Elaborate Notes
Definition and Scope of Cyber Security
Cyber Security, as defined under the Information Technology (IT) Act of 2000, refers to the practice of protecting computer systems, networks, devices, and the information stored therein from unauthorised access, use, disruption, disclosure, modification, or destruction. This definition encompasses a wide array of protective measures designed to maintain the Confidentiality, Integrity, and Availability (CIA) of digital information and infrastructure.
- Confidentiality: Ensuring that information is not disclosed to unauthorised individuals, entities, or processes.
- Integrity: Maintaining the consistency, accuracy, and trustworthiness of data over its entire lifecycle.
- Availability: Ensuring that systems, applications, and data are accessible to authorised users when needed.
Vulnerability and Cyber Attack Landscape in India
India’s rapid digitalisation, driven by initiatives like Digital India, has exponentially increased its “attack surface,” making it a prime target for cyber adversaries.
Statistical Overview:
- National Crime Records Bureau (NCRB) Data (2022): The report “Crime in India – 2022” highlighted a significant 24.4% surge in registered cybercrime cases compared to 2021. This indicates an accelerating trend, as the increase in 2021 over 2020 was a more modest 11.8%.
- Motivations for Cybercrime:
- Fraud (64.8%): The predominant motive, encompassing phishing, online shopping fraud, and OTP fraud.
- Extortion (5.5%): Includes blackmailing and ransomware attacks.
- Sexual Exploitation (5.2%): Involves cyberstalking, morphing, and dissemination of obscene material.
- Ransomware Incidents: A 2022 report by the cybersecurity firm Sophos, “The State of Ransomware 2022,” indicated that 68% of Indian organisations surveyed had been hit by ransomware in the preceding year, reflecting a high vulnerability in the corporate sector.
Prominent Examples of Cyber Attacks:
- Indian Council of Medical Research (ICMR) Data Leak (2023): The personal data of over 81 crore Indian citizens, including Aadhaar and passport details, sourced from the ICMR’s database, was allegedly put up for sale on the dark web. This incident highlighted severe vulnerabilities in the security of national health data repositories.
- All India Institute of Medical Sciences (AIIMS) Server Attack (2022): The servers of AIIMS, New Delhi, were crippled by a major ransomware attack. The incident, suspected to have originated from China, compromised the sensitive health records of an estimated 3-4 crore patients and disrupted hospital services for nearly two weeks.
- Mumbai Power Outage (2020): A massive power grid failure plunged Mumbai into darkness. A study by the US-based cybersecurity firm Recorded Future claimed that this was likely caused by a Chinese state-sponsored group, RedEcho, which had introduced malware into India’s critical power infrastructure systems.
- Petya Ransomware Attack on JNPT (2017): The operations at Jawaharlal Nehru Port Trust (JNPT), India’s largest container port, were severely disrupted by the ‘Petya’ ransomware attack. The malware affected the systems of the port operator A.P. Moller-Maersk, causing significant economic losses and logistical chaos.
Threats from Adversary States
State-sponsored cyber attacks are a significant threat to India’s national security, economic stability, and critical infrastructure.
- Target for Cyber Espionage: Reports from cybersecurity firms like FireEye (now Mandiant) have consistently placed India among the top five most targeted nations in the Asia-Pacific region for state-sponsored cyber espionage, particularly from China and Pakistan.
- Economic Impact: A 2019 report by the security firm Symantec estimated that cyber attacks cost the Indian economy over ₹1.25 lakh crore that year alone.
- Expanding Digital Footprint: India’s internet user base has grown phenomenally, from just 4% of the population in 2007 to approximately 60% by 2023 (as per various industry reports), creating a vast pool of potential targets.
- E-governance Vulnerabilities: The push for e-governance has centralised vast amounts of citizen data. Programmes like Aadhaar (the world’s largest biometric ID system), UPI (Unified Payments Interface), and DigiLocker, while beneficial, are high-value targets for adversaries seeking to steal data or disrupt governance.
Typology of Cyber Threats Faced by India
Cyber threats can be broadly categorised based on the actor’s motive and methodology.
