Cybersecurity Policy: Need For India To Amp Up Its Legislations & Cyber Infrastructure Policy

Introduction

India has been rapidly making its mark in the world for gradually establishing itself as a technology hub, with government supported policies and schemes. But since the access to cyber systems has been a late newcomer to the Indian economy, the growth of proper and adequate laws to bridge the problems faced by an increasingly tech savvy population. ^[1]This has given rise to a whole new dimension of crime known as “cybercrime”. In a country which has seen an increase in cyber-terrorism incidents, both internationally and domestically towards the end of the 21st century gave an increased impetus to establish cyber security mechanisms.

It would be an understatement to express that, in the globalized world, the Internet and Information and Communication Technology are essential for the economic and social development for people collectively and for nation states as a whole. They form spaces for vital digital infrastructural platforms upon which the proper and able functioning of societies, economies, and governments rely on. But since the internet has a relatively open nature, it often manifests itself as an unsafe as well as a toxic environment.^[2]

As such, cyber security has come to encompass a wide range of issues such as critical infrastructure protection, cyber terrorism, cyber threats, privacy issues, cybercrime, and cyber warfare. The word “cybercrime” has not been defined explicitly in any of the legislations of India but has been interpreted to include cyber stalking, spamming, cyber pornography, phishing, software piracy etc.^[3]

India has not only national obligations for the establishment of a proper cyberspace but also International obligations. ^[4]India has refrained from acceding to the Budapest Convention due to their absence at the negotiating table and for the maintenance of state sovereignty.^[5] India’s achievement in making developments in cyber technology has been evident from its inclusion in international groups like ITU-IMPACT and the Council of Security Cooperation in Asia Pacific (CSCAP), UN Group of Governmental Experts on IT, Global Conference on Cyber Space (GCCS)^[6].

With the growing rate of statistics associated with cyber warfare which threaten sensitive data or national security and sovereignty of a country as a whole, India’s bilateral concerns in the face of “war against terror” has solidified. India shares a tumultuous relationship with its neighbour countries of Pakistan and China which makes its regional cooperation on security a complex one. Even then, multilateral regional associations as the ASEAN and the Shanghai Cooperation Organisation have also marked cyber security as an important policy agenda^[7]

Even though a lot of the lacunae inherent in the laws of India regarding cyber laws and cybercrimes have been bridged, work still remains for inclusion of a more robust infrastructure sharing mechanism between government and private bodies, allowing and incentivising the participation of more private entities in government contracts.

Indian Regulatory Approach

The strides India has made towards its dream of achieving a more technologically able and digitally equipped India has indeed been recommendable. The policy in India has always been extremely diplomatically adept and aligned with sovereignty concerns combined with a state-centric approach keeping India’s sovereignty and national security in mind.^[8]

It becomes crucial to admit in this context that the growth of a more robust technical system implementation was largely hampered in India due to the lack of awareness and lacunae in the system towards adapting to a more adequate structure which ensures security. The regulatory gaps for the country to ensure a strong technological framework were smoothened out by the Wassenar Agreement.^[9]

The liberalization of the Indian economy caused the widespread usage of computers and thus the need for the regulatory action on Cyberspace arose. When the Indian Information technology Act, 2000 was adapted, the act was not pervasive in its effect and its lacunae were multifold. The Indian Computer Emergency Response Team (CERT-in) was established in 2004

and has played a major role in the maintenance of cyber security in India. But it lacked comprehensibility. The IT Act amended in 2008 focused upon demarcating the roles and the powers of CERT-in by the introduction of penal action against cyber threats, cyber-terrorism, data protection and identity threats.

The development of a framework was brought about in 2013 with the introduction of The National Cyber Security Policy which emulates policy objectives for the Central Government agencies i.e. CII and NCIIPC to comply with.^[10] Critical Information Infrastructure (CII) is defined as those facilities, systems or functions whose incapacity or destruction would cause a debilitating impact on national security, governance, economy and social well-being of a nation.^[11] This policy highlights the social and economic significance of the protection and importance of personal data, firewalls against cybercrime, and upholding and maintenance of the critical infrastructure to maintain the smooth functioning of the national economy against cyber terrorism.^[12] The policy of India regarding cyber security has often been mainly moulded around the role of the state is a largely unilateral process. This has resulted in a structural framework which largely emphasises the Government’s role in cyber security, towards achieving the specific cyber security objectives of national security, defense and other critical areas identified by the Government.^[13] But there is an extensive need for a multi-lateral approach and support as well as incentivising schemes for engaging the private sector within the policymaking procedure for singular inputs.

