Cybersecurity and government policies (Internal security) Paper-3 PMP
Cybersecurity refers to technologies, processes, and rules created to protect computer systems, servers, networks, programs, devices, and data from cyber-attacks. It aims to protect against unauthorised access to data and misuse of technologies. India’s growing reliance on digital technologies, increasing use of the internet, lack of awareness, and vulnerability of the Critical Information Infrastructure have made it a target of a wide range of cyber threats. According to a CERT-In report, over 3.94 lakh cyber security incidents were reported in 2020 in India, an increase of 63% from the previous year. These incidents included phishing attacks, website intrusions, malware attacks, and ransomware attacks.
Terminology
- Cyber Security is protecting cyber space including critical information infrastructure from attack, damage, misuse and economic espionage.
- Cyber Space: A global domain within the information environment consisting of the interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.
- Critical Information Infrastructure: According to Section 70(1) of the Information Technology Act, CII is defined as a “computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety”.
- Cyber Attack: It is a malicious and deliberate attempt by an individual or organization to breach the information system of another individual or organization.
India to Cyber Attacks?
India has a large and growing population of internet users, with more than 52% of the population or 759 million people accessing the internet at least once a month in 2022.
- India is the second largest online market in the world, behind China.
- By 2025, the number is expected to grow to 900 million.
India has a rapidly expanding digital economy, with sectors such as healthcare, education, finance, retail, and agriculture relying on online platforms and services.
- However, India’s cyber security infrastructure, policies, and awareness are outdated or inadequate, making it easy for hackers to exploit the gaps and weaknesses in the system. That is why India faces sophisticated and persistent cyber threats from state-sponsored and non-state actors, who target India’s strategic, economic, and national interests.
Methods used for cybercrime/Cyber Attack
- Phishing: It is a kind of fraudulent attempt made through email to capture personal and financial information.
- Cyber Stalking: Repeated use of electronic communications to harass or frighten someone.
- Identity theft: It is a type of fraud in which a person pretends to be someone else and commits crime in the name of someone else.
- Denial of service (DoS): It refers to an attempt to make computer, server or network resources unavailable to its authorized users, usually by temporary interruption or suspension of services.
- Ransomware: Ransomware is a type of computer malware that encrypts the files and storage media on communication devices like desktops, laptops, mobile phones etc., holding data/information hostage. The victim is asked to pay the demanded ransom to get the device decrypted.
- Botnets: A botnet is a collection of networked computers that reside on the Internet. These computers silently send spam, viruses, and malicious information to other Internet computers, all based on the instructions they receive from those controlling the botnet.
- Whaling: A whaling attack is a method used by cybercriminals to masquerade as a senior player at an organization and directly target senior or other important individuals at an organization, with the aim of stealing money or sensitive information or gaining access to their computer systems for criminal purposes.
- Spoofing: Spoofing, as it pertains to cyber security, is when someone or something pretends to be something else in an attempt to gain our confidence, get access to our systems, steal data, steal money, or spread malware.
- Browser hijacking: Browser hijacking is the unintended modification of a web browser’s settings by malware. The term “hijacking” is used as the changes are performed without the user’s permission. Some browser hijacking can be easily reversed, while other instances may be difficult to reverse. Various software packages exist to prevent such modification.
- Pharming: It is a method used by phishers to deceive users into believing that they are communicating with a legitimate Web site. Pharming uses a variety of technical methods to redirect a user to a fraudulent or spoofed Web site when the user types a legitimate Web address.
- Skimming: It is the act of obtaining data from an unknowing end user who is not willingly submitting the sample at that time. An example could be secretly reading data while in close proximity to a user on a bus.
- Spamming: Unsolicited commercial e-mail (UCE) sent to numerous addresses or newsgroups.
- Espionage: Espionage is the act or practice of obtaining data and information without the permission and knowledge of the owner.
- Computer Virus: It is a program written to enter your computer, damage/alter your files/data, and replicate itself.
- Worms: Worms are malicious programs that make copies of themselves again and again on the local drive, network shares, etc.
- Trojan horse: A Trojan horse is not a virus. It is a destructive program that looks like a genuine application. Unlike viruses, Trojan horses do not replicate themselves but they can be just as destructive. Trojans open a backdoor entry to your computer which gives malicious users/programs access to your system, allowing confidential and personal information to be stolen.
