Cyber resilience requires cooperation

Cyber attacks have multiplied worldwide, with studies suggesting that 2022 saw a 38% increase in attacks compared to the previous year. India is no exception and is one of the most attacked countries in the world.

This global increase in cyber attacks is in part due to the rapid digitisation, especially of essential services. States have also started weaponising the cyberspace for geopolitical reasons, often by orchestrating non-state actors. For India in particular, several cyber attacks have allegedly originated from geopolitical adversaries.

Cyber attackers have become increasingly sophisticated and are armed with newer forms of technology. Persistent attacks against critical healthcare, transport, and power infrastructures could cause significant socio-economic harm.

Also Read | Cybersecurity: A profession for all age groups

While there are global efforts to design guardrails against the weaponisation of the space, these measures take a long time to take shape. The United Nation's attempt to create norms for responsible behaviour, for instance, has yielded little in terms of accountability mechanisms or ‘redlines’ for states and non-state actors.

This is partly due to geopolitical gridlock which is only intensifying with the war in Ukraine as well as a lack of willingness on the part of states to disclose and restrain their capabilities.

India has unsurprisingly recognised cybersecurity as a key national security policy priority. Over the past decade, a number of institutions have been set up for this purpose. This includes the National Critical Information Infrastructure Protection Centre and the office of the National Cyber Security Coordinator who advises the Prime Minister on cybersecurity strategy. India's Computer Emergency Response Team (CERT-IN) is the nodal agency for proactively detecting, responding to and mitigating various cybersecurity threats.

Published in 2013, the National Cyber Security Policy remains India’s only national-level legislation dealing with cyber security and it does not clearly articulate an overarching cyber doctrine.

A process to put in place a new national cyber security strategy was spearheaded by the National Security Council Secretariat in 2020 but a draft of the strategy has yet to be published.

Notwithstanding the absence of an overarching governing doctrine, India has cooperated with several partners through forums like the Quadrilateral Security Dialogue to articulate principles on, and identify modalities for countering key cybersecurity threats such as ransomware.

Law

The Information Technology Act, guidelines recently issued by CERT-IN, and several draft iterations of the Data Protection Bill impose obligations on any entity handling data to undertake ‘reasonable security practices' in line with international standards and notify the relevant authorities within set time frames.

Also Read | Threats in the cyberspace: Critical systems at risk

However, the law does not provide compensation to individual victims whose data may have been breached or stolen as a result of a cyber attack. The hitherto largely untested mechanism of cyber insurance policies may be of some use here. However, across jurisdictions, insurance companies have often refused to pay off claims arising from a cyber attack by invoking the ‘act of war’ exception.

Ultimately, improved cyber resilience will require robust cooperation within the government institutions, with the private sector and with trusted geopolitical partners. This cooperation must be utilised to make technical cyber defence capabilities stronger and to implement awareness mechanisms that can ensure widespread adoption of cyber hygiene practices.

(The author is a non-resident research fellow at the Centre for Internet and Society)