Problems related to Implementation

The Cyber Security Policy as well as the IT Act are indeed some commendable steps which have been taken to recognise the various facets and nuances of cyber security and making laws for overcoming the challenges,^[14] but it still lacks in some places especially in highlighting the definition of what exactly constitutes as being a “cybercrime”, does not demarcate the different approaches which are to be undertaken for facilitation of a stronger and well equipped national cyber security nor does it clearly spells out the aims and goals of the Central Government approaching this arena. There is a clear lack of debates and discourse about how the responses would vary from attacks against the critical infrastructure or cyber terrorism from crimes like data theft. It provides no track for measuring the goals or achievements for gaining ground in this topic. ^[15]

The Five Year Plan XII report on Cyber Security for 2017-2022 also resembles the other policies and legislations in terms of its glaring vagueness and open-endedness. Even though the Plan Report identifies some clear steps which can be taken to be target deliverables for the achievement of the end goal, only a very few distinct are operational.^[16]

The IT Act as well as the IPC possess penal provisions to prosecute crimes like theft of data, hacking, cyber terrorism etc. under these legislations but they are not harmonised or coordinated through law enforcement agencies and there is little distinction between cyber-dependent crimes and cyber-enabled crimes and no policy to approach the former or distinctly define. Absence of specialised investigating teams, lack of proper provisions for search and seizure, lack of awareness and guidance at the stage of collation for evidence, jurisdictional issues for the registration of a proper complaint makes the mode and manner of availing remedies extremely tough. ^[17]

The law remains significantly skewed in favour of the government authorities to infringe upon the rights of public individuals and their data held by private parties.^[18] The data of an individual as well as the consumer protection data vis-a-vis online services are not covered by any cyber law legislation and their remedies are found in scattered jurisprudence of private law, consumer acts, contractual remedies, etc. The primary umbrella tool for data protection remains a sole provision for reasonable security practices required by ‘body corporates’ under Section 43A of the IT Act, read with the Reasonable Security Practices Guidelines, which require compliance with reasonable security standards prescribed under the guidelines, such as ISO 27001 Information Security Management Standard or any other standard with government approval.

There is no formal framework for consulting industries and associations like the ones described above, nor any mechanism for certification of industry standards (the IT Act currently endorses the ISO 27001 InfoSec standard).^[19] Political lobbying in India is not regulated and consultative initiatives are largely on an ad-hoc basis. One of these initiatives is the Joint Working Group (JWG) on Cyber Security which aims to set up an institutional framework for cyber security collaboration between private entities and public sector bodies.^[20] Even then, most of the recommendations of the JWG report have not been operationalised^[21].

The JWG as well as the collaboration between Indian and US industry associations mooted Information Sharing and Analysis Centres (ISAC), which are crucial for sharing information and jointly collaborating against cyber threats, which have not yet received any formal recognition.^[22]

Apart from a singular ISAC which has been set up for the finance sector, and an Institute for Development and Research in Banking Technology, there is a lack of ISAC’s set up by the Government of India.^[23] Further, the Government needs to empanel independent auditing bodies to conduct auditing of its cyber security practices. ^[24]

Even within Government institutions, there is no clear demarcation of primary bodies which are responsible for the development of cyber security policy.^[25] The responsibility for the same is scattered over various bodies- the Ministry of Electronics and Information Technology, the Home Ministry, and the National Information Board and National Security Council, responsible for the office of the Prime Minister. This lack of coordination between the different government agencies hampers the growth of a formal inter-governmental information sharing mechanism and thus the task of operationalising falls on law enforcement agencies and newly minted CERT-in and NCIIPC. Thus the need of the hour is a central coordinating agency for law enforcement and government policymaking bodies.^[26]

Need For Changes and Suggestions For The IT Act and National Cyber Security Policy

Even though India does have in place the Information Technology Act, its lack of comprehension and clarity on provisions make the need of reviewing these laws urgent. The literature on the definition of “cybercrime” is vague and needs modification to prevent exhaustive interpretation. In this instance, policymakers can look upto Saudi Arabia’s Anti Cyber Crime Law^[27] for guidance of a statutory definition. Some of the necessary suggestions are as follows:

