Recognizing the growing dangers of cyberattacks, India will have to tread the path of ramping-up its cybersecurity measures in response to the surge in cybercrime and threats against its citizens and also against the vital critical infrastructure of the country. Though, India is conscious of the deepening concerns for the security against cybercrime, India needs to adopt stronger proactive cybersecurity posture to combat malicious actors and bolster national cyber defenses. The government is committed to safeguarding national interests in the face of this evolving cyber threats.
In a recent broadcast of Indian Prime Minister (PM), Shri Narendra Modi during the routine talk program on National Media, ‘The Mann ki Baat’; he pointed out that Indians have lost approximately ₹120.3 crore to ‘digital arrest’ fraud scams, during the first quarter of year 2024, and he cautioned the citizens of the rampantly growing Cybercrime incidents in the country.
The Statistics
As per a certain release by the Government of India, “The National Cybercrime Reporting”, a staggering 1.5 million complaints were registered in 2023 of cybercrime cases; up from 0.96 million in 2022 which was just about 0.45 million in 2021. This alarming trend continues, with over 740,000 complaints already registered within the first two quarters of year 2024. Cybercriminals are causing significant financial damage in India. In the first quarter of 2024 alone, Indian citizens lost over ₹1,750 crore to various scams, including ₹1,420.48 crore to trading scams and ₹222.58 crore in investment scams; according to I4C CEO Shri Rajesh Kumar. During this period, it has also been reported that Indian citizens lost ₹120.3 crore through digital arrest scams(and about ₹13.23 crore in romance scams).
The Two Ministries and the NSCS Dichotomy in controlling Cybersecurity of India
India’s Ministry of Electronics and Information Technology (MeitY) is a key player in the country’s cybersecurity landscape. It shoulders the responsibility of formulating national cybersecurity policies and strategies, including promoting standards and best practices. MeitY also plays a vital role in capacity building by promoting cybersecurity research and development, and conducting training programs to enhance cybersecurity skills and awareness. Additionally, it enforces cybersecurity provisions under the IT Act and formulates regulations for data protection and cybercrime prevention. MeitY oversees the protection of critical government infrastructure and manages CERT-In, the national agency that responds to cyber incidents. It also manages the National Cyber Crime Coordination Centre (NCCC).
India’s Ministry of Home Affairs (MHA), placing its concerns on government’s emphasis on law enforcement and national security, is also organized to addressing cybercrime. The Indian Cyber Crime Coordination Centre (I4C) operates under the MHA. The government has been recently focusing on strengthening I4C’s capabilities and expanding its reach to tackling the growing threat of cybercrime.
India, has also in place a strategic organization, ‘The National Cyber Security Coordinator’ (NCSC) with crucial role in India’s cybersecurity landscape, albeit with a different focus than MeitY or I4C. Functioning under ‘The National Security Council Secretariat (NSCS), National Security Advisor (NSA)’, PM Office; the NCSC’s primary mandate is to ensure a secure and resilient cyberspace for the nation, particularly in relation to national security.
The Indian CERT (Computer Emergency Response Team), falls under the administrative control of MeitY. CERT-In is India’s national cybersecurity agency, and it also responds to cyber incidents, manages and analyzes cyber threats, issues warnings, and promotes cybersecurity awareness. Its focus is primarily on the technical aspects of cybersecurity, including incident response and protecting critical infrastructure. CERT-In collaborates with international organizations and the IT industry to enhance cybersecurity posture and address evolving threats.
CERT-In at the crossroads of affiliation to a Master
There were reports in Indian newspaper (ToI, TIMESOFINDIA.COM, dated 16 Jul 2024 ‘Why Home ministry and IT ministry want control of India’s cybersecurity agency’), that CERT-In, by virtue of its capabilities, if amalgamated with I4C (MHA) will be able to provide the essential push towards cybercrime investigation. The argument also mentioned, that the CERT-In, by means of it being re-aligned to the MHA, will also be able to multiply its capabilities in the nation’s cybersecurity posture, through enhanced investigative capability by using the LEA’s executive powers. MHA believes that I4C along with the merged CERT’s technical expertise, would streamline investigations, especially considering the agency’s enforcement powers. MeitY, in-turn has placed the argument that the CERT’s primary function being that of incident reporting and response, malware alerts, and security infrastructure improvement; does not match the overall mandate of MHA and that the organization is highly technical in its nature. MeitY also argued that CERT’s role extends beyond the scope of law enforcement. The claim by MHA is on the basis of the functional requirement, and has been arguing the same,on the basis of the otherwise ambiguous ‘Allocation of Business Rules’ (AoBR) of the Government of India.
As on date, CERT-In falls under the administrative control of the MeitY. Notwithstanding, MHA has been making a strong case for taking over its ownership. And, there has been strong claims by both the sides, with disagreement on either side. This disagreement, should be viewed positively and is assumed to be a ‘Loud Thinking’ as part of the government for better governance or restructuring governance, this also highlights the growing complexity of cybersecurity and the government’s intent to address the same. It underscores the need for various stakeholders with differing approaches and mandates to collaborate effectively; thereby bringing about a more coordinated and one-stop organization for Cybersecurity. The fact is, that as on date, Cybersecurity is not solely assigned to any one ministry, with agencies under the Prime Minister’s Office, Home Ministry, and IT Ministry handling various aspects on the subject.
