
Introduction:

According to reports from 2016, banks in India faced their biggest breach of personal data & information, affecting about 3.2 million debit cards.[1] Later, in 2018, Cosmos Bank of Pune reported a loss of Rs. 94 crores in just 2 days because of a malware attack allegedly carried out through hackers in Canada & Hong Kong.[2] Most dangerous of all, the National Democratic Alliance (NDA) confirmed in September 2019 that the Kudankulam Nuclear Power Plant, the largest in India, was infected by malware, the origin of which is still not known with certainty.[3]

In the modern-day world, it is nearly impossible to imagine life without the Internet. Especially after the Covid-19 lockdowns, dependency upon Information Technology & Communications has increased exponentially. People are connecting through digital mediums; Education, Finance, Health, etc. are all online nowadays. From personal data to public data, everything online is housed in a space popularly known as Cyber-space. But just like everything else in the world, the boon of Cyber-space also has its bane. The term “cyber-crime” can be defined as the act of using a networked device illegally for the purpose of some financial, personal, or political gain. Such acts may not affect one’s physical body but target the virtual existence of an individual or an organization. Examples of such acts are online banking frauds, phishing scams, identity theft, cyber-extortion, cyber-espionage, crypto-jacking, online harassment, cyber-stalking, cyber-bullying, etc. The main risk of operating in Cyber-space is that there are no limits to the extent to which one can manipulate with absolute anonymity. Such operators can be called cyber-criminals, hackers, cyber-terrorists, etc. These are the crimes of the new generation, and to tackle such practices, a proper dedicated Cyber Security Infrastructure is needed. It is needed not only to safeguard the privacy of individuals but also to strengthen the overall National Security of the Country against Cyber-attacks, Cyber-warfare, and Cyber-crime.

Developments of Cyber Law in India

Needless to say, India has not recognized the need for a dedicated Cyber Security Infrastructure. At present, the issues of cyber-security and data protection are regulated by the Information Technology Act, 2000 (hereinafter the “IT Act”) and rules framed under Section 43A of the IT Act, such as:

  • Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules of 2011, or in short the SPDI Rules, which laid down the procedure for the collection of personal & sensitive data and the measures for processing it thereafter.[4]
  • The Information Technology Intermediaries Guidelines of 2011, under which all intermediaries were required to forbid users from hosting harmful content threatening public health or safety on their platforms. Intermediaries were later also obligated to report any cybersecurity incident to CERT.[5]
  • The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties Rules of 2013, or the CERT Rules, by virtue of which the CERT, i.e. the Computer Emergency Response Team, was formed as the “nodal” agency obligated to collect, analyze and disseminate information related to cyber incidents and to take any emergency measures required to control such incidents.[6]
  • Information Security Practices and Procedures for Protected System Rules of 2018, or the Protected System Rules, which were enacted to ensure that organizations implement specific security measures to safeguard the highly sensitive data mentioned therein. These rules were much awaited due to the global level of threats of cyber terrorism.[7]

The Indian Penal Code also contains various provisions relating to Cyber-security, covering offenses such as Defamation, Cheating, Criminal Intimidation, and Obscenity, which can be committed in Cyber-space. Companies are also obligated to make sure that their computer systems and electronic records are safe from tampering through unauthorized access under the Companies Management and Administration Rules of 2014, or CAM Rules, framed under the Companies Act, 2013.[8]

However, these laws, policies, and rules are limited to acts committed within the territory of India. Even though the IT Act takes under its ambit acts committed outside India in which any computer resource or network of India is involved, it still leaves various ambiguities as regards the question of National Security and the regulation of foreign agencies in the Country. In 2013, the Indian Ministry of Communication and Information Technology also attempted to launch a separate National Cyber-Security policy, which proposed creating a cyber-ecosystem and mechanisms for countering security threats in conformity with International Standards.[9] The news generated interest even abroad, as India is one of the most rapidly growing business outsourcing markets. But unfortunately, it didn’t emerge as a good “coordinated cyber approach,” the reasons for which are still unknown. The failure reflected how little concern the Government had for these matters.[10]

