WHAT IS CYBERSECURITY?
CyberSecurity: Process of securing information or assets that are contained in cyberspace from unauthorized access, use, disclosure, modification or destruction.
Budapest Convention: 1st convention on Internet and computer crimes. India declined the invite 🙁
Importance or Need Of CyberSec
- Advent of digitalization on a larger scale in India (more than 1 lakh cybercrime attempts on Govt organizations and portals as per MeitY, the Ministry of Electronics and Information Technology)
- Necessary for national security in the wake of growing cases of cyber warfare by terrorist groups
- According to statistics, China is responsible for one-third of all global cyber-attacks. They are now developing technology that will allow them to connect to the internet via satellite channels.
- WhatsApp sued Israeli surveillance firm N.S.O. Group, saying that the business enabled clients to use malware to get access to the phones of over 1,400 customers, including those in India. Journalists and political opponents were among those targeted by the hack.
- Pakistan is employing APT 36 to attack Indian firms. There is also a hacking group known as LAZARUS that is widely recognized for carrying out financially targeted attacks in India, Bangladesh, and other South Asian nations.
- Cyber resilience for the private sector (news of the LAZARUS hacker group attacking BFSI firms in India and SE Asian countries)
- Increase in fake news, financial frauds, cyber bullying, data breaches etc.
Elements Of Cyber Security

Types Of Cyber Attacks
- Malware (ransomware, trojans, worms, spyware, viruses, keyloggers, cryptojacking etc.)
- Denial-of-Service (DoS) Attacks: floods network with false requests to disrupt it
- Phishing: frauds through emails, sms, calls
- Spoofing: Domain, email or ARP spoofing
- Identity-Based Attacks
- Code Injection Attacks
- Supply Chain Attacks
- Insider Threats
- DNS Tunneling: attacker manipulates the queries of the Domain Name System (DNS)
- IoT-Based Attacks: assume control of all devices, steal the data or even join all infected devices to create a botnet to launch a DoS attack
EXISTING MECHANISM AND INITIATIVES IN INDIA
Legal Framework
1. IT Act-2000 and IT Act (Amendment)-2008
Amendments to the act have been created to address issues that the original bill failed to cover and to accommodate further development of IT and related security concerns since the original law was passed. The act includes provisions for the following:
- Redefining terms such as communication devices to reflect current broader use
- Making corporations responsible for implementing effective data security practices and liable for data breaches. Also, making the owner of a given IP address responsible for content accessed or distributed through it
- Establishing a legal framework for digital signatures
- Recognizing and regulating intermediaries
- Regulating interception, monitoring and decryption of electronic records
- Regulating cyber forensics and cyberterrorism
- Penalty/Punishments:
  - Penalties for violating the IT Amendment Act can range from a fine of 1 lakh rupees to imprisonment for up to 3 years.
  - More serious offenses = 5 lakh rupees and may include imprisonment of up to 7 years.
  - Cyberterrorism offenses are punishable by imprisonment of up to 10 years.
  - In addition to these penalties, the court can also order the offender to pay compensation to the victim of the offense.
2. National Cyber Security Policy (NCSP) -2013
National cybersecurity strategies (NCSSs) are the primary documents used by national governments to establish strategic directives, goals, and specific actions to reduce cybersecurity risk. The main components of NCSP-2013 include:
- Creating a secure cyber ecosystem: guarantee that all firms set up a designated budget for developing cyber security, and offer fiscal schemes and incentives to encourage entities to establish, enhance, and update cybersecurity-related information infrastructure.
- Research & Development: cost-effective, tailor-made indigenous security solutions
- Securing E-Governance services: promote the use of Public Key Infrastructure (PKI) for trustworthy communication and transactions throughout the Govt and hire information security specialists to help with e-Government projects and to assure compliance with security best practices
- Encouraging Open Standards: adoption of open standards to improve interoperability and data sharing among various goods or services, and encouraging the formation of a public-private partnership to increase the availability of tested and certified I.T. solutions based on open standards.
- Establishing a 24x7 National Critical Information Infrastructure Protection Centre (NCIIPC) and mandating security practices related to the design, acquisition, development, use, and operation of information resources.
- Build a workforce of 500,000 cyber security skilled professionals in the next 5 years.
- All private and public organizations must hire a Chief Information Security Officer in their IT department.
- These organizations must develop information security policies based on their business requirements (compliance with cyber security best practices, standards, and guidelines like ISO 27001 ISMS certification, IS system audits, penetration testing/vulnerability assessment, etc.).
- National Level Computer Emergency Response Team (CERT-In) to operate as the nodal agency for cyber security emergency response and crisis management. It will function as an umbrella organization of sectoral CERTs.
Concerns Associated with National Cyber Security Policy 2013 are:
- India’s cyber security responses to attacks have been reactive and fragmented. Delays have serious consequences for India’s digital revolution, diplomatic efforts, and domestic privacy.
- There is a lack of coordination and single-point responsibility between government agencies and the private sector.
- Our policies have primarily been defensive; we also need aggressive endeavors in cyber security.
3. National Digital Communication Policy – 2018
It has been broadly estimated that a 10% increase in broadband penetration in a country could potentially lead to an over 1% increase in GDP. Therefore, a consistent policy and principles framework is required to create a vibrant competitive telecom market to strengthen India’s long term competitiveness.
It has 3 missions under it:
- Connect India: Creating Robust Digital Communications Infrastructure.
- Secure India: Ensuring Sovereignty, Safety and Security of Digital Communications.
- Propel India: Enabling Next Generation Technologies and Services through Investments, Innovation and IPR generation.

