Cybersecurity in India: A Primer

Authored by: Bishwa Pandey

In the first half of 2018, 945 incidents of online hacking all over the world led to a staggering 4.5 billion (450 crore) data records[1] being compromised, equivalent to 291 records being exposed every second (Gemalto, Netherlands)[2]. Digitalisation of lifestyles is making cybersecurity increasingly important to governments, organizations and people. It is, therefore, important to understand the what, why, and how of cybersecurity and the Indian government’s plan of action to tackle this growing menace.

According to the 2018 Verizon Data Breach Report, for example, it takes less than a minute for an attacker to breach an organisation’s defenses, but over 3 months for that breach to be detected (Verizon 2018)[3]. Governments and organisations are, therefore, being called upon to move towards predicting and detecting cyber-attacks as opposed to merely protecting against them. As hackers become increasingly sophisticated in their means, methods, and motives with the help of technologies such as artificial intelligence, it is crucial that we improve our security infrastructures.

On any given day, for example, there are approximately 500 million (50 crore) people across India online (Tech Desk 2018)[4], making Indians among the most digitally active citizenry in the world. The country also has the second largest social media presence, a ranking that is only expected to improve with increased smartphone penetration, cheap mobile internet plans, and widening data networks. Indians are also some of the most prolific online shoppers. As of 2017, India’s internet economy was estimated to be $38.5 billion (approximately 270,000 crores) and is estimated to touch $200 billion (approximately 14 lakh crores) by 2026 (IBEF, India)[5]. While the government’s Digital India program has increased people’s reliance on the internet, the sharing of sensitive data online in the form of welfare schemes, passports, etc. has made people more vulnerable to cyber-attacks, in spite of legislation in the form of the IT Act, 2000 (amended in 2008). In 2017, India was the third most vulnerable country to cyber-attacks and the second most targeted country in terms of phishing (misleading) emails (PTI 2018)[6]. As of Q3 2018, Indians were the target of 26 million (2.6 crore) cyber-attacks (Majumdar 2018)[7]. 695,000 (6.95 lakh) of these originated from China, Russia, and the United States (PTI 2018)[8]. Additionally, in 2018, incidents of mining cryptocurrencies through malware rose by 500% in the top 3 cities in India (Blockonomi, UK)[9]. Such a drastic increase in bypassing digital security over the last few years has made India one of the most fertile grounds for hackers in the world.

Given such a context, it is worth exploring and detailing India’s existing protection regime. The IT Act of 2000, as mentioned above, is the overarching law of the land when it comes to matters related to cyberspace. It governs cybersecurity under sections 43 (data protection), 66 (hacking), 66B (punishment for illegally possessing stolen computer resources or communication devices), 67 (protection against unauthorised access to data), 69 (cyberterrorism), 70 (securing access or attempting to secure access to a protected system), and 72 (privacy and confidentiality). Notably, the act “applies also to any offence or contravention hereunder committed outside India by any person”. The law also governs the use of the internet to address the sending of offensive messages, which has become an increasingly common way for stalkers and harassers to target individuals. However, the law can only work retroactively. To deal with the 500,000-odd security alerts received daily (Livemint 2018)[10], the IT Act repositioned CERT (Computer Emergency Support Team) to serve as the national agency to perform cybersecurity functions. These include collection, analysis and dissemination of information on cyber incidents, forecasts and alerts of cybersecurity incidents, emergency measures for handling cybersecurity incidents, and coordination of cyber incident response activities. Finally, the government created a National Cybersecurity Policy in 2013. Its primary focus was to help protect information and the information infrastructure in cyberspace, build capabilities to prevent and respond to cyber threats, reduce vulnerabilities, and minimise damage from cyber incidents. The Ministry of Electronics and Information Technology (MeitY) also mandated other ministries to earmark 10% of their IT budgets for security.

Despite such measures, the government allocated 500 crores from 2012-2017 as part of the 12th 5-year plan[11] and only $217 million (1500 crores) towards cybersecurity in the Union Budget, 2018. In contrast, the United States government plans to spend $15 billion on cybersecurity in 2019 (President’s Budget, FY2019). India is effectively spending less than a dollar per person on cybersecurity, which is disconcerting given the push by the government for Digital India, eKYC and other online programs. Further, over 100 government websites were hacked between January and November 2018[12]. A total of 44,679, 49,455, 50,362 and 53,081 cybersecurity incidents were observed during the years 2014, 2015, 2016 and 2017 respectively[13]. The types of cybersecurity incidents include phishing, scanning/probing, website intrusions and defacements, virus/malicious code, Denial of Service attacks, etc. This has led to criticism over India’s manner of addressing digitalisation and cybersecurity. A Hague security report (Netherlands Business Support Office 2018)[14] claims that India has rapidly tried to go digital without adequate security infrastructure. The report also points towards the lack of a national security architecture that unifies the efforts of the private sector, public sector, individual states, and even the armed forces, each of which has separate cybersecurity protocols, practices, and infrastructures. India has seen massive data breaches, e.g. Aadhaar[15]. Furthermore, there is a distinct shortage of individuals trained to handle cybersecurity incidents effectively[16]. The country has a requirement of 3 million cybersecurity professionals and it has fewer than 100,000, according to global tech giant IBM[17].