Need for Cyber Security in India
Amongst contemporary security vulnerabilities, cyber threats to the economy, security, public service delivery, critical infrastructure, etc. have emerged as critical to India. Cyber threat is a huge challenge that is capable of disturbing and destroying the economic and social order. The following are the major reasons why cyber security is needed:
- Nature of Cyberthreat: These are hard to detect and difficult to investigate because of their anonymity. Besides being inexpensive and easy to commit, they are hard to prove with certitude.
- Evolving nature: Cyber criminals are embracing increasingly innovative and highly inventive techniques.
- Ransomware as a Service: Recent instances of Ransomware attacks where RaaS was used.
- Cybercrime-as-a-service: This new model emerged in 2023. E.g. LockBit, Akira, Luna Moth
- Misuse of AI: In 2023 WormGPT, a blackhat version of ChatGPT was found to be used to generate malicious content, including phishing emails, malware code, fake news, and social media posts.
- High level of Vulnerability: The Critical Information Infrastructure (CII) and other state computer resources are not fully protected and have become easy targets.
- Example: The AIIMS ransomware attack of 2022 affected a large number of patients' data.
- Used by terror organisations: Cyber terrorists can use the same techniques as traditional cyberattacks, such as DDoS attacks, malware, social engineering, and phishing.
- The impetus to digitisation: The government has been promoting internet-based services making them more vulnerable to cybercrimes.
- Online payments via BHIM UPI are prone to fraud, surveillance, profiling, violation of privacy, etc.
- Interface with Public Services: Attacks in cyberspace may result in the disruption of critical public services like railways, defense systems, communication systems, banking, and others.
- The 2020 Mumbai power outage was allegedly due to a Chinese cyber-attack carried out through malware.
- Cyber warfare against India: State-sponsored cyberattacks against India went up by 278% between 2021 and 2023, with the service sector, including IT and BPO, facing the highest share of attacks, according to the 2023 India Threat Landscape Report by Cyfirma.
- Rising cybercrime in India: As per the NCRB report the number of Cybercrime incidents in India was as follows:
| Year | 2020 | 2021 | 2022 |
|---|---|---|---|
| Number of Cybercrime incidents | 50035 | 52974 | 65893 |
| Percentage rise over the previous year | 11.8% | 5.9% | 24.2% |
- Major types of cybercrime in India: During 2021, 37.6% of the cases were reported under Computer-related offenses followed by fraud at 26.4% and Publication/ transmission of obscene / sexually explicit acts in electronic form in 12.5% of cases.
Latest Cases
- WannaCry: It was a ransomware attack that spread rapidly in May, 2017. The ransomware locked users’ devices and prevented them from accessing data and software until a certain ransom was paid to the criminals. Top five cities in India (Kolkata, Delhi, Bhubaneswar, Pune and Mumbai) got impacted due to it.
- Mirai Botnet: Mirai is malware that infects smart devices that run on ARC processors, turning them into a network of remotely controlled bots or zombies. This network of bots, called a botnet, is often used to launch Distributed Denial of Service (DDoS) attacks. In September 2016, Mirai malware launched a DDoS attack on the website of a well-known security expert.
- Attack on the Kudankulam nuclear power station.
- Attacks on the websites of national institutions.
- Petya Ransomware – In India, the ransomware has crippled the operations at one of the terminals of the Jawaharlal Nehru Port Trust.
- In 2017, a malware attack on the Tehri Dam in Uttarakhand.
- Stuxnet: The cyber worm, allegedly created by the US National Security Agency and the Israeli military, posed a massive attack on the cyber infrastructure of Iran’s nuclear enrichment center at Natanz. Stuxnet exploited five distinct zero-day vulnerabilities in desktop systems, apart from vulnerabilities in PLC systems. Indian investigators had already found Stuxnet in Indian systems in early 2012.
CYBER SECURITY Initiatives
Information Technology Act, 2000
The act regulates use of computers, computer systems, computer networks and also data and information in electronic format.
The act lists, among other things, the following as offences:
- Tampering with computer source documents.
- Hacking with computer system.
- Act of cyber terrorism, i.e. accessing a protected system with the intention of threatening the unity, integrity, sovereignty or security of the country.
