Professional Documents
Culture Documents
Cyber Security
Cyber Security
Cyber security: As per Information Technology Act, 2000, “Cyber security means protecting
information, equipment, devices computer, computer resource, communication device and
information stored therein from unauthorised access, use, disclosure, disruption, modification or
destruction
Cyberspace: India’s Cyber Security Policy 2013 defines cyberspace as a complex environment
comprising interaction between people, software and services, supported by worldwide distribution
of information and communication technology devices and network. Therefore, any attack on
cyberspace is an issue of cyber security.
Cyberspace has become key component in the formulation and execution of public policies. Taking
down cyberspace will result into disruption of many critical public services like railways, defence
systems, communication system, banking and other financial system etc
Cyberthreats can be disaggregated into four baskets based on the perpetrators and their motives -
Cyber Espionage, Cyber Crime, Cyber Terrorism, Cyber Warfare
Cyber-attack is “any type of offensive manoeuvre that targets computer information systems,
infrastructures, computer networks with an intention to damage or destroy targeted computer
network or system.
Cyber terrorism is the convergence of terrorism and cyber space. It is generally understood to mean
unlawful attacks and threats of attacks against computers, networks, critical infrastructures, and
information stored therein when done to intimidate or coerce a government or its people in
furtherance of political, religious or social objectives
Besides, terrorists also use cyberspace for purposes like planning terrorist attacks, recruiting
sympathizers, communication purposes, command and control, spreading propaganda in form of
malicious content online to brain wash, funding purposes etc
Cyberwarfare is “The use of computer technology to disrupt the activities of a state or organization,
especially the attacking of information systems like websites etc. for strategic or military purposes.
These hostile actions against a computer system or network can take any form
Cyber espionage is “The use of computer networks to gain illicit access to confidential information,
typically that held by a government, individual or other organization. It is generally associated with
intelligence gathering, data theft and, more recently, with analysis of public activity on social
networking sites like Facebook and Twitter
Examples of Cyber Espionage include- 2014 hacking of major US companies to steal trade secrets by
Chinese officials; Titan Rain; Moonlight Maze; NSA surveillance Program as revealed by Edward
Snowden in USA
Cybersecurity in India
Situation of Cyber Crimes in India and need for Cyber Security
Increasing vulnerability: India the fifth most vulnerable country in the world in terms of
cybersecurity breaches. India saw at least one cybercrime every 10 minutes during the first
half of 2017 including more sophisticated cyber threats such as the WannaCry and Petya
ransomware
Increasing cost: The estimated cost of cyber-attacks in India stands at four billion dollars
which is expected to reach $20 billion in the next 10 years
The National Crime Records Bureau (NCRB) in 2016 reported 12,317 cybercrime cases, an
increase of 6% as compared to 2015
Attacks have been mostly initiated from countries such as the U.S., Turkey, China, Brazil,
Pakistan, Algeria, Turkey, Europe, and the UAE
Hacking of emails and twitter accounts by a group of hackers who call themselves ‘Legion’.
This group also claimed access to “over 40,000 servers” in India, “encryption keys and
certificates” used by some Indian banks, and confidential medical data housed in “servers of
private hospital chains”.
According to a submission in Parliament, over 700 Indian government websites, including
state and central government websites, have been hacked and forced offline for varying
periods in the past four years
Government’s digital push: Various programs of government such as Aadhaar, MyGov,
Government e- Market, DigiLocker, Bharat Net etc. are prompting a larger number of citizens,
companies and government agencies to transact online
Start-ups digital push: India is the third largest hub for technology-driven startups in the
world and its ICT sector is estimated to reach $225 billion landmark by 2020
Increasing internet users: India ranks 3rd in terms of number of internet users after USA and
China. By 2020, India is expected to have 730 million internet users with 75% of new users
from rural areas.
Increasing online transactions: For e.g.: by 2020, 50% of travel transactions will be online and
70% of ecommerce transactions will be via mobile
Therefore, focusing on cyber security should be a priority for the country
There is growing threat from online radicalization, cyber bullying
Threats like Phishing, Denial of cards, Credit card Frauds causes
Key concerns
The National Cyber Security Policy 2013 mainly covers defensive and response measures and
makes no mention of the need to develop offensive capacity.