The issues of Cyber-crime and Cyber-terrorism were never specifically included in the Amendments made to the IT Act, an omission that was highly criticized by the Standing Committee on IT (Amendment) Bill of 2006. The Amendment Bill proposed to align the Indian Penal Code with the IT Act to impose penalties, whereas the report suggested that the Penal Code had its origin in Archaic Law and is not efficient in dealing with such issues. The committee recommended exclusive legislation for the governance of Information Technology rather than amendments to the IT Act. Further, it was noted that “the government must build a roadmap to become a part of an omnibus international convention on cybercrimes to effectively address this issue.”[11] Considering the historical developments in India’s Cyber Law, it can be said that India is still far away from achieving a dedicated Cyber Security Infrastructure.

Evolution of Cyber Law: Desideratum for India

Mr. Pavan Duggal, a cyber-law expert and an advocate at the Supreme Court of India, has suggested “dedicated cybersecurity legislation as a key requirement for India. It is not sufficient to merely put cybersecurity as a part of the IT Act. We have to see cybersecurity not only from the sectoral perspective, but also from the national perspective.”[12] This was after the website of the Indian Space Research Organisation’s Antrix was hacked in the year 2015. Further in the interview, commenting upon the Digital India Programme of the Government, Duggal said that, “The push towards building massive IT infrastructure that will transform the country into a connected economy and realize the vision of Digital India, necessitates the need for a strong cybersecurity mechanism to keep the citizen data safe and secure.”[13]

As per the report of Symantec Corp. in 2019, India was the third-most cyber-attacked Nation after U.S.A and China.[14] The IT Act, even when read with the rules and procedures enacted to strengthen the laws against Cyber-threats, is not enough to protect citizens from Cyber-attacks such as Bank frauds, malware, Trojan horses, phishing scams, etc. The personal data and information of citizens have been exposed even more with the launch of the Bharatiya Janata Party’s Digital India Programme. It may be considered a way of providing beneficial services to the public, but it involves the collection of public information at huge levels; for example, the latest Aarogya Setu App mandates that the user give access to his location & Bluetooth services. This system is highly fragile as it lacks proper Cyber Security measures[15], due to which the data of the general public is at risk of being misused.

Digital India: Mission Unaccomplished

Cyber Security has never been an issue raised frequently in society, which is why it never received much attention from the Government. Even the IT Act was drafted and passed with the aim of promoting e-commerce[16]; Cyber-crime was not given much importance until the attacks of 26/11 in 2008, which led to the Amendment of IT Act, 2008.[17] There have been many instances even after 2008 which highlight the failed system of Cyber Security in India, but no step has been taken in this direction yet. The particular examples of Kudankulam & Antrix are more than enough to push the demand for a robust & clear piece of legislation securing National Cyber Security. For Digital India to be a success, focused legislation on Cyber Security is an essential component. It can be understood that the Government of India did not have such a vision back when it amended the IT Act, but, studying the present scenario, the priorities now need to be shifted in favor of achieving the goal of Digital India.

Is India Moving Forward?

After the National Cyber Security Policy, 2013 the Government has taken the following initiatives:

  • National Cyber Security Coordination Centre, 2017
  • National Critical Information Infrastructure Protection Centre
  • Cyber Forensic Laboratory
  • Cyber Swachhta Kendra, 2017
  • Cyber Surakshit Bharat, 2018
  • The Cyber Warrior Police Force, 2018
  • Indian Cyber Crime Coordination Centre, 2020
  • National Cyber Security Policy Mission, 2020

At the start of 2020, there were discussions by the Ministry of Electronics and Information Technology (MeitY) about refurbishing the IT Act so as to conform to the new standards set by social media & e-commerce. Nayonika Dutta, Dep. Director at DPIIT, has also said that, “while on the one hand, these innovations have provided opportunities for growth and efficiency gains, on the other, they also pose significant challenges. Accordingly, the IT Act, 2000 needs to be amended in order to address such upcoming and future opportunities as well as challenges.”[18]