- Cheating using computer resource etc.
| Sections | Description |
|---|---|
| Section 43 | Data protection: laws and regulations that make it illegal to store or share some types of information or share information about people without their knowledge or permission |
| Section 66 | Hacking of systems present over the network. |
| Section 69 | Cyberterrorism |
| Section 66 B | Dishonestly receiving stolen computer resources |
| Section 73 | Publishing electronic Signature certificate false in certain particulars. |
Shreya Singhal v. Union of India (Section 66 A)
In the Shreya Singhal v. Union of India judgment, the Supreme Court had observed that the weakness of Section 66A lay in the fact that it had created an offense on the basis of undefined actions, such as causing “inconvenience, danger, obstruction and insult”, which do not fall among the exceptions granted under Article 19 of the Constitution, which guarantees the freedom of speech.
- The court also observed that the challenge was to identify where to draw the line. Traditionally, it has been drawn at incitement while terms like obstruction and insult remain subjective.
- In addition, the court had noted that Section 66A did not have procedural safeguards like other sections of the law with similar aims, such as:
- The need to obtain the concurrence of the Centre before action can be taken.
- Local authorities could proceed autonomously, literally on the whim of their political masters.
- The judgment had found that Section 66A was contrary to both Articles 19 (free speech) and 21 (right to life) of the Constitution. The entire provision was struck down by the court.
Digital Personal Data Protection Act (DPDP), 2023: The act aims to balance the rights of individuals with the need to process digital personal data for legal purposes. It applies to the processing of digital personal data within India, as well as the processing of personal data outside India if it is for offering goods or services in India. The act grants individuals rights such as:
- The right to obtain information about processing
- The right to seek correction and erasure of personal data
- The right to nominate another person to exercise rights in the event of death or incapacity
Rights offered to citizens by personal data security bill 2019
- Right to information and access
- Right to be forgotten
- Right to correction
- Right to data portability
National Digital Communications Policy, 2018: The major focus areas of the policy are as follows:
- To connect, propel, and secure India (Secure digital sovereignty of India)
- Universal broadband connectivity at 50 Mbps to every citizen
- Provide 1 Gbps internet connectivity to all Gram Panchayats
- Ensure connectivity to all uncovered areas
- Attract investments of USD 100 Billion in the Digital Communications Sector
National Cyber Security Policy 2013:
- Set up different bodies to tackle various levels of threats, along with a national nodal agency to coordinate all cyber security matters.
- To promote adoption of global best practices in information security.
- Create a National Critical Information Infrastructure Protection Centre (NCIIPC).
- Create a workforce of around 500,000 trained in cyber security.
- To create a think tank for cyber security policy inputs, discussion and deliberations.
- Provide fiscal benefits to businesses to adopt best security practices.
- To enhance the national and global cooperation among security agencies, CERTs, NCCC etc.
- Set up testing labs to regularly check safety of equipment being used in the country.
- Create a cyber ecosystem in the country, developing effective public-private partnerships and collaborative engagements through technical and operational cooperation.
- Build indigenous security technologies through research.
- To develop bilateral and multilateral relationships in the area of cyber security with other countries.
Institutional Measures
- National Cyber Security Coordinator (NCSC): It coordinates with different agencies at the national level for cyber security matters.
- National Critical Information Infrastructure Protection Centre: Under Section 70A of the IT Act, it is designated as the National Nodal Agency for CII protection.
- Defence Cyber Agency: The union government has established it to deal with matters of cyberwarfare and cybersecurity.
- Indian Computer Emergency Response Team (CERT-In): Section 70B of the IT Act provides for the constitution of CERT-In to maintain India’s cybersecurity and counter cybersecurity threats.
- It issues alerts and advisories about the latest cyber threats as well as coordinated counter-measures.
- Cyber Swachhta Kendra: Botnet Cleaning and Malware Analysis Centre has been launched for the detection of malicious programs and provides free tools to remove them.
- National Cyber Coordination Centre: It was set up to generate necessary situational awareness of cyber security threats and enable timely information sharing for proactive, preventive, and protective actions by individual entities.
- Indian Cyber Crime Coordination Centre (I4C): The Ministry of Home Affairs has set up the I4C to deal with all types of cybercrime in the country, in a coordinated and comprehensive manner. It includes:
- National Cyber Forensic Laboratory: It provides cyber forensic assistance to State/UT Police.