At a time when all our data, money and memories are online, India is effectively spending less than a dollar per person on cybersecurity. Digital India is well and truly on its way. Can we avoid the threat of cybersecurity by simply building higher walls?

The research undertaken and opinions expressed in this article are solely the author’s and do not express or endorse SPRF’s beliefs, values, and position on the matter.

Bishwa Pandey, Guest Author.

 

ENDNOTES:

[1] https://in.pcmag.com/news/126146/data-breaches-compromised-45-billion-records-in-first-half-o

[2] Gemalto (October 2018), Breach Level Index, Amsterdam, Netherlands, Gemalto Inc.

[3] Verizon (2018), 2018 Verizon Data Breach Report, United States of America, Verizon Inc.

[4] Tech Desk. (2018), “India to have over 500 million Internet users by June 2018: IAMAI report”, indianexpress.com, February 20, 2018, https://indianexpress.com/article/technology/tech-news-technology/india-to-have-over-500-million-internet-users-by-june-2018-iamai-report/

[5] Indian Brand Equity Foundation, (2018), E-commerce Industry in India, New Delhi, India, Indian Brand Equity Foundation.

[6] “India ranks 3rd among nations facing most cyber threats: Symantec”, economictimes.com, April 4, 2018, https://economictimes.indiatimes.com/tech/internet/india-ranks-3rd-among-nations-facing-most-cyber-threats-symantec/articleshow/63616106.cms?from=mdr

[7] Majumdar, Romita. “Over 26 million cyber threats targeted Indian companies in Q3 2018: Seqrite”, Business Standard, December 26, 2018, https://www.business-standard.com/article/companies/over-26-million-cyber-threats-targeted-indian-companies-in-q3-2018-seqrite-118122600121_1.html

[8] “India witnessed over 6.95 lakh cyberattacks from Russia, US, others in January-Jun: F-Secure”, economictimes.indiatimes.com, November 11, 2018, https://economictimes.indiatimes.com/tech/internet/india-witnesses-over-4-36-lakh-cyberattacks-from-russia-us-others-in-jan-jun-f-secure/articleshow/66575477.cms

[9] Jimi Aki. (2018), “Number of Compromised Cryptojacking Routers in India Close to 30,000”, blockonomi.com, October 9, 2018, https://blockonomi.com/cryptojacking-routers-india/

[10] “Over 2.6 crore cyber threats targeted Indian enterprises in Q3 2018”, livemint.com, December 26, 2018, https://www.livemint.com/Technology/V9ZW5hWAY1cVBFVDHMMpyO/Over-26-crore-cyber-threats-targeted-Indian-enterprises-in.html

[11] Govt. of India Ministry of Communications and Information and Technology, (2014), “Rajya Sabha Unstarred Question Number-1111.”, Accessed April 3, 2019, http://164.100.47.5/qsearch/QResult.aspx

[12] “Over 100 government websites hacked during Jan-Nov 2018: Ahluwalia”, timesofindia.com, December 18, 2018, https://timesofindia.indiatimes.com/india/over-100-government-websites-hacked-during-jan-nov-2018-ahluwalia/articleshow/67161747.cms

[13] Govt. of India Ministry of Electronics and Information and Technology, (2018), “Rajya Sabha Unstarred Question-2504.”, Accessed April 3, 2019, http://164.100.47.5/qsearch/QResult.aspx

[14] Kingdom of Netherlands, Cyber Security in India, Netherlands, Kingdom of Netherlands

[15] Business Today, (September 18, 2018), “Story”, Accessed April 3, 2019, https://www.businesstoday.in/current/economy-politics/aadhaar-software-hack-uidai-data-ghost-entries/story/282260.html

[16] Ganesh, Venkatesh. (2018), “India Lagging in Cyber Security Awareness”, Hindu Business Line, January 17, 2018, https://www.thehindubusinessline.com/info-tech/india-lagging-in-cyber-security-awareness/article9046626.ece

[17] “India needs 3 million cyber professionals right now: IBM”, 2018, “News”, Accessed April 3, 2019, https://www.business-standard.com/article/companies/india-needs-3-million-cyber-security-professionals-right-now-ibm-118051300153_1.html