Cert-In short of staff to help curb ransomware: Meity to parliamentary panel
The ministry said that manpower is also required to continuously gather intelligence to counter cyber threats, to analyse cyber security audit reports, to conduct training programmes and mock drills
Due to insufficient workforce, the Indian Computer Emergency Response Team’s (Cert-In) work in helping entities affected by ransomware incidents is impacted, the ministry of electronics and information technology (Meity) informed the parliamentary standing committee on communication and IT as per the committee’s ninth report on demand for grants tabled in the parliament on Friday.

Meity said that Cert-In is in “urgent” need of additional manpower to deal with increase in cyber security incidents and issues. The organisation also needs dedicated space for its offices, data centre and disaster recovery site.
“CERT-In faces challenges due to insufficient manpower while conducting onsite incident response activities to help affected entities in containment of incident and reducing the impact and resume operations in reasonable time,” the ministry told the committee.
The ministry added that manpower is also required to continuously gather intelligence to counter cyber threats, to analyse cyber security audit reports, to conduct training programmes and mock drills, and to improve technological solutions to deal with new threats from technologies such as AI, cloud and IoT.
To address the issue of manpower, it proposed to create additional posts at various levels and resubmitted the proposal to department of expenditure after the latter sought more details on receiving the initial proposal.
In the February budget, the allocation for Cert-In had been marginally increased from ₹241 crore (RE FY25) to ₹255 crore (BE FY26), a 5.8 per cent increase. Since FY21, Cert-In has always utilised more than 90 per cent of its revised estimate, topping at 120 per cent utilisation in FY24.
However, utilisation of funds allocated to cyber security projects, that is, the National Cyber Coordination Centre (NCCC) and R&D projects in cyber security has been far more sporadic. It topped at 92 per cent of the RE in FY22, decreased to 30 per cent of RE in FY23, increased to 79 per cent of RE in FY24 and again fell to 60 per cent as of January 31, 2025 in FY 25.
NCCC is a project under Cert-In that scans the country’s web traffic to detect cyber security threats. It shares metadata with different agencies to mitigate threats.
In Phase I of the project, operationalised in 2017, NCCC scanned the metadata from at least 20 sites of internet service providers and organisations. MeitY informed the committee that the work to integrate 250 more sites under phase II is expected to be done by end of FY25. It said that data centre and disaster recovery centres had already been operationalised. It said that the project to collect, store and analyse traffic flows data from ISP gateways under phase III was approved in November 2023 and is currently under implementation. To meet the targets for NCCC, work has been assigned to a “Project Execution Agency” which is closely working with Cert-In. The committee wants to know how the PEA is ensuring that deadlines are met.
MeitY said that the integration of these metadata sites with NCCC has been delayed because the integration depends on remote organisations making their sites ready.
In the February budget, the allocation for cyber security projects increased from ₹322 crore (RE FY25) to ₹590 crore (BE FY26), marking a 83.2 per cent increase.
The committee also wanted to know how --- with the reduction in allocation from ₹1,748.64 crore (BE) in FY25 to ₹1600 crore (BE) in FY26 --- the National Informatics Centre was expected to fulfil its mandate of e-governance and ICT infrastructure. To be sure, the allocation for NIC for FY25 was revised to ₹1,538.34 crore of which ₹1,036.55 crore had been spent as of January 31, 2025. MeitY said that it was possible because funds were allocated to NIC mainly for “establishment related expenses”.
The committee said that MeitY must ensure that the decrease in allocation of funds to NIC must not affect its mandate and targets.
The committee noted that at ₹8,744.23 crore as of January 31, 2025, only 39.86 per cent of the budget estimate (BE) of ₹21,936.90 crore or 49.77 per cent of the revised estimate (RE) of ₹17,566.31 crore had been utilised in FY25.
Despite this under-utilisation of funds, the ministry increased the allocation from the ₹17,566 crore RE FY25 to ₹26,026.25 crore for FY26. MeitY said that this was done because of three MeitY schemes --- production linked incentive (PLI) scheme, IndiaAI Mission, and the Modified Programme for Development of Semiconductors and Display Ecosystem in India.
In FY25, as of January 31, 2025, at ₹427.29 crore, MeitY had used 63 per cent of the revised estimate of ₹677.68 crore that was allocated for the promotion of electronics and IT hardware manufacturing. The BE for this head was ₹750 crore. “The RE 2024-25 provision for this was decreased by about Rs.71 crore. The variation was due to either non-receipt of claim or non-submission/compliance of requisite milestones by the applicant companies,” the ministry told the committee.
“In both PLI and Semiconductor schemes, expenditure/disbursement of incentives is dependent upon what the private companies are able to deliver. So, it is beyond the control of the Ministry. However, based on the estimated claims Ministry is likely to receive during FY 2025-26 under PLI scheme, status of approved projects under semiconductor scheme and progress made under IndiaAI Mission, the allocation under these schemes have been substantially increased,” MeitY said
The committee also reiterated its earlier recommendation that MeitY should consider creating a separate IT cadre under it to effectively supervise and implement schemes, and to increase the number of skilled IT professionals who can support the government’s digital initiatives.
The committee also recommended that four of the eight AI Safety Institute’s (AISI) projects – real-time deep fake detection, AI-generated content watermarking, ethical AI frameworks and red teaming AI models – should be adopted without delay. It said that the other four projects – machine unlearning, synthetic data generation for bias mitigation, AI bias mitigation in healthcare systems and AI algorithm auditing tools – should be developed as early as possible in consultation with stakeholders.
ABOUT THE AUTHORAditi AgrawalAditi covers technology policy, online free speech, privacy, cybersecurity, and surveillance.

E-Paper


