It has taken over 7 years for India to revamp its cybersecurity policy — experts say there's room for carrots and sticks but not surveillance

It has taken over 7 years for India to revamp its cybersecurity policy — experts say there's room for carrots and sticks but not surveillance
India is long overdue to revamp its cybersecurity framework — but it will have to walk the line between being effective and not abusing user privacy, according to expertsUnsplash
  • The Indian government is looking to update its cybersecurity framework amid growing reports of state-sponsored actors, especially those from China, targeting the country’s critical infrastructure.
  • Coordinating between different ministries and incentivising private players to participate are likely to be the key changes, according to experts.
  • Considering the sensitive nature of the data that will be monitored, there needs to be significant safeguards in place to protect against government overreach.
India was among the first few countries to launch a cybersecurity policy back in 2013 and now it is looking to revamp that framework. According to Bloomberg, the new rules will be approved by the cabinet committee on security headed by Prime Minister Narendra Modi.

"Considering the fluid nature of cyberattacks, the law should enable collaborative efforts amongst states and union territories of the country and also at a cross-jurisdiction level," explained Supratim Chakraborty, a partner at Khaitan & Co.

More importantly, experts are hoping that this time the regulations will have a little more bite in order to be effective against cyber threats. “India's cyber threat canvas has evolved and now includes persistent and penetrating attacks targeting India's national and commercial computer networks,” Sameer Patil, a defence expert with Mumbai-based think tank Gateway House told Business Insider.

Complimentary Tech Event
Transform talent with learning that works
Capability development is critical for businesses who want to push the envelope of innovation.Discover how business leaders are strategizing around building talent capabilities and empowering employee transformation.Know More
The move to set up a new system comes amid increasing reports of hackers from other countries targeting users in India and the country’s critical infrastructure. According to cybersecurity firm Recorded Future, a new group called the RedEcho has its cyber guns trained on India’s power grid.

"If any of the critical institution, goes down, it would severely impair our ability to function normally. If the banking operations take a hit, the end use is invariably affected. If any of the confidential data of any Ministry is leaked, it would also lead to compromise in the security and sovereignty of our nation," said Neeraj Dubey, a partner at law firm Singh & Associates.


Red Echo may be linked to the massive power outage in Mumbai that crippled banks and the glitch at the National Stock Exchange (NSE), which the authorities are still investigating.

India needs a cybersecurity policy with more bite
Pankit Desai, chief executive and co-founder of Sequretek, a Mumbai-based cybersecurity firm, feels that India’s critical infrastructure has already opened India to a Trojan horse situation. He thinks that the only way for any new policy to be effective is to have more bite than bark.

“We don’t need frameworks, there are enough of them that already exist. What we need is an institution with teeth that will force these entities to step up their security investments much like what RBI [Reserve Bank of India] did for banks,” he told Business Insider.

It has been eight years since India’s cybersecurity framework was first unveiled, but not much has been done in terms of creating a coordinated approach to address cyber threats — especially when it comes to the country’s critical infrastructure.

“The response to a cyber threat should be at least as coordinated as the emergency response to the floods in Uttarakhand last month,” Avimukt Dar, founding member and senior partner at IndusLaw, told Business Insider.

The private sector has a key role to play
The question isn’t only about coordination between public stakeholders, but private ones too.

According to Dar, companies and businesses will only report any kind of cyber incidents if they get something in return. “Until and unless companies are being held to ransom, the details don’t come out — we saw this last year,” he said.

Not sharing data can leave behind a gaping hole of information. According to Singapore-based cybersecurity firm Cyfirma, cyber intelligence sharing is critical for players within a specific industry or a group of companies in order to fight cybercrime, effectively.

“This can create a common repository of known threats, malware, attack vectors and methods, giving organisations additional ammunition to mount more effective defence strategies. And this can only be done if reporting of data breaches is made mandatory,” Kumar Ritesh, the founder and CEO of Cyfirma told Business Insider.

In order to incentivise private players to report cyber threats in a quick and prompt way, the government needs to beef up its ability to protect Indian data from attacks and show Indian businesses that it's doing something meaningful and credible to allow their business continuity.

What will the new framework mean for ordinary folks?
The new rules are an indication that the regulatory powers under Ravi Shankar Prasad’s Ministry of Electronics and Information Technology (MeitY) are increasing.

“MeitY was historically a ministry intended to promote IT and electronics. Of late, it has a larger regulatory role which we saw in the IT Rules that came out in February. The IT Act is getting fully operationalised,” said Dar.

What is worrying is that India is currently leading the world in the number of days the internet has been shut down in one part of the country or another increasing the deficit of trust that the public has with the government.

Moreover, the recently passed IT Rules for social media, over-the-top (OTT) platforms and digital news have raised concerns about breaking encryption and the level of overreach that the government may have at its disposal.

“What we need to have in this policy are significant safeguards, which do not allow for people’s privacy to be compromised.You always have to assume there can be bad faith apples within the government too,” said Dar. There have already been multiple cases of US government employees abusing databases to spy on ordinary citizens.

In order to allay concerns, Dar recommends that there should be sufficient punishment in place to address the issue. "It should not be an administrative punishment, it should be a stiff criminal punishment for doing something wrong — like a jail sentence," he said.

Others have a more positive stance on the problem and believe that there will, inevitably, be some degree of trade off between the privacy of users and the security concerns of the state. "Both are equally legitimate concerns – but are entirely premised on what the government wants to take in relation to their framework... At present, it appears that India is greatly focussing on protecting its critical infrastructures pertaining to health, education, end-user station, nuclear sector, etc. Therefore, end-users are likely to be affected to some extent, however, that may be for the greater good.," opined Chakraborty.

Kerala High Court issues notice to central government over the ‘chilling effects’ of India’s new IT Rules for digital news

WhatsApp, Signal and Telegram face a catch-22 situation as India’s new social media rules threaten encryption

Facebook and Twitter have a ton of new rules to abide by in India ⁠— WhatsApp may find itself in the toughest spot of all