Institutional Framework
1. CERT-In
CERT-In, i.e. Computer Emergency Response Team – India, is the nodal agency for responding to cyber security incidents.
- Has NCCC (National CyberSecurity Coordination Centre) working under it.
- Organizes ‘Exercise Synergy’ in collaboration with 13 other countries.
2. I4C
I4C, or Indian Cyber Crime Coordination Centre, was established under MHA (Home Affairs Ministry) on the recommendation of the GR Committee-2014 to provide a framework and ecosystem for Law Enforcement Agencies (LEAs) for dealing with cybercrime in a coordinated and comprehensive manner.
3. NCIIPC
- Established under Sec. 70A of IT Act-2000
- CII (Critical Information Infrastructure) = computer resources, the destruction of which would have an impact on national security, economy, public health or safety (e.g. RBI, nuclear power plants, ISRO etc.)
4. DSCI
Data Security Council – 2008 is a not-for-profit industry body on data protection in India established by NASSCOM i.e. National Association Of Software and Service Companies
Cyber Security Guidelines
| MASTER DIRECTION ON CYBERSEC. & DIGITAL PAYMENT SECURITY FOR OPERATORS | GUIDELINES ON INFORMATION SECURITY PRACTICES FOR GOVT. ENTITIES | CYBERSECURITY FRAMEWORK FOR ALL SEBI-REGULATED ENTITIES |
|---|---|---|
| Draft – RBI | CERT-In Guidelines issued under power given by Sec.70B of IT Act-2000 | SEBI |
| Ensure resilience for all authorized non-bank PSOs (Payment System Operators) | Applies to all govt. offices listed under Schedule-I of GoI (Allocation of Business) Rules-1961 | Created by NIST – National Institute Of Standards and Technology |
| Board members of PSO will be responsible for oversight and compliance | – Report security breach within 6 hours – Security audit every 6 months – System logout if inactive for more than 15 mins. – Admin access to system only after approval of Chief Information Security Officer | – All entities must formulate CCMP i.e. Cyber Crisis Management Plan – Entities must have SOPs i.e. Standard Operating Procedure and Incident Response Plan |

Initiatives
1. CyberDome Project (Kerala Police)
A visionary initiative to protect citizens, businesses, critical infrastructures of the state, and e-governance services by establishing a collaborative platform for cyber security. It’s amazing (every state should have something like this).
- 6 Divisions:
  - Cyber Intelligence (Analytics Dpt.)
  - Incident Response Team
  - Research & Development
  - CyberSecurity (continuous protection of govt assets)
  - Cyber Forensics (technical assistance to investigations)
  - Training and Awareness
2. Operation Chakra (CBI)
CBI has also launched this nationwide operation to track down cyber criminals who indulge in financial crimes and frauds.
3. KAVACH – 2023
KAVACH is a unique national Hackathon to identify innovative concepts and technology solutions for addressing the security challenges of the 21st century faced by our intelligence agencies.
There are 2 separate Hackathon tracks, for students/HEI and for startups. Everyone is given 20 problem statements to solve.
4. Exercise Synergy (CERT-In)
Cyber Security Exercise for 13 countries as part of the International Counter Ransomware Initiative – Resilience Working Group.
5. CSB – Cyber Surakshit Bharat (MeiTY)
Aims to spread awareness about cybercrime and adequate safety measures for Chief Information Security Officers (CISOs) and frontline IT staff across all government departments.
6. CCOSW – Command Cyber Operation And Support Wings
Specialized unit of Indian Army that will assist with the mandated cyber security functions. The unit will be responsible for safeguarding the networks and enhancing the cybersecurity posture of the Indian Army.
7. National Cyber Crime Reporting Portal
3900 police stations and 700 police districts have been linked with the portal “cybercrime.gov.in”.
CHALLENGES
- Understaffed CERT-In
- Underreporting (only 1% of attacks are reported, as per NCRB data)
- Dependency on other countries: imports for defense and information equipment, Chinese influence in the Indian telecom sector etc.
- Rapidly changing technologies (AI, IoT, Blockchain, Generative AI etc.) make it harder to keep track of all possible cyber attacks and data breaches.
- Very distributed efforts and responsibilities, i.e. lack of cooperation among the various organisations looking over cyber security in India
- Loopholes in IT Rules: no dedicated Cyber Crime Courts; most of these crimes are bailable
- Loopholes in NCSP-2013
WAY FORWARD
- Have ‘active cyber defense’ regulation or law like EU’s GDPR or USA’s CLOUD Act
- Need a single umbrella organization, unlike the present multiple organizations
- Indigenization in hardware and software cyber toolkit
- More awareness through inclusion of cybersecurity in school/college courses
- Include ‘Cyber Security Architecture’ in Make In India efforts
- Special focus on critical sectors like BFSI, HCLS, Energy, Telecom etc. (to avoid theft of valuable citizen data)
- International cooperation like Operation Synergy, or US training Saudi enterprises
- Use new creative techniques like honeypots etc. to catch hackers
