Guide on Cyber Security Policy in India: Awareness Month Special
Internet penetration has grown multifold across India, thanks to lower internet prices. Life is different from what it used to be a few years ago. People are spending more and more time on the internet. With that, the need to protect personal data and hence, privacy, has become an absolute necessity. An important tool to that effect is cyber security. A good cyber security policy demands seamless intelligence, threat sharing, and coordination between agencies and incident responders. However, India does not have a comprehensive cyber security policy.
The entire cyber security policy in India is scattered and there are sector-specific guidelines/rules issued by different stakeholders. Even incident reporting is a tedious task. There are also issues of overlapping functions, which makes it difficult to enforce any regulation or decision. In this article, we will attempt to demystify the cyber security policy in India. We will have a look at all stakeholders and sectoral regulators involved. There’s also a bonus image for you!
Ministry of Home Affairs (MHA)
The MHA has a Cyber & Information Security division (“C & IS”). The division deals with matters relating to Cyber Security, Cyber Crime, National Information Security Policy & Guidelines (NISPG), and National Information Grid (NATGRID). It has the following sub-divisions:
National Cyber Coordination Centre (“NCCC”)
It generates necessary situational awareness of existing and potential cyber security threats. It is an operational cyber security & e-surveillance agency in India. The Centre intends to screen communication metadata and coordinate intelligence gathering activities of other agencies.
NCCC keeps in touch with internet service providers to monitor internet traffic in the country. It also addresses the threats faced by the computer networks of government departments and organizations handling sensitive government data and important websites.
Cyber Crime Prevention Against Women and Children (“CCPWC”)
This division was launched in 2018. Its main objective is to have an effective mechanism to handle complaints of cybercrimes against women and children. It oversees the functioning of cybercrime.gov.in to receive complaints.
The MHA has also provided financial assistance to all states and UTs for setting up Cyber Forensic Laboratory cum Training centers. A National Cyber Forensic unit will be set up to work on a 24*7*365 basis. This unit will have a team of cyber security professionals to carry out various types of electronic forensic analysis and assist law enforcement agencies with forensic analysis. The Ministry has also launched a Twitter handle called “CyberDost” to create cybercrime awareness.
Indian Cyber Crime Coordination Centre (“I4C”)
The government approved the Centre in 2018 to deal with all types of cybercrimes in a comprehensive and coordinated manner. The Centre has 7 components:
- National Cyber Crime Threat Analytics Unit;
- National Cyber Crime Reporting Portal;
- Cyber Crime Ecosystem Management Unit;
- National Cyber Crime Training Centre;
- National Cyber Crime Research and Innovation Centre;
- Platform for Joint Cyber Crime Investigation Team; and
- National Cyber Crime Forensic Laboratory Ecosystem.
The Centre will identify the research problems/ needs of law enforcement agencies. Accordingly, it will take up R&D activities in developing new technologies and forensic tools in collaboration with academia/ research institutes within India and abroad.
Further, the Centre will coordinate activities related to the enforcement of Mutual Legal Assistance Treaties (MLAT) with other countries. I4C has recently launched the ‘Cyber Crime Volunteers Program’ to let “Unlawful Content Flaggers” help law enforcement agencies identify and remove illegal/ unlawful online content.
The Prime Minister’s Office (PMO)
The PMO directly interacts with the NCSC and the NCIIPC, the protector of critical infrastructure in India.
National Cyber Security Coordinator (“NCSC”): In 2014, the Prime Minister’s Office created the position of NCSC to coordinate with different agencies at the national level for cyber security matters. Currently, Lt. Gen. Rajesh Pant is the country’s National Cyber Security Coordinator. NCSC, in coordination with MeitY, is now in the process of making the new cyber security policy.
National Technical Research Organisation (“NTRO”): NTRO specializes in disciplines such as remote sensing, signals intelligence, data gathering, cryptology, strategic hardware & software development, and cyber security. With regard to cyber security, it monitors and assesses threats to critical infrastructure. It also uses espionage techniques such as underwater buoys, drones, VSAT-terminal locators, and fiber optic cable nodal tap points. The Snowden leaks revealed that the NTRO was one of the most proactive members of the US NSA-led 10-member counter-terrorism platform called SIGINT Senior Pacific.
National Critical Information Infrastructure Protection Centre (“NCIIPC”): The organization operates under the NTRO. The government created it in 2014 under Section 70A of the Information Technology Act, 2000 (IT Act). It is the National Nodal Agency with respect to Critical Information Infrastructure (CII) protection.
Ministry of Electronics & Information Technology (“MeitY”)
MeitY is the key decision-maker when it comes to information technology regulations in India. It has created multiple rules on cyber security under the IT Act. However,
Computer Emergency Response Team- India (“CERT-In”)
The government formed CERT-In in 2004 under Section 70B of the IT Act. It functions under the vigilance of MeitY. It is the national nodal agency for responding to cyber security incidents in the country. CERT-In also focuses on prevention, providing quick response services as well as security quality management services.
CERT- National Informatics Centre (“NIC”): The NIC has its own CERT division. It analyzes, monitors, and responds to cyber threats on government websites, emails, and various other services. It coordinates with other stakeholders to mitigate cyber threats and issues advisories.