1. S 65 IT Act^[28]: deals with “tampering of source documents” but the provision solely deals with theft of source code only. S 43(j)^[29] also deals with theft and penalises sealing, concealing, destroying code with the intent of damaging. Thus the presence of two similar sections becomes redundant and must be harmonised for effective reinforcement.
2. S 66 IT Act^[30]: makes offences (specified under S 43 IT Act) done with a fraudulent or dishonest intention to be deemed punishable, but S 43^[31] is spread out over nine subsections each which deal with a broad offence category like hacking, virus attacks etc but fails to shed light on its nuances. Thus ambiguity in provisions of law ceases being deterrent and becomes detrimental to the overall functioning.
3. S 66 r/w S 43(i) IT Act: the provision under this must be amended to make destruction, deletion or alteration of information residing in a computer resource or diminishing its value or affecting it injurious a civil or criminal liability. The mens rea element must sustain the constitutionality of S 66 IT Act.
4. S 66 C IT Act: in cases of cyber-crimes such as phishing, to combat identity thefts the provision must be precise and must be amended to clarify the parameters of “identity” tht are protected under the provision, for e.g. inclusion of biometric information may constitute as identity markers.
5. S 66 D IT Act:^[32] the provision is at par with the Indian Penal Code for cheating by personation but it must be clearly worded to be applicable to the online domain.
6. S 66 E IT Act^[33]: this provision deals with the publication or transmission of images or videos of private parts of individuals without their consent and has been much abused. Thus, as held in the case of Justice Puttaswamy vs Union of India, it is imperative to review the provision to include protection of privacy of individuals as whole and not just their private parts. Thus a larger privacy protective measure must be accorded to the individuals and not just images of a sensitive nature.

Due to the increasing instances of offences like “revenge porn”, heinous offences of gang rape videos being uploaded online etc. it is also suggested that a more stringent form of punishment than what is currently prescribed in the statute must be provisioned to act as a successful deterrent, especially for crimes against women and children. These higher and more heinous offences must be made non-bailable and a specific and clear timeline must be specified for initiation and completion of trials to prevent extending them in courts.

1. S 66 F IT Act:^[34] this section deals with cyber terrorism and included after the Mumbai 2008 attacks and the deletion of S 66 F(b)^[35] is recommended.
2. S 67 IT Act^[36]: the nature is almost similar to S 292 IPC ^[37]yet it is not explicitly harmonised with the provisions and exceptions in IPC which protect free speech and expression of individuals.^[38] It has been rampantly in use for prosecution of “cyber defamation”. The term must be clearly explained and illustrated in the act.
3. S 69 IT Act:^[39] deals with monitoring, decryption and blocking of online content for the purpose of keeping in place a mechanism of checks and balances but has mainly been misused by Government entities without any fleeting consideration for civil rights and liberties. Rules and provisions must be framed for due protection of freedom of speech and expression
4. S 75 IT Act: provides for extra territorial jurisdiction for enforcement of provisions but so are certain sections of IPC and CrPC. It is further recommended that the cyber policies for ease of enforcement across borders be necessitated since most of the occurrence of cybercrimes are not limited to one particular geographical territory but extends across multiple jurisdictions with multiple legislations. This implies that prosecution can be legally carried out under multiple legislations and there is a desynchronisation amongst them.

S 66 A IT Act ^[40]which deals with cyber bullying was struck down by the Supreme Court due to the rampant abuse in the case of Shreya Singhal vs UOI ^[41]. India must aim for a precise and specific provision for extreme verbal violence over the internet, “trolling”, actions instigating self-harm and hate speech which must not leave any space for being open-ended.

S 65 A and S 65B (4) of the Indian Evidence Act, 1872 were drawn from the extremely convoluted and complicated laws of the UK which already underwent extensive changes. It is recommended the provisions under this be amended to make secondary electronic records transparent.

Apart from these, special tribunals must be formed along with vesting the authoritative powers with Cyber Appellate Tribunal for quicker resolution and handling civil remedies. Partnerships should be planned with various stakeholders including private sector entities, academia, civil society and independent security researchers and make the whole process verifiable and auditable by the usage of FOSS software. Even though S 46 IT Act^[42] mandates the formation of the post of Adjudicating Officer for the centralised coordination and investigation, the same was never constituted and now the authority stands with the Ministry of IT.

