Listen to this story
By the end of this year, about 60% of the Indian population (840 million), will have access to the internet, claims a report. The flip side of this is, increasing cybercrimes. Over 18 million cases of cyber attacks and threats were recorded within the first three months of 2022 in India, with an average of nearly 200,000 threats every day, according to the cyber security firm Norton.
Last year, the Indian Computer Emergency Response Team (CERT-In) handled more than 14 lakh cases. Cyber threats such as online fraud, ransomware, phishing attacks, and SQL injection attacks are becoming increasingly common with each passing day.
In this regard, recently, Dr Pavan Duggal, Supreme Court lawyer and chairman of the International Commission on Cyber Security Law, suggested that India should have a dedicated ministry in terms of cybersecurity as it has become much bigger and more comprehensive in impact and relevance.
While we may need a dedicated ministry in the future, India currently needs cybersecurity laws. In 2020, PM Narendra Modi, during his Independence Day speech, announced that India would soon have a new Cyber Security Policy; however, it’s been two years and what we have is the poorly implemented Cyber Security Policy 2013.
India needs a uniform cybersecurity law
Today, almost all nations understand that threats from the internet are limitless and have stringent cybersecurity laws in place.
In the past few years, the number of cyber attacks on the Indian government and private entities have increased alarmingly. Earlier this year, state-owned Oil India Limited’s system in Assam was hacked, which heavily impacted its operations. In 2021, Air India’s data servers were hacked, impacting nearly 4.5 million customers.
“Currently, there is no dedicated legislation for cyber law. Instead, there is a mix of IT law, contract law, penal provisions, cyber security policy and the rules and regulations that deal with cyber security in some form or the other,” Salman Waris, partner, head of TMT & IP Practice at TechLegis Advocates & Solicitors, told AIM.
One of the primary legislations in India that deals with cybersecurity and associated crimes such as phishing, malware attacks, hacking, identity fraud and electronic theft is the Information Technology (IT) Act 2000. “In my opinion, the government has been working on the National Cyber Security Policy for some time, and the fact that India does not have a dedicated law on cyber security speaks for itself,” Waris said.
With India’s cyber sovereignty at stake, what the country needs currently is a uniform cybersecurity law. Cyberthreats are only going to increase with each passing day, and to mitigate the risk, implementing the new cyber security policy should be the government’s topmost agenda.
“In today’s globalised cyber world, the government needs to make cybersecurity the cornerstone of its approach to all its traditional functions as in the near future, each and every sector in the country shall be vulnerable to cyber attacks, be it in the form of the increased ransomware attack or the completed denial of service campaigns. To ensure the success of the ‘Digital India campaign’, it is essential the government also works toward a cybersafe India,” Waris added.
CERT-In isn’t enough
Cybersecurity falls under the Ministry of Electronics and Information Technology. The Indian Computer Emergency Response Team (CERT-In) was established in 2004 to deal with cyberthreats. However, they fail to cover every aspect of cybersecurity that impacts us today.
Waris said that CERT-In primarily ensures that information on cyber events is gathered and analysed, then disseminated besides putting in place emergency response procedures for cyber security issues and publishes guidelines, advisories, response, reporting, incident prevention and vulnerability notes.
“While these cyber security initiatives are right, they fall short of meeting all the challenges the country’s cyber infrastructure faces in a post-modern world, and cyber threats today require both defensive and offensive strategy as cyber has become a realm of post-modern global warfare with both state and non-state actors as active players. Hence CERT-In alone may not be well equipped to tackle all of India’s cybersecurity challenges,” Waris reiterates.
A cybersecurity ministry?
Cyberthreats are becoming more complex, and hackers are finding modern and innovative ways to carry out cyber attacks. Experts have also warned about cyberwarfare, where cyber attacks can be used to destabilise a state and its infrastructure in case of a war.
Taking all these factors into account and given the increasing dependence on technology and the internet, there is a possibility that India might have a cybersecurity ministry one day to deal with every spectrum of cybersecurity. However, there are several roadblocks.
Waris believes that before we set up a ministry, India should have a full-fledged dedicated cyber security law. “The strategy should be seen as a concurrent step. At a time when a lot of other countries have already started coming up with dedicated laws on cyber security, India is slightly behind the curve.
“Except Zimbabwe and Australia, I don’t think there is any other country that has explored the idea of a dedicated minister or ministry for cyber security, hence before we explore such an option, we ought to have a dedicated law on cyber security, which is the need of the hour,” Waris concluded.