Ministry of Power– Sectoral CERTs
The Ministry of Power (MoP) has recently prepared the ‘CEA (Cyber Security in Power Sector) Guidelines, 20201.
Prior to the guidelines, the MoP had already created six sectoral CERTs. Each sectoral CERT has its own sub-sector-specific Cyber Crisis Management Plan.
Six Sectoral CERTs: In 2017, the MoP, through MeitY and NCIIPC, added 4 sectoral CERTs: Transmission, Thermal, Hydro, and Distribution. Later, the MoP also introduced CERT (Grid Operation) and CERT (Renewable Energy).
Information Sharing and Analysis Centre (ISAC-Power): The MoP has set up this central coordinating agency to share and analyze cyber security incidents in the Power sector. ISAC-Power will be the common platform for all the six sectoral CERTs to share and analyze cyber security incidents.
Ministry of Defence- Defence Cyber Agency (“DCA”)
On September 28, 2018, the government approved the creation of the Defence Cyber Agency. It is a tri-service command of the Indian Armed Forces. While it draws personnel from all the three branches of the Armed Forces, all of them also have their respective CERTs.
Reports suggest that the agency is capable of hacking into networks, mounting surveillance operations, laying honeypots, and even breaking encryption. The agency is also expected to prepare India’s cyber warfare doctrine. The Central Government recently revealed to the Parliament that the DCA is fully functional.
Ministry of Finance & Sectoral Regulations
The Ministry of Finance regulates the financial, securities, and insurance sectors through separate regulators. Different sectoral regulators have their own cyber security policy in India.
Reserve Bank of India (“RBI”)- Banking
The RBI governs both public and private sector banks. It has issued various guidelines for ensuring cyber security. It directs how to handle cyber fraud within the banking sector with the Guidelines on Cyber Security Framework. The guideline mandates the adoption of a comprehensive Cyber Security Framework that includes Cyber Security Strategy, Cyber Security Policy & Procedures and Assessment of cyber threats and risks.
These guidelines suggest that the RBI can request an inspection, at any time, of any of the banks’ cyber-resilience capabilities. Additionally, the RBI has set up a Cyber Security and Information Technology Examination (CSITE) Cell of the Department of Banking Supervision. The Cell helps it assess the progress made by banks in the implementation of the framework.
In March 2020, the RBI also issued Guidelines on Regulation of Payment Aggregators and Payment Gateways. The new guidelines direct payment aggregators to implement adequate information and data security infrastructure as well as systems for the prevention and detection of fraud. The aggregators have to adopt best encryption standards and other security standards for monitoring, handling cyber security incidents and reports.
In case of inadvertent inadequacies in taking precautions on the part of the institution, the stakeholders can levy a penalty for the same. The Banking Regulation Act, 1949 (sections 46 & 47A) vests power in the RBI to levy a penalty of up to 1 crore rupees depending upon the nature of the contravention.
Securities and Exchange Board of India (“SEBI”)- Securities
SEBI has issued detailed Guidelines on Cyber Security and Cyber Resilience for Asset Management Companies and other market infrastructure institutions. It mandates firms to set up their respective security operations centre (SOC). They must have their operations overseen by dedicated security analysts. These guidelines also bring stock brokers and depository participants under its purview.
SEBI has also designed a cyber security and cyber resilience framework for stock brokers and depository participants. Since stock brokers and depository participants perform significant functions in relation to the securities held by traders, there is a need to maintain robust cyber security measures to protect the integrity of data and guard against breaches of privacy.
Insurance Regulatory and Development Authority of India (“IRDAI”)- Insurance
The IRDAI issued Guidelines on Information and Cyber Security for Insurers. The guidelines, updated in 2020, say that organizations shall adopt a cyber security policy or “IS Policy”. Additionally, organizations shall form an Information Security Committee (ISC) consisting of members from all departments.
Further, organizations shall undertake vulnerability assessments and penetration testing annually and close any identified gaps within a month.
Ministry of Communications- Telecommunications
The Department of Telecommunications (DoT) through its circular on best practices suggests some general instructions for cyber security for its officials. They include cautions on the usage of passwords, emails, and other guidelines. DoT also seeks to establish a comprehensive data protection regime and assure security for digital communication.
For telecom service providers and third-party operators, the Unified Access Service License (UASL) lays down the conditions. The license condition is in the form of a directive where the licensee (telecom service providers) has to procure telecom gear only from “trusted sources”. They shall connect their network only to those devices that are designated as “trusted products”, as notified by NCSC.
The DoT can fine a licensee up to Rs. 50 crores for intentional omission, deliberate non-disclosure of a vulnerability, or an attempted security breach. This is in addition to any liability and criminal proceeding under relevant acts.
Besides all these Ministries, Departments, and Sectors, the government is working on creating a CERT for the telecom & financial sector.
To summarize everything, here’s an image for you.
This article was co-authored by Debdatta Das, a 5th-year law student at Ajeenkya D Y Patil University, Preksha Jain, a 5th-year student at Chanakya National Law University, Patna, and Tanisha Das, a 5th-year student at KIIT University, Odisha.