Thursday, April 18, 2024

A Hydra-headed Monster

The cyber attack on AIIMS was worrying and has highlighted the need for cyberspace security. India needs to enact a new national cyber security policy and follow China and the US in tightening laws in this regard.

By Sahil Agrawal and Rakesh Singh

“Cyber security is a shared responsibility. In cyber security, the more systems we secure, the more secure we all are.”  

—Jen Johnson, former US Secretary of Homeland Security

Jen Johnson’s idea deserves consideration in the current Indian context, particularly when cybercrime is rising. According to the Norton Life Lock study report, cybercrime cost India Rs 1.24 trillion over the previous year. Of the 131 million victims of cybercrime, 63% were Indians. These facts alone are sufficient to demonstrate the need for cyberspace protection. Despite cyberspace’s significant economic contribution to India, the government pays little attention to keeping it secure. 

The cyber attack on the prestigious All India Institute of Medical Sciences (AIIMS) on November 23, 2022, once again highlighted the need for cyberspace security. All the hospital’s servers were down due to the cyber attack and there was growing worry that the breach, “in all likelihood”, could have also hit AIIMS facilities in other cities and more hospitals connected on the network. The Intelligence Fusion and Strategic Operations unit of the Delhi Police on November 25 opened a case of extortion and cyber terrorism. 

This attack is not the only example of cyber terrorism. Bombs exploded in Zaveri Bazaar in Mumbai in 2011, and a similar incident was reported in Varanasi in 2010. E-communication was used to carry out both incidents. After these two instances, the government had no choice but to amend the Information Technology Act of 2000, and Section 66F was added to deal with cyber terrorism specifically. However, the number of cyber terrorism incidents grew rather than decreased.

In 2018, around 1.1 billion Aadhaar cardholders’ personal information was compromised and made available to the public. The leaked information, including PAN numbers, phone numbers, bank account numbers and other sensitive information, was a matter of concern.

The act of cyber terrorism is covered under Section 66F of the Information Technology Act, 2000. It says: “Whoever knowingly or intentionally penetrates or accesses a computer resource without authorization or exceeding authorized access, and using such conduct obtains access to information, data or computer database that is restricted for reasons of the security of the State or foreign relations; or any restricted information, data or computer database, with reasons to believe that such information, data or computer database so obtained may be used to cause or likely to cause injury to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or about contempt of court, defamation or incitement to an offence, or the advantage of any foreign nation, group of individuals or otherwise, commits the offence of cyber terrorism.”

Penalties for cyber terrorism can be found in Section 75 of the IT Act 2000, which says that Sections 75 and 66F must be read in conjunction with each other to ensure that anyone who engages in or conspires to engage in cyber terrorism is punished and could include a life sentence. 

So, it is a wonder that terrorist acts are not declining despite this. Is it, therefore, necessary to modify the legal system? While addressing the public on the 74th anniversary of Independence, Prime Minister Narendra Modi had promised that the government would soon introduce a new cyber security policy. However, nothing has been forthcoming as yet. Supreme Court judges have occasionally underlined the need to strengthen cyber laws. Justice Dipak Misra stated at an international conference that “the government must strengthen cyber laws”.

It is obvious that the Information Technology Act of 2000 is insufficient for combating cybercrimes. In India, no law governs the area specific to data protection in the health sector. The IT Act cannot lay down any duty on hospitals to protect the details of their patients. On the other hand, the European Union and the US have specific laws governing  privacy and protection of personal information when transmitted out of their domain.

India’s IT Act places more emphasis on increasing civil liability and lessening the quantum of punishment, which is probably why there have been only a few cybercrime convictions nationwide.

Cybercrime is extra-territorial in nature. Therefore, it becomes challenging to determine the jurisdiction of this crime. An individual committing the crime may be from a different country and the target of the crime may be in a different location. Which state court has jurisdiction to resolve the dispute is a point of contention regarding international matters. The Act says nothing about how extraterritoriality would be enforced.

The Parliament has not yet passed any legislation that addresses the problem of cyber attacks. India’s poor rating in the national cyber power index, published recently by Harvard’s Belfer Center for Science and International Affairs, is alarming. While the US is ranked first in the index, China is ranked second. What is the reason for this?

China published the “network data security management rule” on November 14, 2021, to strengthen its cyber and data protection regulations. China continuously works to tighten its cyber laws because it knows that as the internet era and the complicated challenges associated with it evolve, it is crucial to change. India needs to catch up because it is still employing outdated information technology laws from 2008.

Similarly, the US president has designated cyber security as one of his key policy areas. Secretary of Homeland Security Alejandro N Mayorkas established a roadmap for the cyber security activities to be put forth by the US to secure its cyberspace to advance the president’s goal. Both China and the US have separate departments for handling cyber concerns.

India needs to give cyberspace the attention it deserves and enact a new cyber security policy that Modi promised on Independence Day. This comes after taking note of the shortcomings of the Information Technology Act of 2000 and following the lead of China and the US. While the Indian government has taken several measures such as enacting the Personal Data Protection Bill of 2022 to secure cyberspace, it must be carried out in word and spirit. 

—Both writers are second year students at Dharmashastra National Law University Jabalpur


News Update