- Cybercrime: Criminal activities where a computer or network is the source, tool, or target.
- Phishing: Fraudulent attempts, usually made through email, to steal sensitive information like passwords and credit card numbers by masquerading as a trustworthy entity.
- Cyberstalking: The use of the internet or other electronic means to stalk or harass an individual, a group, or an organization.
- Child Pornography: The creation, distribution, and possession of sexually explicit images or videos of minors. This is a grave offense under the IT Act (Section 67B) and the POCSO Act, 2012.
- Denial-of-Service (DoS) Attacks: An attempt to make a machine or network resource unavailable to its intended users by overwhelming it with a flood of internet traffic.
- Cyberwarfare: The use of cyber attacks by one nation-state to disrupt the critical computer systems of another, with the aim of creating damage comparable to traditional warfare.
- Stuxnet (discovered in 2010): A landmark example of cyberwarfare. It was a malicious computer worm, widely believed to be a joint American-Israeli creation, designed to sabotage Iran’s nuclear program. It specifically targeted Siemens SCADA systems and caused substantial damage to uranium enrichment centrifuges at the Natanz facility.
- Wiper Malware in the Russia-Ukraine Conflict: Unlike ransomware, which encrypts data for a ransom, wiper malware is designed to permanently erase data from targeted systems. In the context of the Russia-Ukraine conflict, numerous wiper malware families (e.g., WhisperGate, HermeticWiper) were deployed. A significant attack targeted the ViaSat satellite network, which severely disrupted Ukraine’s military communications at the onset of the invasion in 2022.
- Cyber Terrorism: The intentional use of computer networks and digital technologies by terrorist organizations to cause destruction and harm in pursuit of political, religious, or social objectives. This includes:
- Using the internet for propaganda, recruitment, and radicalisation (e.g., ISIS’s prolific use of social media).
- Attacking critical infrastructure like power grids, financial systems, or air traffic control to cause widespread panic and disruption.
- Fundraising through illicit online activities.
India’s Cyber Security Architecture
India has established a multi-layered framework to address cyber threats, comprising legal, policy, and institutional mechanisms.
Legal Framework:
- The Information Technology Act, 2000 (and its 2008 Amendment): This is the primary legislation dealing with cybercrime and e-commerce.
- Section 43A: Imposes a liability on corporate bodies to protect sensitive personal data and provides for compensation to victims in case of negligence.
- Section 66C (Identity Theft): Penalises the fraudulent or dishonest use of another person’s electronic signature, password, or other unique identification feature.
- Section 66D (Cheating by Personation): Deals with cheating by using a computer resource.
- Section 66E (Violation of Privacy): Criminalises the intentional capture, publication, or transmission of images of a person’s private area without their consent.
- Section 66F (Cyber Terrorism): Defines and prescribes punishment for acts of cyber terrorism, which can extend to life imprisonment.
Policy Framework:
- National Cyber Security Policy, 2013: Articulated a vision to build a secure and resilient cyberspace for citizens, businesses, and the government. Key objectives included:
- Human Resource Development: Creation of a workforce of 5 lakh cybersecurity professionals within 5 years.
- Critical Infrastructure Protection: Establishment of a nodal agency, the NCIIPC, to protect Critical Information Infrastructure (CII).
- Proactive Defence: Developing a 24/7 National Level Computer Emergency Response Team (CERT-In) for proactive threat detection and response.
- Organizational Mandates: Encouraging all organizations (public and private) to designate a Chief Information Security Officer (CISO).
- Standards and Compliance: Promoting the adoption of global security standards like ISO 27001.
- Incentivisation: Recommending fiscal benefits for businesses that adopt best cybersecurity practices.
Institutional Framework:
- National Critical Information Infrastructure Protection Centre (NCIIPC): Established under the National Technical Research Organisation (NTRO), it is the nodal agency for protecting the nation’s CII in sectors like Power, Banking, Telecom, and Defence.
- Indian Computer Emergency Response Team (CERT-In): The national nodal agency under the Ministry of Electronics and Information Technology (MeitY) responsible for responding to cybersecurity incidents, issuing advisories, and conducting training. Sectoral CERTs (e.g., for finance, power) also exist.