The Cybersecurity Organization Restructuring is Essential
India is restructuring its cyber defenses, and this initiative is being undertaken under the able leadership of the PM of India. As part of this restructuring, The National Security Council Secretariat (NSCS), led by NSA Shri Ajit Doval, now has been provided the mandate of the overall responsibility for cybersecurity strategy and coordination, taking over the same from the Cabinet Secretariat (which was earlier the Cabinet Secretaries responsibility). This shift, centralizes leadership and prioritizes national security in the face of growing cyber threats. This change came through a recent notification dated 27 Sep 2024 by the PMO, as an addendum to the Allocation of Business Rules of Government of India.
Coming back to the control of CERT-In; the CERT India has been conceptualized on international precedence, and was formed in Jan 2004. It was established by the Indian government under the Information Technology Act, 2000 (under provisions of Section 70B). CERT-In has been the nodal agency responding to the Cybersecurity Incident (as and when they occur), and also the organization has been formed for larger coordination among CERTs of the individual countries, with a common goal of providing security as a service. World over, the CERTs have different affiliation models. In majority of the countries, the CERT is independent and is organized as a statutory body; in certain countries, we see CERT being part of the Interior Ministry or under the IT Ministry; there is precedence in certain countries, wherein the CERT have been assigned directly under the Head of the State or under the Ministry of External Affairs. It is important to note that there is no one-size-fits-all solution. The optimal placement of a CERT, depends on a country’s specific needs and circumstances.
Way Forward for a Robust Coordinated Cybersecurity Structure for India
India’s current cybersecurity setup is fragmented. Cybercrime falls under the Ministry of Home Affairs (MHA), while cybersecurity is under the Ministry of Electronics and Information Technology (MeitY). Additionally, the National Cyber Security Coordinator (NCSC) operates under the National Security Advisor (NSA), and is responsible for a broader cybersecurity from a strategic and limited coordination mandate. The need of the hour, is a more comprehensive strategic and action oriented, Cybersecurity management with a holistic Cyber Resilience and Threat Management strategy. The vital requiement is to empower a single office to manage the same and also a single point of contact, so as to facilitate, Government, Corporate and Individuals to approach a single window for any matter of Cybersecurity and Redressal of Cybercrime aspects.
- The Present Statue: The present silos of operations and control creates several challenges:
- Lack of Coordination: This can lead to overlapping responsibilities, conflicting priorities, and slow response times to cyber threats.
- Policy Conflicts: Different ministries might have different approaches to cybersecurity, leading to inconsistent policies and regulations.
- Resource Duplication: Separate entities might end up duplicating efforts and wasting resources.
- Confusion and Delays: For citizens and businesses, navigating this complex structure can be confusing and lead to delays in getting issues resolved.
- The Need of the Hour: India needs a centralized, unified agency to handle all aspects of cybersecurity. This agency should:
- Develop a National Cybersecurity Strategy: This strategy should encompass all aspects of cybersecurity, including prevention, protection, response, and recovery.
- Coordinate between different stakeholders: This includes government agencies, law enforcement, the private sector, and academia.
- Promote awareness and education: Citizens and businesses need to be educated about cyber threats and how to protect themselves.
- Foster international cooperation: Cyber threats are global, so India needs to cooperate with other countries to address them effectively.
- Live Models: Several countries have adopted a unified approach to cybersecurity. Here are two examples:
- United Kingdom: The UK has the National Cyber Security Centre (NCSC), which is part of GCHQ, the UK’s intelligence and security organization. The NCSC is responsible for all aspects of cybersecurity, from national infrastructure protection to citizen awareness. This organization carries out amicable synergy between different agencies including the CERT-UK
- United States: The US Cybersecurity and Infrastructure Security Agency (CISA) is a federal agency responsible for protecting critical infrastructure from physical and cyber threats. CISA works closely with other government agencies, the private sector, and international partners. The CISA also houses US-CERT.
- Australia: Australian Cyber Security Centre (ACSC) is the lead agency for cybersecurity in Australia, operating within the Australian Signals Directorate (ASD). The CERT is incorporated within the ACSC. It provides advice, guidance, and assistance to government, businesses, and individuals on cybersecurity matters.
- Recommendations:
- Establish a National Cybersecurity Agency: This agency should be independent and have the authority to coordinate all aspects of cybersecurity across the government and private sector.
- Consolidate existing cybersecurity functions: Bring together the cybersecurity functions currently spread across different ministries and PMO, under this new agency.
- Empower the NCSC: Give the NCSC more authority and resources to effectively coordinate national cybersecurity efforts.
- Develop a comprehensive legal framework: This framework should address all aspects of cybercrime and cybersecurity, including data protection, privacy, and incident response.
- India should also look at the possibility of establishing a Cybersecurity Ministry with a minister designated; initally as a Minister of State (Independent charge) portfolio, subsequently, upgrading the position to a Cabinet Minister rank.
Conclusion
By adopting a unified approach to cybersecurity, India can strengthen its defenses against cyber threats and protect its citizens, businesses, and critical infrastructure.