Intermediary liability must be protected as pursuant to the case of Avinash Bajaj vs. State of Delhi^[43] that the S 79 IT Act ^[44]be revisioned and more strongly worded to prevent interpretation which may cause a counterproductive effect to both the intermediaries and the victims. The focus must be put on the absolute clarity on the rights and protections accrued to the intermediaries, their duties and the penalties for their violations.

For the judiciary to act upon this issue, special courts with a complete separate machinery of special prosecutors and a trained police force system must be devised for quicker and specialised resolution of cases.^[45]

India’s approach towards devising a policy especially suited for combating cybercrimes has always been reactive rather than having a proactive response. The policymakers must also strive towards effective enforcement alternatives.^[46] To conclude, merely having ambiguous provisions in a legislation to combat a growing menace of an increasing number of crimes neither serves the interests of neither the Government nor its commitments to the general populace. ^[47] With the notorious menace of cybercrimes and cyber-attacks looming large over our heads India has to take strong, iron-handed measures to effectively combat these crimes in its jurisdictions before it begins tackling larger offences.

Thus, the need arises for tackling the problem with concrete and air tight provisions on a war footing immediately.

Conclusion

Cyber security is clearly a growing priority for India – both for government policy as well as for a private sector and a society which is becoming increasingly reliant on a secure internet. While India’s cyber security framework indicates a clear need to secure socially and economically important sectors like banking and finance, energy, cyber security is identified as being particularly critical to India’s foreign policy and defence objectives.^[48]

Indeed, the ever-growing interdependence of the digital sphere, across borders, has provoked the emergence of cyber security as a major component of national security strategies in states across the globe and for being equally technologically advanced, India should not delay in following their example.^[49]

Similarly, while cyber security policy acknowledges the variety of factors which could pose threats to cyber security – including foreign states, criminals, accidents or natural disasters – policy is largely focused on tackling organized cyber threats such as terrorist groups or foreign states, which could pose a threat to national security, and as such, cyber security is not seen as an objective to achieve through a multilateral approach, with a heavy preference for fulfilling statist and nationalist objectives through policy.^[50] Moreover, policy in India is focused upon improving its cyber defensive strategies rather than its cyber offensive capabilities.

About the author

Introduction: Medha Biswas is a first year student at West Bengal National University of Juridical Sciences (WBNUJS), Kolkata. She takes an immense interest in Technology and International Law.

References

1. Pillai, P. (2012). “History of Internet Security.” http://www.buzzle.com/articles/history-of-internet-security.html (Last visited on May 6, 2021). ↑

2. ibid ↑

3. Cybercrime classification, Available: http:// shodhganga. inflibnet.ac.in/

   bitstream /10603/7829/12/12_ chapter % 203.pdf [Last visited on May 6, 2021]. ↑

4. Cavelty, M. D. “The Militarisation of Cyber Security as a Source of Global Tension.”

   Mockli, Daniel, Wenger, and Andreas, eds. Strategic Trends Analysis. Zurich: Center for

   Security Studies (2012). ↑

5. Alexander Seger, India and the Budapest Convention, October 2016 http://www.orfonline.org/expert-speaks/india-and-the-budapest-convention-why-not/ (Last visited on May 6, 2021). ↑

6. Press Information Bureau, http://pib.nic.in/newsite/PrintRelease.aspx?relid=113218 . ↑

7. Sebastian Moss, India, US sign another agreement on cyber security, January 2017 http://www.datacenterdynamics.com/content-tracks/security-risk/india-us-sign-anotheragreement-on-cyber-security-cooperation/97606.fullarticle (Last visited on may 6) ↑

8. Gregory T. Nojeim, Cybersecurity and Freedom on the Internet, 4 Journal Of National Security Law &

   Policy, 119, (2010). ↑

9. Saikat Datta, Internet Democracy Project, Cybersecurity, Internet Governance and India’s Foreign

   Policy: Historical Antecedents, (January 2016) available at https://internetdemocracy.in/reports/

   cybersecurity-ig-ifp-saikat-datta/. (Last visited on May 6) ↑

10. National Critical Information Infrastructure Protection Centre, Annual Report, http://nciipc.gov.in/ ↑

11. S 70(1) of the IT Act Amendment 2008 ↑

12. New Delhi: Data Security Council of India, DSCI, Analysis of National Cyber Security Policy (NCSP–2013), 2013. ↑

13. Government of India, Discussion Draft on National Cyber Security Policy. New Delhi:

    DIETY, 2011. ↑

14. Aiyengar, S. R. R., National Strategy for Cyberspace Security. New Delhi: KW Publisher, 2010. ↑

15. Patil, P. R. and Bhosale, D. V. “Need to Understand Cyber Crime‟s Impact over National

    Security in India: A Case Study.” Online International Interdisciplinary Research Journal 3