A new law is in the making with a watertight framework so as to curb the problems of Cyber-crimes. The Union Minister Ravi Shankar Prasad has stated in an interview that, “Discussions are on in the department to revisit the IT Act. The IT Act is now 20 years old, during this time, the IT ecosystem has developed beyond recognition. New technology has become very pronounced, the whole ecosystem of consumers has changed vastly and so have the challenges.”[19]

The Indian Government is indeed moving forward to make laws for the protection of the rights of its citizens, but is the Government still considering the threats of National Cyber-attacks & Cyber-terrorism? It is a question left unanswered, as there have been no discussions or initiatives whatsoever to perceive Cyber Security as an issue of National Security. Once again, quoting Duggal in the light of the Antrix Incident, “This should be enough to wake us up from complacency, we need to quickly realize that cybersecurity has to be number one national priority. Unfortunately, that is not the case. India still does not have dedicated legislation on cybersecurity, we have a very weak cyber law.”[20]

International Cyber Laws

The Budapest Convention on Cybercrimes, 2001

This is the first international treaty addressing the issue of Cyber Crimes, drafted by the Council of Europe. It saw active participation by the States of Canada, Japan, South Africa, and America. The main aim was to increase cooperation between states by harmonizing the national laws of the countries. India, not being a part of its drafting committee, declined to adopt the convention. The Government of India also thought that it might raise issues of National Sovereignty, as it involved the sharing of data with foreign agencies.[21]

Russia-led Resolution

In 2017, a resolution proposed by Russia, entitled “Countering the use of information and communications technologies for criminal purposes,” was introduced in the United Nations General Assembly (UNGA). The proposal called for establishing a committee that would propose a new treaty by which nation-states can coordinate and prevent cyber-crime. It recommended more provisions than the Budapest Convention, covering cross-border data sharing and the refusal of a signatory to give such access. Various Human Rights groups criticized it, terming it to be “China and Russian form of internet governance.” India voted in favor of this resolution.[22]

Conclusion

“Cyber Terrorism could also become more attractive as the real and virtual worlds become more closely coupled, with automobiles, appliances, and other devices attached to the Internet.”

Dorothy Denning

The statement says it all: with people rapidly purchasing smartphones, laptops, and other gadgets, the cyber ecosystem is becoming more and more vulnerable. It is the desperate need of the hour to develop a safety wall between the real & virtual lives of the people. Awareness regarding Cyber Hygiene shall be the new mission, promoted through the use of legitimate software and devices. It shall also be the duty of the private sector to engage with the government to strengthen the areas of Cyber Security. The Government has full opportunity, and is expected, to institute National Security strategies while preparing or remodeling the IT Act so that the Country can be fully prepared against any kind of Cyber-attack.


References:

[1] Gopika Gopakumar, Malware caused India’s biggest debit card data breach: Audit Report, Live Mint (Feb. 10, 2017, 01:54 AM), https://www.livemint.com/Industry/jVF2Aw72w0DcBsUGseV0UP/Malware-caused-Indias-biggest-debit-card-fraud-Audit-repor.html

[2] Anonymous, Cosmos Bank’s server hacked; Rs 94 crore siphoned off in 2 days, The Economic Times (Aug. 14, 09:31PM), https://economictimes.indiatimes.com/industry/banking/finance/banking/cosmos-banks-server-hacked-rs-94-crore-siphoned-off-in-2-days/articleshow/65399477.cms

[3] Utpal Bhasker, India Confirms malware attack at Kudankulam nuclear power plant, Live Mint (Nov. 20, 2019, 08:47 PM), https://www.livemint.com/news/india/india-confirms-malware-attack-at-kudankulam-nuclear-power-plant-11574262777163.html

[4] S.S. Rana & Co. Associates, Information Technology (Reasonable Security Practices And Procedures And Sensitive Personal Data or Information) Rules, 2011, Mondaq (Sep. 05, 2017), https://www.mondaq.com/india/data-protection/626190/information-technology-reasonable-security-practices-and-procedures-and-sensitive-personal-data-or-information-rules-2011

