Cybersecurity: Actions abound, minus strategy, law

From the Quad in the Indo-Pacific to the Shanghai Cooperation Organisation in Eurasia, and in our bilateral relationships with major powers like the US, UK and Russia, cybersecurity has become a key pillar of India’s international engagement. Not only is this expected, but it is further set to intensify due to the rapidly growing cyberattacks on India. In July 2022, the government informed the Lok Sabha that there were 394,499 cybersecurity incidents in 2019; 1,158,208 in 2020; 1,402,809 in 2021; and 674,021 in 2022 (till June). Despite this, it is perplexing that India does not have a cybersecurity strategy in place. At least, not yet.

There have been reports that Lt Gen Rajesh Pant, the National Cyber Security Coordinator, has been working on a National Cyber Security Strategy for the last few years. This strategy document is reported to be in the final stages of approval by the government. The government has, however, neither offered a reason for its pendency nor announced a clear timeline for its approval and implementation.

India’s data protection legislation has suffered a similar fate. In the works since at least 2017, when a committee of experts headed by Justice B N Srikrishna was constituted, the Personal Data Protection (PDP) Bill was introduced in parliament in 2019. In August 2022, the PDP Bill was withdrawn. While withdrawing the PDP Bill, the government announced that it would instead bring a comprehensive legal framework comprising separate laws relating to data privacy, the internet ecosystem, cybersecurity and telecommunications. On November 18, it released the draft Digital Personal Data Protection (DPDP) Bill for public comments.

The new Bill is significantly shorter than the earlier PDP Bill, concerns itself with only the ‘digital’ personal data, does away with ‘sensitive’ data categorisation and data localisation requirements, introduces duties and penalties for data principals, and provides no compensation to data principals in case of breach even as hefty fines are proposed on data fiduciaries. But most importantly, and not unlike the previous PDP Bill, the DPDP Bill provides unbridled powers to the government relating to accessing citizens’ personal data and the functioning of the proposed Data Protection Board of India. Expected to be introduced in the budget session of parliament in 2023, the DPDP Bill leaves much to be desired and may face stiff opposition from digital rights activists and opposition parties.

The absence of a cybersecurity strategy and a legal framework for data privacy, however, has not stopped the government from bringing various policies and guidelines. For example, in April 2022, the Computer Emergency Response Team-India issued cybersecurity guidelines. In February 2021, the government notified the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules under the Information Technology Act of 2000 (these rules were amended in October 2022). The pace of actions on the domestic front is matched by India’s increasing international engagement on cybersecurity and digital issues. For example, India is working with its Quad partners on protecting critical infrastructure from cyber threats and building capacities in the Indo-Pacific region under the Quad Cybersecurity Partnership.

India’s approach to cyber and digital issues demonstrates the abundance of actions, both on the domestic and international fronts, even as it lacks a cybersecurity strategy and legal framework. Ideally, strategy and legal framework should guide policy, and not vice versa. The National Cybersecurity Policy, which was released in 2013, is insufficient to meet the challenges facing India in the 2020s. A comprehensive cybersecurity strategy document would help tackle both home-grown and foreign cyber threats, rationalise the government machinery responsible for securing India’s cyberspace, as well as guide India’s domestic and foreign policies relating to cybersecurity.

Even a comprehensive cybersecurity strategy would be incomplete without an adequate legal framework relating to data protection. A strong legal framework would ensure that the data of citizens, from sensitive sectors like health and finance to non-personalised and metadata, is collected, stored and processed in a secure way with effective regulatory oversight and citizen empowerment at its core.

Absence of a comprehensive cybersecurity strategy, coupled with a legal vacuum regarding data protection, provides a fertile ground for malicious actors of all kinds. While the implementation of the latter would ensure that the best data security practices are followed by public and private bodies, the former would define those practices and dictate the response of the government and private bodies should a breach happen despite best efforts.

(The writer is a PhD candidate at the National Institute of Advanced Studies (NIAS), IISc Campus, Bengaluru)