The cyber security policy suffers from lack of proper implementation with respect to
provisions like recruitment of 5 lakh professionals etc.
It is inadequate to balance cybersecurity needs with the need to protect civil liberties of
Indians including privacy rights
The Information Technology Act, 2000 regulates the use of computer systems and computer
networks, and their data
The Act gives statutory recognition to electronic contracts and deals with electronic
authentication, digital signatures, cybercrimes, liability of network service providers etc
It defines cyber terrorism, lists all types of cybercrimes section wise with their
punishments and penalties
Therefore, anyone who commits a cybercrime will be charged under I.T act
A Controller of Certifying Authorities has been established under this act to license and
regulate the working of Certifying Authorities which issue digital signature certificates for
electronic authentication of users
According to the provisions of the Information Technology Amendment Act 2008, CERT-In
is responsible for overseeing administration of the Act
The issues relating to confidential information and data of corporates and their adequate
protection have not been adequately addressed
The maximum damage, by way of compensation, stipulated by the cyber law amendments is
Rs.5 crore. This is a small figure and hardly provides any effective relief to corporates
The issue pertaining to spam has not been dealt with in a comprehensive manner. In fact,
the word ‘spam’ is not even mentioned anywhere in the IT Amendment Act. It is pertinent to
note that the countries like U.S.A., Australia and New Zealand have demonstrated their
intentions to fight against spam by coming across with dedicated anti-spam legislations
Institutional Framework
In Prime Minister’s Office (PMO):
National Critical Information Infrastructure Protection Centre (NCIIPC) to battle cyber
security threats in strategic areas such as air control, nuclear and space. It will function
under the National Technical Research Organisation, a technical intelligence gathering
agency controlled directly by the National Security Adviser in PMO.
Critical Information Infrastructure is defined as those facilities, systems or functions whose
incapacity or destruction would cause a debilitating impact on national security, governance,
economy
The CERT-In has been established to thwart cyber-attacks in India. It is mandated under the
IT Amendment Act, 2008 to serve as the national agency in charge of cyber security
CERT-Fin has also been established based as a specialized agency on the recommendation of
a sub-committee of the Financial Stability and Development Council (FSDC) to tackle threats
related to financial sector
National Information Centre-Computer Emergency Response Team (NIC-CERT) to prevent
and predict cyber-attacks on government utilities
International Measures
Cyber-diplomacy: Indian government has entered into cyber security collaborations with countries
such as the USA, European Union and Malaysia. For eg- U.S.-India Cyber Relationship Framework
Participating in Global Conference on Cyber Space: It is a prestigious global event where
international leaders, policymakers, industry experts, think tanks, cyber wizards etc. gather to
deliberate on issues and challenges for optimally using cyberspace
Global Centre for Cybersecurity: It was launched by the World Economic Forum (WEF) to serve as laboratory
and early-warning think tank for future cybersecurity
About Budapest convention on cybercrime
This convention of the council of Europe is the only binding international instrument on this issue that
addresses Internet and computer crime by harmonizing national laws, improving legal authorities for
investigative techniques, and increasing cooperation among nations.
It deals with issues such as infringements of copyright, computer-related fraud, child pornography and
violations of network security.
It aims to pursue a common criminal policy, especially by adopting appropriate legislation and fostering
international police as well as judicial co-operation
India is not yet a member
Widespread Digital illiteracy makes Indian citizens highly susceptible to cyber fraud, cyber
theft, etc
Substandard devices: In India, majority of devices used to access internet have inadequate
security infrastructure making them susceptible to malwares such as recently detected
‘Saposhi’. Also, rampant use of unlicensed software and underpaid licenses make them
vulnerable as well
Lack of adoption of new technology: For eg-Banking infrastructure is not robust to cop-up
with rising digital crime as 75% of total Credit and Debit card are based on magnetic strip
which are easy to be cloned
Import choices/dependence for majority of electronic devices from cell phones to equipments
used in power sector, defence, banking, communication and other critical infrastructure put
India into a vulnerable situation
Underreporting: More than 90% of cybercrime incidents remains under the sheet due to fear
of reputational and credibility loss of an organization
Structural
Data colonization: India is net exporter of information however data servers of majority of
digital service providers are located outside India. Also, data is being misused for influencing
electoral outcomes, spread of radicalism etc
uniform standards: There are variety of devices used with non-uniform standards which
makes it difficult to provide for a uniform security protocol
Anonymity: Even advanced precision threats carried out by hackers is difficult to attribute to
specific actors, state or nonstate.