- Cyber Swachhta Kendra (Botnet Cleaning and Malware Analysis Centre): An initiative under MeitY that detects malicious programs (bots) in citizens’ computers and provides free anti-malware tools for their removal.
- Indian Cyber Crime Coordination Centre (I4C): Established under the Ministry of Home Affairs (MHA), it acts as a nodal point in the fight against cybercrime and coordinates law enforcement actions.
- National Cyber Crime Reporting Portal (cybercrime.gov.in): A citizen-centric portal managed by I4C that allows people to report all types of cybercrimes, especially those against women and children.
- National Information Board (NIB): An apex body headed by the National Security Advisor (NSA) responsible for high-level coordination and policy formulation on information security and warfare among various ministries and agencies.
Challenges in India’s Cyber Security Framework
Despite the established architecture, India faces significant challenges in securing its cyberspace.
Legal Challenges:
- Lack of Dedicated Procedural Law: India does not have a specific procedural law for electronic evidence, forcing reliance on the traditional Indian Evidence Act, 1872, which is often inadequate for handling digital evidence, leading to low conviction rates.
- Outdated IT Act: The IT Act was last amended in 2008. The cyber threat landscape has evolved drastically since then with the emergence of new threats like ransomware, crypto-jacking, and AI-powered attacks, which are not explicitly defined or addressed in the current law.
Institutional Challenges:
- Multiplicity and Coordination Gaps: There are multiple bodies with overlapping mandates (e.g., CERT-In, NCIIPC, National Cyber Security Coordinator). This can lead to a lack of clear accountability and coordination during a large-scale cyber incident.
Policy-Related Challenges:
- Outdated National Policy: The National Cyber Security Policy of 2013 is now considered outdated. There is an urgent need for a new, dynamic policy that addresses contemporary challenges like data protection, IoT security, and the use of AI in cyber warfare.
- Absence of a Cyber Doctrine: India lacks a publicly articulated cyber security doctrine that would outline its stance on cyber warfare, espionage, and deterrence strategies.
Infrastructural Challenges:
- Hardware Dependency: India imports a significant portion (estimated around 70%) of its telecom and IT hardware, primarily from China. This raises concerns about embedded malware, backdoors, and supply chain vulnerabilities.
- Forensic Capabilities: Many state-level police forces lack advanced digital forensic labs and the technology required to investigate complex cybercrimes effectively.
- Data Localisation: A significant amount of Indian user data is stored on servers located abroad, making it difficult for Indian law enforcement agencies to access this data for investigations due to differing legal jurisdictions.
- Low R&D Expenditure: India’s spending on R&D in cybersecurity is minuscule compared to global powers, hindering the development of indigenous security technologies.
Human Resource Challenges:
- Skill Gap: There is a severe shortage of trained cybersecurity professionals in the country. The target of 5 lakh professionals set by the 2013 policy has not been met.
- Capacity Building in Law Enforcement: The majority of police personnel at the local level lack the technical training and expertise needed to handle cybercrime investigations.
- Lack of Deterrence: Weak enforcement and low conviction rates create a lack of deterrence for both criminals and organizations that fail to implement adequate data protection measures.
Prelims Pointers
- IT Act, 2000: Defines cyber security and provides the primary legal framework for cybercrime in India.
- Section 66F of IT Act: Defines and penalises Cyber Terrorism.
- Section 43A of IT Act: Makes corporate bodies responsible for protecting sensitive personal data.
- National Crime Records Bureau (NCRB): Publishes the “Crime in India” report, which provides official statistics on cybercrime.
- 2022 NCRB Data: Cybercrimes in India saw a 24.4% increase.
- Stuxnet: A computer worm that targeted Iran’s nuclear program; an example of cyberwarfare.
- Petya: A type of ransomware that affected global systems, including India’s JNPT port in 2017.
- Wiper Malware: Malicious software designed to permanently erase data, used extensively in the Russia-Ukraine conflict.
- National Cyber Security Policy: Released in 2013.
- Policy Target (2013): To train 5 lakh cybersecurity professionals.
