Cyber Security in India
Cyber security is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. In a computing context, security includes both cyber security and physical security.
Currently, almost 70 categories of cyber security products have been identified. These include products used for data loss prevention, security analytics, big data analytics, web security, antivirus, mobile payments, mobile data protection, cloud security and spam-free email solutions, among others.
NEED TO REGULATE CYBERSPACE
- There has been a rapid increase in the use of the online environment, where millions of users have access to internet resources and are providing content on a daily basis.
- A particular concern is the use of the internet for the distribution of obscene, indecent and pornographic content. The use of the internet for child pornography and child sexual abuse, and the relative ease with which the same may be accessed, calls for strict regulation.
- The increasing shift of business transactions from tangible assets to intangible assets like intellectual property has converted cyberspace from a mere info space into an important commercial space. The attempt to extend and then protect intellectual property rights online will drive much of the regulatory agenda and produce many technical methods of enforcement.
- The major area of concern where some sort of regulation is desirable is data protection and data privacy, so that industry, public administrators, netizens and academics can have confidence as online users.
- The Internet has emerged as the ‘media of the people’. As the internet spread fast, there were changes in the press environment that had been centered on mass media. Unlike in the established press, there is no editor on the Internet. People themselves produce and circulate what they want to say, and this direct way of communication on the internet has caused many social debates. Therefore, the future of cyberspace content demands the reconciliation of the two views of freedom of expression and concern for community standards.
- Another concern is that money laundering, a ‘serious crime’, becomes much simpler through the use of the net. A person may use a name and an electronic address, but there are no mechanisms to prove the association of a person with an identity, so that a person can be restricted to a single identity or an identity can be restricted to a single person. Therefore, cyberspace needs to be regulated to curb this phenomenon.
Cyber terrorism is the convergence of terrorism and cyber space. It is generally understood to mean unlawful attacks and threats of attacks against computers, networks, and information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives.
Further, to qualify as cyber terrorism, an attack should result in violence against persons or property or at least cause enough harm to generate fear. Attacks that lead to death or bodily injury, explosions, plane crashes, water contamination or severe economic loss would be examples. Serious attacks against critical infrastructures could be acts of cyber terrorism depending upon their impact. Attacks that disrupt nonessential services or that are mainly a costly nuisance would not.
Cyber-terrorism can also be understood as “the use of computer network tools to shut down critical national infrastructures (such as energy, transportation, government operations) or to coerce or intimidate a government or civilian population.” A hostile nation or group could exploit these vulnerabilities to penetrate a poorly secured computer network and disrupt or even shut down critical functions.
NEED OF “DOMESTIC PROCUREMENT” BEING EMPHASIZED
With a view to promoting domestic technology and preventing data theft by foreign entities, the government will soon announce a policy that accords preference in official procurement to ‘Made in India’ antivirus and cyber security solutions.
The Ministry of Electronics and Information Technology (MeitY) has issued a draft notification which states “preference shall be provided by all procuring entities to domestically manufactured/ produced cyber security products.”
The possibility of foreign vendors retaining some backdoor access and the risk of a third party gaining access was a key factor spurring the policy, said an official, who did not wish to be named. “So, you have to have your own solutions.”
- India witnessed more than 27,000 cyber security threat incidents in the first half of 2017. Example: WannaCry ransomware.
- The number of cyber crime cases registered under IT Act 2000 in India has risen by 300 percent in the period from 2011 to 2014, according to a joint study by PwC and Assocham.
- The study also revealed that in the past, the attacks have been mostly initiated by countries like the US, Turkey, China, Brazil, Pakistan, Algeria, Europe, and the UAE.
- Internet user base of India is said to be around 450 million.
- The growing number of internet and smartphone users has increased the vulnerability to cybercrimes.
- The threats could also be to critical infrastructure systems like nuclear plants, railways, hospitals, as they use outdated technologies and weaker protocols.
- The governments at the Centre and states are the main targets of cyber-attacks, driven by motives ranging from theft, espionage and data extraction to counterfeiting.
- In 2015 and 2016, the government sector accounted for 27% and 29% of all cyber-attacks.
- Major victims of cyber crimes are women. This affects their safety, dignity, and empowerment.
CYBER LAWS IN INDIA
Information Technology Act, 2000
- The Information Technology Act, 2000 intends to give legal recognition to e-commerce and e-governance and facilitate their development as an alternative to traditional paper-based methods.