Other challenges: include absence of any geographical barriers, rapidly evolving technology
in cyberspace and difficulty in establishing a fool proof cybersecurity architecture because of
number of vulnerable points in the overall ecosystem
Lack of best practices and statutory backing for the same, e.g.- India does not have norms of
disclosure
The government is yet to identify and implement measures to protect “critical information
infrastructure
The appointment of National Cyber Security Coordinator in 2014 has not been
supplemented by the creating liaison officers in states
Lack of adequate infrastructure and trained staff: There are currently around 30,000 cyber
security vacancies in India but demand far outstrips supply of people with required skills
Procedural
Lack of awareness in local police of various provisions of IT Act, 2000 and also of IPC related
to cybercrimes
Post-demonetisation, government has pushed the citizenry to go ‘cashless’, without building
capacity and awareness on the security of devices or transactions thus increasing
vulnerability.
Also, the core infrastructure elements of a smart city cover urban mobility, water and
electricity supply, sanitation, housing, e-governance, health and education, security and
sustainability, all bounded and harnessed by the power of information technology
The current IT Act might not give adequate protection to the citizen data that smart
cities will generate
Way forward
Cyber deterrence: It is of two kinds – defensive and offensive. India needs to make a proper
assessment of an offensive cyber doctrine adopted by many countries where they are
acquiring offensive capabilities by building bits of software called ‘cyberweapons’ to do
enormous damage to the adversary’s networks
Better regulation and adoption of norms: Presently, there are no acceptable norms of
behaviour in cyberspace. Thus, state as well as companies are developing their own
capabilities leading to unchecked proliferation of offensive cyber tools and practices having
potential to destabilise the entire cyberspace
Ensure coordination: National Cybersecurity Coordinator (NCC) may be strengthened to
bring about much-needed synergy among various institutions and work out a coordinated
approach to cyber security
Establishing cyber insurance framework like Singapore: Cyber insurance is opening
opportunities for cyber security companies and ethical hackers. At present 80% of forensics
for insurance claims is being outsourced to Singapore. According to industry estimates, 300-
400 cyber policies have been sold in India till date. Average cost of a cyber insurance in India
is around $7.5 million. However, compared to developed countries it is still 20-25% lesser
Promote investment in cybersecurity by businesses: At present, only a part of security
budget is being utilized for IT security by companies. However, considering economic and
reputational risks associated with cyber incidents the investment in IT security has to be
increased with adoption of a cybersecurity plan, purchase of cyber insurance as well as
appointment of a data security officer
Amendment of IT Act 2008: The regulations need to keep pace with the changing cyber
scenario to ensure penalties serves as deterrence for crimes
Skill development: By 2025, the cybersecurity space is expected to generate around a
million jobs in India. To avoid ceding jobs to expatriates, India must establish ecosystem to
develop necessary skills. The idea of a National Cyber Registry “as a repository of IT
professionals” may also be implemented
Updating of cyber security policy: India needs an updated policy on cybersecurity as
National Cyber Security Policy 2013 outlined the broad principles regarding how to approach
cybersecurity while lacking outline to operationalise it
Security audit: Security Audit adhering to international standards may be made applicable
for all govt. websites, applications before hosting and publishing
Establishing cybersecurity framework at state level: For e.g.- establishment of state CERT to
work in conjunction with CERT-in
Enhanced international cooperation: There must be enhanced cooperation among nations
and reaffirmed a global call to action for all United Nations member nations to not attack the
core of the Internet even when in a state of war. Recently, Ministry of home affairs recently
called for signing of the Budapest Convention on cybercrime owing to the surge in cyber-
crime
Indian government along with NASSCOM should promote startups working in the field of
digital security.
India can follow international best practices such as Tallinn Manual which is an academic
work related to laws that apply to cyber-crimes which developed nations such as USA are
following.