- CERT-In (Indian Computer Emergency Response Team): National nodal agency for responding to cyber security incidents. It operates under the Ministry of Electronics and Information Technology (MeitY).
- NCIIPC (National Critical Information Infrastructure Protection Centre): Nodal agency for protecting Critical Information Infrastructure. It operates under the National Technical Research Organisation (NTRO).
- I4C (Indian Cyber Crime Coordination Centre): A nodal centre to combat cybercrime, functioning under the Ministry of Home Affairs (MHA).
- Cyber Swachhta Kendra: Also known as the Botnet Cleaning and Malware Analysis Centre.
- National Information Board (NIB): Apex body for inter-ministerial coordination on information security, headed by the National Security Advisor (NSA).
Mains Insights
GS Paper III: Security
- Cyber Security as a Component of National Security:
- Fifth Domain of Warfare: Cyberspace is now recognised as the fifth domain of warfare, alongside land, sea, air, and space. State and non-state actors can inflict significant damage without physical confrontation. The Mumbai power grid attack is a potent example of how cyber attacks can be used to cripple a nation’s critical infrastructure.
- Cause-Effect Analysis: Rapid digitalisation (e.g., UPI, Aadhaar, Co-WIN platform) has improved governance and convenience but has simultaneously created centralised, high-value targets. A successful attack on these systems can cause widespread economic chaos and erode public trust in the state.
- Hybrid Warfare: Adversary states increasingly use cyber attacks as part of a “hybrid warfare” strategy, combining conventional military threats with disinformation campaigns, economic coercion, and cyber disruption to destabilize a target nation.
- Challenges and Way Forward:
- Multi-faceted Challenges: India’s cyber security challenges are systemic, spanning legal, institutional, infrastructural, and human resource domains. A piecemeal approach is insufficient.
- Suggested Reforms (The 4 ‘P’s Model):
- Policy: Unveiling a new, updated National Cyber Security Strategy that is dynamic and addresses modern threats like AI-driven attacks, IoT security, and data protection. It should also include a clear cyber deterrence doctrine.
- People: A massive push for capacity building, including upskilling law enforcement, integrating cybersecurity into the formal education curriculum, and fostering public-private partnerships for skill development.
- Processes: Streamlining institutional processes to improve inter-agency coordination. A single, empowered nodal agency for cyber security, possibly a statutory body, could be considered to reduce fragmentation.
- Partnership: Enhancing international cooperation through bilateral and multilateral agreements for intelligence sharing and joint investigations. India’s accession to conventions like the Budapest Convention on Cybercrime should be reconsidered to improve cross-border data access for law enforcement.
GS Paper II: Governance & Polity
- Legislative and Policy Gaps:
- The outdated IT Act (2000) and Cyber Security Policy (2013) reflect a policy lag in a rapidly evolving technological landscape. This highlights the need for a more agile and adaptive legislative process for technology-related issues.
- The journey of the Data Protection Bill, from the Justice B.N. Srikrishna Committee (2018) report to the enactment of the Digital Personal Data Protection Act (2023), underscores the challenges of balancing privacy (a fundamental right under the Puttaswamy judgment, 2017), innovation, and state security interests.
- Institutional Overlap and Federalism:
- The multiplicity of agencies at the central level (CERT-In, NCIIPC, NCSC) creates coordination challenges.
- ‘Police’ and ‘Public Order’ are State subjects. Effective cybercrime investigation requires synergy and capacity building at the state level, which remains a significant challenge. Initiatives like I4C aim to bridge this federal gap but require greater investment and political will.
GS Paper IV: Ethics
- Privacy vs. Security:
- Measures to enhance cyber security, such as surveillance and data monitoring, often clash with the individual’s right to privacy. The ethical dilemma for the state is to determine the proportionate and necessary level of intrusion required for national security without creating a surveillance state.
- Corporate Ethics and Data Fiduciary Responsibility:
- Section 43A of the IT Act mandates corporate responsibility, but data breaches are rampant. This raises ethical questions about whether corporations are prioritising profits over the security of their users’ sensitive data. A strong ethical framework, coupled with stringent penalties for negligence, is essential.