersecurity strategy. The strategy, which has taken shape on paper and is awaiting the cabinet nod, proposes to create a national architecture that brings all arms dealing with cybersecurity under one umbrella organisation.
Since 2013 the entire cyber landscape has changed. Earlier, the Indian Computer Emergency Response Team (CERT-IN) was the only agency issuing alerts and training experts. Now more than half a dozen agencies exist, and the right hand does not know what the left hand is doing sometimes.
The National Critical Information Infrastructure Protection Centre (NCIIPC) protects critical infrastructure; the Defence Cyber Agency—headed by Mohit Gupta, a rear admiral—is the first joint cyber group of the tri-services, with nearly 150 experts handling cyberthreats for military establishments. The ministry of home affairs runs the Indian Cyber Crime Coordination Centre, which is setting up regional and district cybercrime cells to act as nodal points for quick registration of crimes. The ministry of electronics and communication runs the Cyber Swachhta Kendra, separately for botnet cleaning and malware analysis. For cross-border breaches, the cyber diplomacy wing of the ministry of external affairs comes in handy.
India is not the only country with multiple structures. Some countries have even appointed cyber ambassadors at large. Recently, Pant was asked to lead a counter ransomware initiative organised virtually by the White House. There the US talked about Colonial Pipeline, JBS ransomware attacks and Kaseya Ltd, a Miami based software supplier, which was in the crosshairs of a massive ransomware spree. By its sheer size, India had experiences to share, too. It reported a 120 per cent rise in ransomware attacks, with hospitals and a leading food chain being targeted during the festive season. India also mentioned how companies getting insurance to counter ransomware threats were increasingly becoming targets.
The consensus among nations was to avoid ransom. Unless, of course, the operation was like the FBI’s probe into the Colonial Pipeline breach, where it asked the pipeline to pay the ransom and then tracked the money trail and got 25 million dollars back!
India cannot take its eyes off the ball. But cyber czars are soon realising that many cooks can spoil the broth. The biggest problem is there is not a single institution where the buck stops. The closest is the ministry of electronics and information technology, but even it falls short of taking responsibility for the entire cyberspace.
The government has to set its house in order before it starts fighting wars in cyberspace. Rolling out the national cybersecurity strategy will be key to Prime Minister Narendra Modi’s dream of securing cyberspace. In his keynote address at the Sydney Dialogue on November 18, Modi said technology and data are new weapons and urged democracies to work together in cyberspace to prevent conflict and coercion.
The new national cybersecurity architecture is promising. It aims to bring all arms of the government dealing with cybersecurity under one umbrella organisation, responsible for securing cyberspace inside the country. Using the concept of Common but Differentiated Responsibilities (CBDR), it will outline the responsibilities of individuals, academia, government and businesses.
“When multiple organisations are handling cybersecurity, it becomes difficult to assign roles and responsibilities to them. There must be an umbrella organisation looking after cybersecurity in the country. This is what the UK has done after learning the lesson the hard way,” said Muktesh Chander, senior IPS officer and founder-director of NCIIPC.
Presently, India is dependent on Google to clean its backyard of pests. The plan is to create its national malware repository, which is already in the testing stage with 75 million samples of malware in it.
“The strategy also includes creating a dedicated cyberintelligence network to acquire threat inputs from domestic and global firms and provide inputs to user agencies to tackle those threats,” said a security official. This will be on the lines of the National Intelligence Grid to counter terrorist threats.
India may soon have a standalone cybersecurity law to cover digital forensics and cryptocurrency. It will give it more teeth to handle the perils of the digital revolution.
All said, the inadequacies of the existing Information Technology Act are glaring. “The IT Act did not focus on cybersecurity or cybercrime when it was formulated, and all additions, subsequently in 2008, were at best the proverbial band-aid syndrome that can help temporarily but cannot be a permanent solution,” said N.S. Nappinai, advocate in Supreme Court and founder of Cyber Saathi.
She said the new law is expected to play a key role in not only punishing but also enabling economic growth and adaptation of evolving tech scenarios, and thereby act as a deterrent against threats and vulnerabilities underlying such evolution. “To achieve this, a concise and focused law is essential,” said Nappinai.
Today, the cases of cyberattacks being converted into an FIR is mere 10 per cent. This is because law enforcement agencies cannot step in unless there is a complaint, there are problems of overlapping jurisdictions in tier-II and tier-III cities where cybercriminals take advantage of shifting mobile tower signals and difficulty in laying hands on actual perpetrators in India and abroad.
“The cost of any lapse continues to be enormous,” said Pawan Duggal, founder and chairman of the International Commission on Cyber Security Law. Official data revealed citizens have lost 01.24 lakh crore in cybercrime incidents alone. Any more estimates of losses incurred in cyber breaches will only be guesswork.
One of the biggest nightmares of the government and citizens is a large amount of data being lost in cyberspace every day. “After all, data is money! And we are losing it every second,” said Duggal.
Rama Vedashree, CEO of Data Security Council of India, said the proposed personal data protection law should take care of these concerns by fixing accountability of public agencies along with the private sector. But until the saddle is put on the horse, it is best to take the middle road.
This was true when Nappinai appeared for the government of Kerala, as special counsel before the High Court, in a batch of writ petitions that challenged the collection of health data and used a US-based entity for processing the same to combat Covid.
“We submitted that anonymised data will be shared with the foreign entity to protect rights of individuals and also to protect against stopping the important and seminal work undertaken by the government of Kerala for combatting the pandemic,” she said. This was accepted by the High Court of Kerala.
“At a stage where the present data protection regime, which is minimal in India, does not cover regulating collection of data by a government entity, the consensus model ensured a balance between government’s requirement and individual privacy rights,” she said.
The bigger caverns, however, will take much longer to fill.