Behind the Screens: Challenges Amidst India’s Cybercrime Surge

Posted On - 16 May, 2024 • By - King Stubb & Kasiva

Introduction

India’s booming digital landscape presents a double-edged sword. While it unlocks immense opportunities, it also exposes the country to a growing number of cyber threats. According to NCRB data, number of cybercrime complaints reported in 2023 is 11,28,265[1], resulting in significant financial losses.

India faces a variety of cybercrimes ranging from data breaches and financial sector vulnerabilities to cyber espionage and supply chain compromises. Addressing these challenges requires a multifaceted and targeted effort.

Legal Framework in India

India’s legal framework for cybersecurity is a complex web of legislation, regulations, and policies. While there is no single, unified cybersecurity law, the Information Technology Act (IT Act) of 2000 serves as the foundation. This act, along with subsequent amendments and additional regulations, establishes the core legal framework.

IT Act, 2000: This act defines cybercrimes, outlines data protection measures, and establishes CERT-In, the national cybersecurity agency.[2]
IT (Amendment) Act, 2008: This amendment strengthened the IT Act by updating cybercrime definitions, improving data security practices, and mandating incident reporting to CERT-In.[3]
IT Rules: These evolving rules address specific aspects of cybersecurity, such as reasonable security practices for sensitive data (SPDI Rules, 2011)[4] and intermediary guidelines (IT Rules, 2021)[5].
National Cyber Security Policy, 2013 (NCSP 2013): This policy outlines a broader strategy for improving cybersecurity through workforce development, infrastructure protection, and public-private partnerships.[6]
National Cyber Security Strategy 2020 (NCSS 2020): As a forward-looking initiative, NCSS 2020 aims to enhance India’s cyber resilience and readiness against evolving cyber threats. It emphasizes the importance of cybersecurity audits, workforce development, and institutional collaboration to safeguard critical infrastructure and digital assets.[7]
Digital Personal Data Protection Act, 2023 (DPDPA): The recent enactment of the DPDPA signifies India’s commitment to upholding data privacy rights and regulating the activities of data fiduciaries. Drawing inspiration from global standards like the GDPR, the DPDP establishes stringent obligations for data fiduciaries regarding data processing, security safeguards, breach notifications, and consent management.[8]

It is important to note that this framework is constantly evolving. New amendments and regulations are introduced to address emerging threats and technologies. However, legal gaps and challenges remain, which need to be addressed.

Understanding the Current Landscape: Challenges

Legal Gaps

Outdated IT Act: India’s core cybercrime law struggles with new threats like AI attacks and cryptocurrencies. Unclear definitions and weak penalties create loopholes for criminals.
Limited Scope for International Crimes: The legal framework lacks clear guidelines for handling cross-border cybercrimes. This hinders investigations and prosecutions of foreign attackers, despite some existing Mutual Legal Assistance Treaties (MLATs)[9].
Low Conviction Rates: Shortage of trained investigators and lack of sophisticated tools hamper investigations. Challenges with digital evidence and lengthy court processes further contribute to low conviction rates for cybercrimes.

Critical Infrastructure Vulnerability

India’s critical infrastructure, including power grids, transportation systems, and communication networks, faces significant vulnerabilities to cyber-attacks.
Example: In October 2019, there was an attempted cyber-attack on the Kudankulam Nuclear power plant, highlighting the potential risks to public safety and national security.[10]

Financial Sector Threats

The financial sector in India is highly susceptible to cyber attacks aimed at stealing money or extorting funds.
Example: A malware attack on the City Union Bank’s SWIFT system in March 2020 led to unauthorized transactions worth USD 2 million, underscoring the financial risks associated with cybercrime.

Data Breaches and Privacy Concerns

India’s transition to a digital economy has led to an increase in the volume of personal and government data stored online, raising concerns about data breaches.
For instance, in May 2021, the personally identifiable information (PII) and test results of 190,000 candidates for the Common Admission Test (CAT) were leaked, exposing individuals to privacy risks and identity theft.

Cyber Espionage

India faces threats from cyber espionage activities aimed at stealing confidential information and gaining strategic advantages.
For instance, operation SideCopy, a cyber espionage campaign uncovered in 2020, targeted Indian military and diplomatic personnel with malware and phishing emails, posing risks to national security and foreign policy.