[5] Anonymous, Draft Information Technology [Intermediaries Guidelines (Amendment) Rules] 2018, PRS Legislative Research, https://www.prsindia.org/billtrack/draft-information-technology-intermediaries-guidelines-amendment-rules-2018

[6] The Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013, https://www.cert-in.org.in/PDF/G.S.R_20(E).pdf

[7] S.S. Rana & Co. Associates, Information Technology (Information Security Practices And Procedures For Protected System) Rules, 2018 Notified, Mondaq (Aug. 23, 2018), https://www.mondaq.com/india/security/730070/information-technology-information-security-practices-and-procedures-for-protected-system-rules-2018-notified

[8] Aprajita Rana, India: Cybersecurity Comparative Guide, Mondaq (Jul. 07, 2020), https://www.mondaq.com/india/technology/963026/cybersecurity-comparative-guide

[9] AZB & Partners, Cybersecurity in India, Lexology (Feb. 24, 2020), https://www.lexology.com/library/detail.aspx?g=4cd0bdb1-da7d-4a04-bd9c-30881dd3eadf#:~:text=India%20does%20not%20have%20a,and%20the%20cybercrimes%20associated%20therewith.

[10] Aditi Subramaniam & Sanuj Das, The Privacy, Data Protection and Cybersecurity Law Review – Edition 6, The Law Reviews (Oct. 2019), https://thelawreviews.co.uk/edition/the-privacy-data-protection-and-cybersecurity-law-review-edition-6/1210048/india

[11] Ikigai Law, Cyber security framework under the IT Act in India, Ikigai Law (Jun. 23, 2020), https://www.ikigailaw.com/cyber-security-framework-under-the-it-act-in-india/#_ftn21

[12] Mohd Ujaley, Dedicated legislation for Cyber Security is needed: Pavan Duggal, Express Computer (Jul. 25, 2018), https://www.expresscomputer.in/magazine/dedicated-legislation-for-cyber-security-is-needed-pavan-duggal/13378/

[13] Id.

[14] CISOMAG, India to Get a New Cybersecurity Policy, CISO MAG Events (Apr. 02, 2020), https://cisomag.eccouncil.org/india-cybersecurity-policy/

[15] Supra 17

[16] Supra 16

[17] Supra 17

[18] Megha Mandavia, MeitY seeks ideas on IT Act revamp, The Economic Times (Apr. 07, 2020, 06:49 AM), https://economictimes.indiatimes.com/tech/ites/meity-seeks-ideas-on-it-act-revamp/articleshow/75017401.cms?from=mdr

[19] Special Correspondent, Centre to revamp IT Act, The Hindu (Feb. 26, 10:28 PM), https://www.thehindu.com/business/Industry/centre-to-revamp-it-act/article30925140.ece

[20] Abhishek Raval, Antrix website hack: Cyber security should become national priority, says Pawan Duggal, Express Computer (Jul. 25, 2018), https://www.expresscomputer.in/news/antrix-website-hack-cyber-security-should-become-national-priority-says-pawan-duggal/12801/

[21] Dolly Krishnan & Mohit Verma, Cybersecurity And Cyber Laws Around The World And India: Major Thrust Highlighting Jharkhand For Concerns, The Law Brigade (Publishing Group) (Jul. 22, 2020), https://thelawbrigade.com/general-research/cybersecurity-and-cyber-laws-around-the-world-and-india-major-thrust-highlighting-jharkhand-for-concerns/#CYBERSECURITY_ASSESSMENT_AROUND_THE_GLOBE

[22] Anonymous, Convention on Global Cybercrime, Drishti IAS (Nov. 23, 2019), https://www.drishtiias.com/daily-updates/daily-news-analysis/convention-on-global-cybercrime


2 Comments

Shruti B · 30/08/2020 at 12:22 PM

This article was really helpful as the approach towards the topic is very gallivant and open minded covering nearly all aspects of prospect and retrospective achievements.

Ratin Arrora · 01/09/2020 at 12:39 PM

Amazingly written article. The writer has articulated her views and presented stable arguments through his/her thoughts. It is like listening to a song (Siddhu Moosewala, intense music).
Wonderfully written piece.
