India’s unique opportunity in the cybersecurity realm
India, with our current positioning, could act as a bridge, working with these hostile stakeholders to create a global regulatory framework of common minimum acceptance.
India’s cybersecurity incidents have been on a steady rise, growing from 394,000 reported cases in 2019 to 1.4 million in 2021. The first quarter of 2022 saw 1.8 million attacks. This is an unsurprising trend in our age of accelerating digitisation. Data, the driver of the digital economy, is often the prime target of these attacks, through data thefts, software such as malware that corrupts data and makes them unusable, or ransomware that requires the victim to pay hefty amounts for the release of data. Over 75% of India’s organisations faced an attack in the past year, with an average data breach costing ₹35 crore, draining billions from our industries.
With the blurring of boundaries between the cyber and the physical world, the ramifications of these incidents are felt beyond the digital realm. Hostile State and non-State actors can cause unprecedented damage, much more than any traditional security threat, by targeting critical systems, including banking, transportation, and power and water grids. These incidents are highly asymmetric, as the aggressors, many of whom remain anonymous, use minimal resources to cause disproportionately high damage.
In April, the Indian Computer Emergency Response Team (CERT-In), India’s cyber security agency, introduced a series of compliance requirements for organisations to combat cyberattacks. All organisations, in the private and government sectors, are obliged to report cyber incidents within six hours of noticing or being brought to the notice of these incidents. All of them are mandated to designate a point of contact to interface with CERT-In. They are also required to take action or assist with the agency’s response activities. Currently, most Indian organisations are woefully ill-equipped to tackle sophisticated cyberattacks. Beyond reporting, they struggle to be equitable participants in blunting cyber threats.
Various Indian governments realised the magnitude of these threats and have played proactive roles in creating institutions meant to tackle this growing menace. Nodal agencies, CERT under the erstwhile department of information technology and the National Technical Research Organisation (NTRO) under the national security adviser (NSA), were created as early as 2004. A national cybersecurity policy was created in 2013, and a national cybersecurity coordinator was appointed in 2014.
Recognising the looming threat from antagonistic actors, including rival armies and terror organisations, to our defence equipment that is heavily reliant on electronic systems, India recently set up a tri-service command, the Defence Cyber Agency (DCyA), with cutting-edge defensive and offensive capabilities. Every state has set up specialised cybersecurity command and control centres and cyber-domes to curb cybercrimes.
Nonetheless, with cyber threats growing exponentially, India will have to create an integrated cybersecurity doctrine and framework. We will also need to enhance the cyber threat mitigation capacity and cyber resilience of our public and private organisations as they bear the brunt of these malicious attacks. Further, with a large percentage of India’s cyberattacks coming from beyond our borders, international collaborations will make our efforts to counter cyber threats more efficient. It will also be a cause where we can find common ground with the rest of the world. Cybercrimes inflicted worldwide damages worth over $6 trillion in 2021 alone.
The European Union (EU) initiated the first international treaty, the Budapest Convention, in 2001, aimed at tackling cybercrimes by harmonising national laws and investigative practices. Sixty-seven countries, including the United States (US) and Japan, are signatories. Countries including India, Brazil, China and Russia stayed out as they were not participants in its drafting. A few clauses that infringe on the digital and law enforcement sovereignty of emerging nations were also embedded in the accord in their absence.
The United Nations (UN) General Assembly also established two processes to discuss the issue of security in the Information and Communications Technology (ICT) environment. Through a resolution sponsored by Russia, it established an Open-Ended Working Group (OEWG), which comprised the entire UN membership. Around the same time in 2019, the US initiated another resolution on the continuation of the Group of Governmental Experts (GGE). The GGE was limited to 25 countries from regional organisations including the EU, African Union, and member-States from major geographical regions. The road maps of both resolutions included discussions on tackling potential avenues of cyber threats, setting global standards, the applicability of international law, and measures to build capacity for member-nations. Based on adoption, States found the two resolutions to be complementary and not mutually exclusive.
However, recent developments, exacerbated by the conflict in Ukraine, have our world moving back towards the Cold War days of being divided into antagonistic blocs. There are slim chances of them cooperating in areas of competing interests, thereby stalling all ongoing efforts through the UN group processes. India, with our current positioning, could act as a bridge, working with these hostile stakeholders to create a global regulatory framework of common minimum acceptance. Besides providing a massive boost to our national security situation, such an initiative could be our most important contribution to the systems of global governance.
Anil K Antony is a tech entrepreneur and public policy commentator, and works on the Congress’s digital initiatives
The views expressed are personal