Advanced Persistent Threats (APTs)

APTs are sophisticated and prolonged cyber-attacks that pose challenges in detection and mitigation.
For instance, in February 2021, a China-linked APT group targeted entities in India’s power sector with malware capable of causing power outages, highlighting the potential impact of APTs on critical infrastructure.[11]

Supply Chain Vulnerabilities

Weaknesses in software and hardware components used in government and business operations expose India to supply chain vulnerabilities.
Example: The global cyberattack on SolarWinds in December 2020 affected Indian organizations, including the National Informatics Centre (NIC) and Bharat Heavy Electricals Limited (BHEL), demonstrating the ripple effects of supply chain compromises.[12]

Addressing the Challenges

Strengthening Legal Frameworks

Update the IT Act: The IT Act needs revisions to address contemporary cyber threats like cyber terrorism and data breaches. Clearer definitions, procedures, and penalties for cyber offenses are crucial.
Improve Conviction Rates: Bridging the gap between reported cybercrimes and successful convictions requires more robust investigation methods and legal strategies.

Enhancing Cybersecurity Capabilities

Invest in Resources: India needs to invest in training a skilled cybersecurity workforce, establishing state-of-the-art cyber forensics facilities, and developing national cybersecurity standards.
Collaboration and Information Sharing: Fostering collaboration and secure information sharing between government agencies, private sectors, and academic institutions is essential.

Establish a Cyber Security Board

Centralized Response: A dedicated cyber security board with public-private participation can analyze major cyber incidents, recommend improvements, and oversee national cyber defense strategies.
Standardized Playbook: Implementing a standardized response plan for cyber vulnerabilities and incidents ensures a unified and effective approach.

Expanding International Cooperation

Global Collaboration: Cybercrime transcends borders. India should actively engage with international organizations and other nations to exchange best practices, share threat intelligence, and collaborate on investigations and prosecutions.
Regional and Bilateral Efforts: Participating in regional forums and bilateral dialogues allows India to build trust, address shared cyber issues, and learn from international partners.

Preventing Cyber Crimes

Advanced Frameworks and Technologies: Implementing advanced cybersecurity frameworks and investing in cutting-edge security technologies can significantly improve the protection of critical systems and networks.
Cyber Hygiene: Promoting good cyber hygiene practices among individuals and organizations, such as regular software updates, strong passwords, and secure online behavior, is crucial for basic defense.

Public Awareness and Education

Widespread Campaigns: Educating the public about cyber threats, safe online practices, and the importance of cybersecurity is vital to creating a more secure digital environment.
International Cooperation: Collaborating with international organizations can help develop and implement effective public awareness campaigns.
Cyber Insurance: Encouraging the adoption of cyber insurance allows organizations to financially recover from cyberattacks and invest in better security measures.

Conclusion and Looking Forward

India’s rapid digital expansion faces a critical challenge: cybersecurity. Legal loopholes, vulnerable infrastructure, and ever-evolving cyber threats expose the digital ecosystem to risks. However, this can be addressed by strengthening legal frameworks, building robust cybersecurity capabilities, fostering international collaboration, and promoting public awareness. Moving forward, proactive measures, collaborative initiatives, and continuous adaptation to emerging threats are essential.

[1] https://pib.gov.in/PressReleaseIframePage.aspx?PRID=2003158.

[2] https://www.indiacode.nic.in/bitstream/123456789/13116/1/it_act_2000_updated.pdf.

[3] https://eprocure.gov.in/cppp/rulesandprocs/kbadqkdlcswfjdelrquehwuxcfmijmuixngudufgbuubgubfugbububjxcgfvsbdihbgfGhdfgFHytyhRtMTk4NzY=.

[4] https://www.meity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf.

[5] https://www.meity.gov.in/writereaddata/files/Information%20Technology%20%28Intermediary%20Guidelines%20and%20Digital%20Media%20Ethics%20Code%29%20Rules%2C%202021%20%28updated%2006.04.2023%29-.pdf.

[6] https://www.meity.gov.in/writereaddata/files/downloads/National_cyber_security_policy-2013%281%29.pdf.

[7] https://www.dsci.in/files/content/knowledge-centre/2023/National-Cyber-Security-Strategy-2020-DSCI-submission.pdf.

[8] https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf.

[9] https://legalaffairs.gov.in/documents/mlat.

[10] https://www.vifindia.org/sites/default/files/cyber-attack-on-kudankulam-nuclear-power-plant.pdf.

[11] https://indianstrategicknowledgeonline.com/web/Chinese%20Cyber%20Exploitation%20in%20India%E2%80%99s%20Power%20Grid%20.pdf.

[12] https://hbr.org/podcast/2024/01/how-solarwinds-responded-to-the-2020-sunburst-cyberattack.