    (4): 167–171., 2013. ↑

16. Government of India, Annual Report on Cyber Security Policy, http://meity.gov.in/writereaddata/files/downloads/Plan_Report_on_Cyber_Security.pdf ↑

17. Walstrom, M., “India’s Electrical Smart Grid: Institutional and Regulatory Cybersecurity

    Challenges.” Seattle: Henry M. Jackson School of International Studies, 2016. ↑

18. Manoharan, N. “India’s Internal Security Situation: Threats and Responses.” India Quarterly:

    A Journal of International Affairs 69 (4): 367–381, 2013. ↑

19. https://www.iso.org/isoiec-27001-information-security.html ↑

20. Press Information Bureau, http://pib.nic.in/newsite/mbErel.aspx?relid=89361 ↑

21. Press Information Bureau http://pib.nic.in/newsite/printrelease.aspx?relid=88442 ↑

22. Ministry of External Affairs, India, US Bilateral Documents, http://www.mea.gov.in/bilateral-documents.htm?dtl/6014/indiaus+cyber ↑

23. Press Information Bureau http://pib.nic.in/newsite/PrintRelease.aspx?relid=112078 ↑

24. Internet Democracy, https:// internetdemocracy.in/watchtower/. ↑

25. Ravi S Prasad, The Indian Express, http://indianexpress.com/article/business/business-others/cyber-security-coordination-centre-tobe-set-up-ravi-shankar-prasad-3008887 ↑

26. Observer Research Foundation, REport on Cyber Crime,http://www.orfonline.org/expert-speaks/policing-cyber-crimes-need-for-national-cyber-crimecoordination-centre/ ↑

27. Saudi Arabia, Anti Cyber Crime Law, Royal Decree No. M/17 ↑

28. The Information Technology Act, 2000, § 65 ↑

29. The Information Technology Act, 2000, § 43(j) ↑

30. The Information Technology Act, 2000, §66. ↑

31. The Information Technology Act, 2000, §43. ↑

32. The Information Technology Act, 2000, §66 (D). ↑

33. The Information Technology Act, 2000, §66 (E). ↑

34. The Information Technology Act, 2000, §66 (F). ↑

35. The Information Technology Act, 2000, §66 F (b). ↑

36. The Information Technology Act, 2000, §67. ↑

37. The Indian Penal Code, 1860, § 292. ↑

38. NS NAPPINAI, TECHNOLOGY LAWS DECODED (2017) ↑

39. The Information Technology Act, 2000, §69. ↑

40. The Information Technology Act, 2000, §66 A. ↑

41. Shreya Singhal vs UOI, (2013) 12 S.C.C. 73 ↑

42. The Information Technology Act, 2000, §46 ↑

43. Avinash Bajaj vs State of Delhi (NCT of Delhi), (2005) 116 DLT 427: (2005) 79 DRJ 576 ↑

44. The Information Technology Act, 2000, §79 ↑

45. TNN, Special Courts for Cybercrime Cases, Times of India (Ahmedabad) https://timesofindia.indiatimes.com/city/ahmedabad/special-courts-needed-for-cases-of-cyber-crime/articleshow/54400724.cms September 16, 2016. ↑

46. Bamrara, A., G. Singh and M. Bhatt, “Cyber Attacks and Defence Strategies in India: An

    Empirical Assessment of the Banking Sector.” International Journal of Cyber Criminology,

    7 (1): 49–61, 2013 ↑

47. Jain, S. Cyber Security: A Sine Qua Non.

    http://www.indiandefencereview.com/news/cyber-security-a-sine-qua-non/. , 2014. ↑

48. UNODA, Developments in the Field of Information and Telecommunications in the Context of

    International Security. New York: United Nations Office for Disarmament Affairs (2011). ↑

49. UN Office of Drugs and Crime, Comprehensive Study on Cyber Crime, https://www.unodc.org/documents/organized-crime/UNODC_CCPCJ_EG.4_2013/CYBERCRIME_STUDY_210213.pdf (2013). ↑

50. Unnithan, S. Enter the Cyber Dragon: India to Walk an Extra Mile to Match China’s

    Achievement in Cyberspace, India Today, October 26, (2012). ↑