- The Act has adopted a functional equivalents approach in which paper based requirements such as documents, records and signatures are replaced with their electronic counterparts.
- The Act seeks to protect this advancement in technology by defining crimes, prescribing punishments, laying down procedures for investigation and forming regulatory authorities.
- Many electronic crimes have also been brought within the definition of traditional crimes by means of amendments to the Indian Penal Code, 1860.
- The Evidence Act, 1872 and the Banker’s Book Evidence Act, 1891 too have been suitably amended in order to facilitate collection of evidence in fighting electronic crimes.
National Cyber Security Policy, 2013
- In light of the growth of the IT sector in the country, the National Cyber Security Policy of India 2013 was announced by the Indian Government in 2013, yet its actual implementation is still missing. As a result, fields like e-governance and e-commerce are still risky and may require cyber insurance in the near future.
Its important features include:
- To build secure and resilient cyber space.
- Creating a secure cyber ecosystem, generate trust in IT transactions.
- 24 x 7 National Critical Information Infrastructure Protection Center (NCIIPC)
- Indigenous technological solutions (Chinese products and reliance on foreign software)
- Testing of ICT products and certifying them. Validated products
- Creating workforce of 500,000 professionals in the field
- Fiscal benefits for businessmen who accept standard IT practices, etc.
STAKEHOLDER AGENCIES IN INDIA
Countering cyber crimes is a coordinated effort on the part of several agencies in the Ministry of Home Affairs and in the Ministry of Communications and Information Technology.
The law enforcement agencies such as the Central Bureau of Investigation, The Intelligence Bureau, state police organizations and other specialised organizations such as the National Police Academy and the Indian Computer Emergency Response Team (CERT-In) are the prominent ones who tackle cyber crimes.
1. National Information Board (NIB)
National Information Board is an apex agency with representatives from relevant Departments and agencies that form part of the critical minimum information infrastructure in the country.
2. National Crisis Management Committee (NCMC)
The National Crisis Management Committee (NCMC) is an apex body of Government of India for dealing with major crisis incidents that have serious or national ramifications. It will also deal with national crisis arising out of focused cyber-attacks.
3. National Security Council Secretariat (NSCS)
National Security Council Secretariat (NSCS) is the apex agency looking into the political, economic, energy and strategic security concerns of India and acts as the secretariat to the NIB.
4. Department of Information Technology (DIT)
Department of Information Technology (DIT) is under the Ministry of Communications and Information Technology, Government of India. DIT strives to make India a global leading player in Information Technology and at the same time take the benefits of Information Technology to every walk of life for developing an empowered and inclusive society. It is mandated with the task of dealing with all issues related to promotion & policies in electronics & IT.
5. Department of Telecommunications (DoT)
Department of Telecommunications (DoT) under the Ministry of Communications and Information Technology, Government of India, is responsible to coordinate with all ISPs and service providers with respect to cyber security incidents and response actions as deemed necessary by CERT-In and other government agencies. DoT will provide guidelines regarding roles and responsibilities of Private Service Providers and ensure that these Service Providers are able to track the critical optical fiber networks for uninterrupted availability and have arrangements of alternate routing in case of physical attacks on these networks.
6. National Cyber Response Centre – Indian Computer Emergency Response Team (CERT-In)
CERT-In monitors Indian cyberspace and coordinates alerts and warnings of imminent attacks and detection of malicious attacks among public and private cyber users and organizations in the country. It maintains a 24×7 operations centre and has working relations, collaborations and contacts with CERTs all over the world, and with sectoral CERTs, public and private bodies, academia, Internet Service Providers and vendors of Information Technology products in the country.
7. National Information Infrastructure Protection Centre (NIIPC)
NIIPC is a designated agency to protect the critical information infrastructure in the country. It gathers intelligence and keeps a watch on emerging and imminent cyber threats in strategic sectors including National Defence. It would prepare threat assessment reports and facilitate sharing of such information and analysis among members of the Intelligence, Defence and Law enforcement agencies with a view to protecting these agencies’ ability to collect, analyze and disseminate intelligence.
8. National Disaster Management Authority (NDMA)
The National Disaster Management Authority (NDMA) is the Apex Body for Disaster Management in India and is responsible for creation of an enabling environment for institutional mechanisms at the State and District levels.
