By Shivanand Pandit
Cybercrimes are increasing across the world. In particular, India has witnessed a tremendous jump in the number of cybercrimes. According to information provided by the Ministry of Electronics and Information Technology (Meity) to a parliamentary panel, between 2018 and 2021, there was a five-fold increase in cybercrimes and cyber fraud incidents recorded by the government. Meanwhile, amid this increase in cyberattacks, the central government is yet to execute the National Cyber Security Strategy, which has been in the works since 2020. The ministry told the panel that India has experienced a noteworthy surge in cases of cyber fraud and cyber-linked incidents in the previous three years. An increase in phishing attacks, financial fraud, spam email and ransomware attacks was reported during the Covid-19 lockdown, when people largely worked from home, as attackers impersonated brands and deceived employees and customers.
According to data available with the Indian Computer Emergency Response Team (CERT-In), the government agency for computer security, the number of cybercrimes increased from 2,08,456 in 2018 to 14,02,809 in 2021. That is approximately a 572% surge in three years! Also, 2,12,485 such incidents were recorded in the first two months of 2022 alone! Indian organizations saw a 218% surge in ransomware attacks in 2021, making India the 10th most targeted nation worldwide and second after Australia in the Asia-Pacific region. India was ranked among the top 10 countries out of 193 in cyber security posture for 2020, climbing from the 47th position in 2018 to the 10th position in 2020. According to the American cyber security organization Palo Alto Networks’ 2021 report, Maharashtra was the most targeted state in India, facing 42% of all the ransomware attacks.
India is among the more lucrative countries for hacker groups, which demand that Indian firms pay a ransom, usually in cryptocurrency, to regain access to their data. A worrying 25% of Indian organizations suffered a ransomware attack in 2021. This is higher than the international average of 21%. Software and services (26%), capital goods (14%), and the public sector (9%) were among the most targeted sectors. Also, according to a study done by CyberPeace Foundation, Autobot Infosec Private Limited, along with CyberPeace Centre of Excellence, cyberattacks on the Indian petroleum refinery network have been on the rise, with massive attacks recorded between October 2021 and April 2022.
The country’s cyber security strategy recommends a distinct legal framework for cyberspace and the formation of an apex body to tackle threats, responses and grievances. However, this has been pending with the central government for over two years. The strategy, conceptualized by the National Security Council Secretariat of India, led by Lt General Rajesh Pant, has been in the works since 2020. Named the National Cyber Security Strategy, 2021, the policy emphasizes the need for a judicial framework to address the evolving challenges in the technology sector.
In the recent budget session of Parliament, many MPs grilled Meity on when the centre intends to announce the policy. In response, the centre explained that it has prepared a draft National Cyber Security Strategy, 2021, which holistically looks at addressing issues related to security of national cyberspace. Without mentioning a deadline for its execution, the centre added that it had no plans, as of now, to coordinate with other countries to develop a global legal framework on cyber terrorism.
The Data Security Council of India (DSCI) has prepared a 22-page report focusing on 21 areas to ensure a safe and vibrant cyberspace for India. Some of the focus areas are large-scale digitalization of public services, state-level cyber security, etc. The report recommends a national framework that should be set up in collaboration with institutions like the National Skill Development Corporation and Information Security Education and Awareness to provide global professional certifications in security. The DSCI further recommended the creation of “cyber security services” with a cadre chosen from the Indian Engineering Services. However, all these suggestions are only on paper, as of now.
The Ukraine-Russia war has confirmed that a cyberwar is in progress. Power and telephone networks have been disrupted. Australia’s policy, introduced in 2020, has expanded the sectors covered under the policy from the earlier 4 to 11. Likewise, the UK has designated 13 sectors as critical infrastructure. Although numerous industry specialists have stressed the need for a cyber security policy in India, the government is still not treating the issue as a priority.
The current legal and regulatory frameworks do not address the evolving threat scenarios or the methods to fight them. Currently, there is no dedicated body to take care of cyber security. Responses to cyber security threats can be taken under the Information Technology Act and the IPC. CERT-In and the National Critical Information Infrastructure Protection Centre handle incident responses.
The rise in cyberattacks and threats in India has brought to light the urgent need for strengthening the country’s cyber security. India should execute a strategy immediately, and it needs its own cyber security law and a dedicated authority to be on par with global standards. Cyber security needs to be extended to safeguard many verticals of critical infrastructure. There should be consolidation, integration, reorientation, and realignment of the present mechanism to create the apex body.
The strategy should aim to set up a comprehensive system, with both state-owned and private companies having to comply with cyber security standards. It should stipulate a strict recurring cyber audit and suggest annual appraisals by the apex body yet to be established. The framework of the policy should aim to label cyber security as a strategic sector. There should be an obligation upon all players to ensure cyber safety. However, this can only be done if Parliament passes a bill quickly.
The pandemic delivered a severe warning about India’s cyber security. Several Covid-19 test results were leaked, and a cyberattack took place on the systems of an airline service provider, resulting in the leakage of personal data of 4.5 million passengers. As per the investigation by US cybertech firm CrowdStrike, on average, companies across the world take seven days to respond to cyber security violations. In contrast, Indian companies take around nine days. India now has more than 1.15 billion phones and over 700 million internet users, which makes it a sitting duck for cyberattacks. The pandemic has only worsened this problem as it resulted in an even heavier dependence on digital technologies. From payments to e-shopping to working from home, the pandemic led to the greater adoption of interconnected devices and hybrid work networks. Consequently, this vast and rapid expansion of digital assets has only increased the scope for cyberattacks.
The abovementioned facts and figures push India to the bottom of the list when it comes to dealing with cyber security threats and attacks. Undoubtedly, India is one of the fastest-developing markets for digital technologies. Therefore, the government needs to introduce and implement a robust cyber security strategy immediately.
—The writer is a financial and tax specialist, author and public speaker based in Margao, Goa