- National Cyber Crime Reporting Portal: to report cyber crimes.
- Citizen Financial Cyber Fraud Reporting and Management System: for immediate reporting of financial frauds and to stop siphoning off funds by fraudsters.
- Massive Open Online Courses (MOOC) platform: namely the ‘CyTrain’ portal has been developed for the capacity building of public officials.
- National Informatics Center (NIC) – The National Informatics Centre is an attached office under the Ministry of Electronics and Information Technology in the Indian government. The NIC provides infrastructure to help support the delivery of government IT services and the delivery of some of the initiatives of Digital India.
The Home Minister recently addressed the first Foundation Day program of the Indian Cyber Crime Coordination Centre (I4C) in New Delhi and launched key initiatives for the prevention of cybercrime.
New Cybersecurity Initiatives:
- Cyber Fraud Mitigation Centre (CFMC):
- CFMC has been established at the Indian Cyber Crime Coordination Centre (I4C) in New Delhi with representatives of major banks, Financial Intermediaries, Payment Aggregators, Telecom Service Providers, IT Intermediaries, and States/UTs Law Enforcement Agencies (LEAs).
- They will work together for immediate action and seamless cooperation to tackle online financial crimes.
- CFMC will serve as an example of "Cooperative Federalism" in law enforcement.
- Samanvaya Platform (Joint Cybercrime Investigation Facilitation System): It is a web-based module to act as a One Stop Portal for data repository of cybercrime, data sharing, crime mapping, data analytics, cooperation, and coordination platform for LEAs across the country.
- 'Cyber Commandos' Program:
- Under this program, a special wing of trained 'Cyber Commandos' in States/UTs and Central Police Organizations (CPOs) will be established to counter threats in the country's cyber security landscape.
- Trained Cyber Commandos will assist States/UTs and Central Agencies in securing the digital space.
- Suspect Registry: It is a new initiative to strengthen fraud risk management by creating a registry of identifiers based on the National Cybercrime Reporting Portal in collaboration with banks and financial intermediaries.
Key Facts about Indian Cyber Crime Coordination Centre (I4C):
- I4C has been established under the Ministry of Home Affairs (MHA) to deal with cybercrime in the country in a coordinated and comprehensive manner.
- The I4C focuses on tackling issues related to cybercrime for citizens, including improving coordination between various LEAs and stakeholders.
- The centre is located in New Delhi.
- Functions:
- To act as a nodal point in the fight against cybercrime.
- Identify the research problems and needs of LEAs and take up R&D activities in developing new technologies and forensic tools in collaboration with academia / research institutes within India and abroad.
- To prevent misuse of cyberspace for furthering the cause of extremist and terrorist groups.
- Suggest amendments, if required, in cyber laws to keep pace with fast changing technologies and international cooperation.
- To coordinate all activities related to the implementation of Mutual Legal Assistance Treaties (MLAT) with other countries related to cybercrimes in consultation with the concerned nodal authority in MHA.
- Components of I4C:
- National Cybercrime Threat Analytics Unit (TAU): For reporting threats pertaining to cybercrimes at regular intervals.
- National Cybercrime Reporting Portal (NCRP): To report various cybercrime complaints by citizens at all India level on a common platform on a 24x7 basis from “anywhere, anytime”.
- National Cybercrime Training Centre (NCTC): To impart training to government officials, especially state law enforcement agencies.
- National Cybercrime Research and Innovation Centre: To carry out research for the development of indigenous tools for the prevention of cybercrimes.
- Platform for Joint Cyber Crime Coordination Team: For coordination, sharing of modus operandi of cybercrimes, data/information among states/UTs LEAs.
- Cybercrime Ecosystem Management Unit: For creating mass awareness in cyber hygiene for prevention of cybercrimes.
- National Cybercrime Forensic Laboratory (Investigation) Ecosystem: For helping LEAs in cyber forensics investigation.
- I4C brings together academia, industry, public and government in the prevention, detection, investigation, and prosecution of cybercrimes.
- I4C has envisaged the Cyber Crime Volunteers Program to bring together citizens with a passion to serve the nation on a single platform and contribute to the fight against cybercrime in the country.