9. The Cyber Regulations Appellate Tribunal
The Cyber Regulations Appellate Tribunal has power to entertain the cases of any person aggrieved by the Order made by the Controller of Certifying Authority or the Adjudicating Officer. It has been established by the Central Government in accordance with the provisions contained under Section 48(1) of the Information Technology Act, 2000. The body is quasi-judicial in nature.
Challenges in Cyber security for India
- Lack of coordination among different agencies of the government.
- Government agencies are severely overburdened and understaffed.
- Many government websites have been hacked several times.
- National Information Centre which hosts government’s mail servers has been compromised several times in the past.
- Government is promoting Digital India through e-governance, e-Kranti, broadband highways, etc. With initiatives like demonetization, internet and Smartphone user base is only set to grow. Banks and other financial institutions are also promoting mobile banking and net banking. These increase the vulnerability to cybercrimes like data theft, espionage, etc.
- Frequent attacks erode the trust of customers in digital platforms and could hamper India’s dreams of becoming a cashless economy.
- New age companies like start-ups mainly work on the online platform. Hackers are exploiting this opportunity for attacks like Distributed Denial of Service.
- Poor investments in Cyber security by private companies.
- Private companies and banks do not report about the attack to the government organizations.
- Lack of awareness among the common people about cyber security. Hence they fall prey to the attempts of the hackers.
- Growth in online radicalization is another area of concern. Cyberspace has no physical boundaries for extremists and terrorists, unlike the traditional warfare. Cyber Terrorism is as big a threat as Cybercrimes.
- India is not a signatory to the Budapest Convention, which is the only international convention in the field of cyber security.
Intergovernmental organisations and initiatives
Here we will see, in brief, an overview of intergovernmental bodies and initiatives currently addressing cyber security at the policy level.
1. Council of Europe
The Council of Europe helps protect societies worldwide from the threat of cybercrime through the Budapest Convention on Cybercrime, the Cybercrime Convention Committee (T-CY) and the technical co-operation Programme on Cybercrime. The Budapest Convention on Cybercrime was adopted on 8 November 2001 as the first international treaty addressing crimes committed using or against network and information systems (computers). It entered into force on 1 July 2004.
2. Internet Governance Forum (IGF)
The IGF was established by the World Summit on the Information Society in 2006 to bring people together from various stakeholder groups in discussions on public policy issues relating to the Internet. While there is no negotiated outcome, the IGF informs and inspires those with policy making power in both the public and private sectors.
The IGF facilitates a common understanding of how to maximise Internet opportunities and address risks and challenges. It is convened under the auspices of the Secretary-General of the United Nations.
Its mandate includes the discussion of public policy issues related to key elements of Internet governance in order to foster the sustainability, robustness, security, stability and development of the Internet.
3. United Nations (UN)
The International Telecommunication Union (ITU) is the specialized agency of the United Nations which is responsible for Information and Communication Technologies.
ITU also deals with adopting international standards to ensure seamless global communications and interoperability for next generation networks; building confidence and security in the use of ICTs; emergency communications to develop early warning systems and to provide access to communications during and after disasters, etc.
1. There is a need for coordination among national and international agencies working on cybersecurity.
2. India could thus learn from the best practices of other countries and streamline the processes and protocols.
3. The Government has made it mandatory for organizations to report in case of an attack.
4. Organisations should also be proactive in doing so, keeping in mind the larger good of society instead of worrying about their reputation and brand value.
5. There is an urgent need to build a Digital Armed Force of trained IT professionals to carry on both defensive and offensive operations.
6. The proposed project NETRA for internet surveillance should be taken up. Concerns about privacy and freedom of expression have to be taken care of.
National Cyber Security Policy should be amended according to the changing times and need.
State Governments should also take up operations for cybersecurity.
Example: The SHE Team of the Telangana Government has been successful in protecting women from online harassment and cybercrimes. Similar initiatives could be taken up by other states as well.
7. Cybersecurity Help Desks need to be set up to provide guidance and support to first level users.
8. The “Indian Cyber Crime Coordination Centre” (I-4C), which will help in monitoring and capacity building for cyber crimes, needs to be established. This will also help the Law Enforcement Agencies in curtailing the crimes.
With growing adaptation to technology, cyber attacks, cyber crimes and cyber terrorism are growing at a faster pace. India needs to be proactive and diligent in handling these attacks. Steps should be taken to protect public and private organizations and individuals. A holistic approach is needed to address the issue, with no loose ends left. Cybersecurity is also key to success in initiatives like Make in India, Digital India and the Smart Cities program.