Cyber security is a techno legal field that requires patience and techno legal expertise to practice. India has been a
late entrant in the cyber security field and a robust and resilient
cyber security infrastructure in India is still missing. We have
a national cyber security policy of India (NCSP) 2013 but the same
has remained on paper only so far. An analysis
of the existing cyber security policy of India would reveal that
India has still to do its homework in the cyber security field. We at
Perry4LawOrganisation (P4LO) believe that a new and proper cyber security policy of India 2015 must be urgently formulated
by Narendra Modi government.
With fast urbanisation
and stress upon establishment of smart cities, which mainly depends
on information and communication technologies (ICT) to provide public
services, we can expect increased number of cyber attacks upon
critical infrastructure of India. The critical infrastructure protection in India (PDF) has its own
challenges and issues. Similarly, smart cities cyber security in India would have their own
problems and solutions. There is no second opinion that cyber
attacks are going to increase further and this would raise
complicated international legal issues of cyber attacks and cyber security.
For instance it was
reported in 2014 that there was a 136% increase in cyber threats and
attacks against Indian government organisations as compared to the
previous year. Similarly, there was 126% increase in attacks
targeting financial services organisations. There is no doubt that a
strong cyber security infrastructure is need of the hour in India.
Even the national cyber security policy of 2013 must be substituted
with the new cyber security policy of India 2015.
Perry4Law Organisation
(P4LO) has been suggesting formulation of the encryption policy of India (PDF) for long. As a result Indian
government tried to bring an encryption policy recently under Section
84A of the Information Technology Act, 2000 (IT Act 2000) but it was
highly defective. The government ultimately scrapped the encryption
policy but it need to be formulated in a proper manner again.
As on date we are facing
the following cyber security challenges in India:
(1) Cyber security is not
a very easy process to manage. It requires both technological expertise and legal compliances which are lacking in the
country.
(2) There are no
dedicated cyber security laws in India, except one or two sections in the
the IT Act 2000 which also has its shortcomings
such as lack of privacy, lack of civil liberties protection, absence of cyber security breaches disclosure norms etc.
(3) The IT Act 2000 was
passed to govern legal issues of e-commerce, e-governance, cyber
crimes, etc. But, according to experts, new and better techno-legal
laws must be enacted in place of the old law. Techno legal experts
believe that Indian laws like IT Act 2000 and telegraph act require urgent repeal and new and better techno legal laws
must be enacted to replaces these laws.
(4) On 13 April 2015, the
government announced that the Ministry of Home Affairs would form a
committee of officials from the Central Bureau of Investigation,
Intelligence Bureau, Delhi Police, National Investigation Agency and
ministry itself to produce a new legal framework similar to the
erstwhile Section 66A of IT Act 2000. However, it is still to be
enacted as per the information available with Perry4Law Organisation
(P4LO).
(5) Many critical cyber
security related issues need to be taken care of such as critical infrastructure protection, cyber warfare policy (PDF), cyber terrorism, cyber espionage, e-governance cyber security,
e-commerce cyber security, cyber security of banks, etc.
(6) The
cyber security obligations of
stakeholders like law firms, e-commerce websites, directors of companies, Government departments, thermal power sector, power and energy utilities, etc
must be properly understood and effectively implemented in India.
India is presently facing
many type of cyber security threats. These include sophisticated
cyber attacks, cracking, child pornography, cyber stalking, denial of service (DoS)
attacks, distributed denial of service (DDoS) attack, malware
infections, zero day vulnerabilities, phishing attacks, data theft,
etc. In June 2012, cyber attacks were reported on the Indian Navy’s
Eastern Command systems. On July 12, 2013, just few days after the
release of the National Cyber Security Policy, several high-level GOI
officials reported their emails had been hacked. A report later on
revealed that almost 12,000 systems were hacked which included
systems from the Ministry of External Affairs, Defence Research and
Development Organisation, Ministry of Home Affairs, National
Informatics Centre etc. There are also few reports of Pakistan
indulging in threatening cyber warfare. Hacker groups based out of
Karachi and Lahore have in recent years managed to hack the websites
of the Central Bureau of Investigation (CBI) and the Bharat Sanchar
Nigam Limited (BSNL) mostly to leave hate mail. It is widely believed
that regional terrorist outfits, like the Indian Mujahideen (IM) have
also made use of social media sites to communicate effectively.
Perry4Law Organisation
(P4LO) has provided the following suggestions to Indian government
from time to time:
(1) The Narendra Modi
government must take cyber security of the country seriously
considering the ever-increasing cyber security challenges in India.
(2) It is high time that
India must be cyber prepared to protect its cyberspace.
(3) Draft of the National cyber security policy of India 2015 should be formulated
as soon as possible.
(4) There must be a
dedicated cyber security law of India keeping in mind contemporary
cyber security threats.
(5) Cyber security
disclosure norms in India must be formulated as soon as possible.
(6) The cyber security
awareness in India must be further improved and spread so that
various stakeholders can also effectively take part to the
implementation of cyber security initiatives of Indian government.
Perry4Law Organisation
(P4LO) hopes that this cyber security research report of India would be useful to all
cyber security stakeholders in India and foreign jurisdictions.