Other Measures
- Chief Information Security Officers: Guidelines have been issued for CISOs for securing applications/infrastructure and compliance in different organisations.
- Cyber Auditing: All the new government websites and applications are audited prior to their hosting and on a regular basis after hosting.
- Cyber Crime Prevention for Women and Children (CCPWC) Scheme: The government has released grants to States/UTs for setting up a Cyber Forensic cum Training Laboratory and organising capacity-building programs on cyber awareness and cyber crime investigation.
International cooperation:
Budapest Convention on Cybercrime, 2001
- It deals with issues such as infringements of copyright, computer-related fraud, child pornography and violations of network security.
- It aims to pursue a common criminal policy, especially by adopting appropriate legislation and fostering international police as well as judicial co-operation.
- It is supplemented by a “Protocol on Xenophobia and Racism” committed through computer systems.
- India is not yet a member. The Convention has 56 members, including the US and the UK.
- This convention of the Council of Europe is the only binding international instrument on this issue that addresses Internet and computer crime by harmonizing national laws, improving legal authorities for investigative techniques, and increasing cooperation among nations.
Global Centre for cyber security
- It is an initiative of the World Economic Forum with its headquarters in Geneva.
- Aims to establish the first global platform for governments, businesses, experts and law enforcement agencies to collaborate on cyber security challenges and to develop a comprehensive regulatory mechanism.
Global conference on Cyber Space
- The conference includes members from government, civil society, and the private sector; its theme is cooperation in cyberspace and enhancing cyber capacity building.
- The conference has been held biennially since 2011.
‘Commonwealth Cyber Declaration’ at the Commonwealth Summit 2018:
- Commonwealth Heads of Government commit to:
- World’s largest inter-governmental commitments on cyber security cooperation.
- A cyberspace that supports economic and social development and rights online.
- Build the foundation of an effective national cyber security response.
- Promote stability in cyberspace through international cooperation.
Signed in April 2018.
Paris call:
- At the UNESCO Internet Governance Forum (IGF) meeting convened in Paris, “The Paris Call for Trust and Security in Cyberspace” was launched, aimed at developing common principles for securing cyberspace.
WAY FORWARD
- Strengthening Existing legal Framework: India’s primary legislation governing cyber crimes is the Information Technology (IT) Act of 2000, which has been amended several times to address new challenges and threats.
- However, the IT Act still has some gaps and limitations, such as the lack of clear definitions, procedures, and penalties for various cyber offences, and the low conviction rate of cyber criminals.
- India needs to enact comprehensive and updated laws that cover all aspects of cyber security, such as cyber terrorism, cyber warfare, cyber espionage, and cyber fraud.
- Enhancing Cyber Security Capabilities: India has several initiatives and policies to improve its cyber security, such as the National Cyber Security Policy, the Cyber Cells and Cybercrime Investigation Units, the Cyber Crime Reporting Platforms, and the Capacity Building and Training programs.
- However, these efforts are still inadequate and fragmented, as India faces a shortage of technical staff, cyber forensics facilities, cyber security standards, and coordination among various stakeholders.
- India needs to invest more in developing its human and technological resources, establishing cyber security centers of excellence, adopting best practices and standards, and fostering collaboration and information sharing among different agencies and sectors.
- Establish a Cyber Security Board: India must establish a cyber security board with government and private sector participants that has the authority to convene, following a significant cyber incident, to analyse what happened and make concrete recommendations for improving cybersecurity.
- Adopt a zero-trust architecture, and mandate a standardised playbook for responding to cybersecurity vulnerabilities and incidents. Urgently execute a plan for defending and modernising state networks and updating its incident response policy.
- Expanding International Cooperation: India is not alone in facing the challenges of cyber security, as cyber attacks transcend national boundaries and affect the global community.
- India needs to engage more with other countries and international organisations, such as the United Nations, the International Telecommunication Union, Interpol, and the Global Forum on Cyber Expertise, to exchange best practices, share threat intelligence, harmonise cyber laws and norms, and cooperate in cyber investigations and prosecutions.
- India also needs to participate more actively in regional and bilateral dialogues and initiatives, such as the ASEAN Regional Forum, BRICS, and bilateral forums like the Indo-US Cyber Security Forum, to build trust and confidence, and to address common cyber security issues and interests.