Year: 2025

Major Sadhna SinghConsultant When the lock is no longer yours Picture this: you wake up one morning, log into your email, and find that your credentials no longer belong to you. Not because you forgot them, but because they’re now circulating on the dark web ready for anyone with malicious intent to exploit. For millions worldwide, this is no longer a hypothetical. The recent exposure of over 16 billion stolen login credentials is not just another cyber incident; it is the largest breach of its kind in the history of the internet. What makes this leak particularly dangerous is its composition, freshly stolen data from active devices, harvested quietly over years through infostealer malware. Unlike headline-grabbing hacks that crash systems or trigger instant shutdowns, this breach unfolded silently, siphoning credentials without detection. The anatomy of a breach Infostealer malware doesn’t announce itself with ransom demands or a dramatic system lockout. It operates in the background, harvesting usernames, passwords, session cookies, authentication tokens, and stored files from infected devices. Investigators report that the leaked database is an amalgamation of at least 30 different sources. While some of it is recycled from older leaks, a large portion is recent, well-structured, and tied to identifiable individuals. Compromised services span global tech giants like Apple, Google, and Facebook, developer tools like GitHub, secure communication platforms like Telegram, VPN services, and even government portals. This isn’t simply about stolen passwords, it’s about the systems, data, and critical infrastructure those passwords unlock. And for a nation with India’s scale of digital adoption, the implications are severe. Why India should be worried Given India’s rapid digital adoption, large user base, and reliance on Digital Public Infrastructure (DPI), the impact of this breach could be disproportionately severe if unaddressed. Economic Security Risks Governance Vulnerabilities National Security Concerns Social Impact & Public Trust The cybercrime economy connection A breach of this scale is a goldmine for the dark web economy. Stolen credentials, sometimes bundled with device fingerprints, are traded for as little as $5–$10 per set, depending on the platform compromised. These are then used for: Every credential set is a potential stepping stone to a much larger compromise. India’s response gap While the Digital Personal Data Protection Act (DPDPA) 2023 introduces some protections, its enforcement mechanisms and breach notification timelines are still maturing. Many organisations in India lack: In short, our laws exist, but our readiness to operationalise them in real time remains weak. What needs to happen now This breach is a wake-up call for every citizen, policymaker, and business leader. The response must be both urgent and systemic. Immediate Actions Mid- to Long-Term Measures Implementation Roadmap Timeline Action Lead Agency Supporting Agencies 0–3 Months National breach monitoring cell operational CERT-In NCIIPC, RBI, MeitY 0–3 Months MFA mandate across key sectors RBI, MeitY TRAI, NIC 0–3 Months Credential hygiene drive MeitY State IT Depts, Industry bodies 3–12 Months Cyber Hygiene Code notified MeitY BIS, CII, NASSCOM 3–12 Months DPI resilience audits MeitY NIC, Private audit firms 12–36 Months Legal amendments enacted MeitY, MoL&J Parliamentary committees 12–36 Months Digital Trust Campaign rollout MeitY, MIB Industry partners The Bigger Picture The 16 billion credential leak is not a one-off incident, it is a stress test for India’s digital resilience. If addressed decisively, it can serve as the trigger for a national shift towards proactive cybersecurity, integrating policy, technology, and citizen behaviour. If ignored, it risks undermining economic stability, national security, and public trust in the digital state. If you haven’t changed your passwords yet, do it today. If you lead an organisation, ask yourself if your systems could survive being part of the next 16 billion. Because in cyberspace, it’s not if, it’s when. 📌 Major Sadhna Singh, Consultant Read More

Dr Banusri VelpandianSenior Law Specialist J E Jaya DeviLegal Consultant Co-author In Indian criminal jurisprudence, offences against life, limb and liberty form the cornerstone. It embodies the State’s fundamental duty to safeguard life, bodily integrity, physical autonomy, and personal liberty. These offences spanning across spectrum of the gravest to heinous nature strike at the very heart of human dignity and social order, demanding a robust legal framework to ensure justice, deterrence, and rehabilitation. The total FIRs (First Information Reports) registered in the year 2022 was 58,24,946 for crimes under Indian Penal Code (IPC) and Special & Local Laws (SLL); and among them 32.5% are for offences affecting the human body as per the report of National Crimes Records Bureau (NCRB). Urban areas continue to have higher crime rates when compared to rural areas. The constitutional foundation for protection of life, limb and liberty lies in Article 21 of the Constitution of India, which guarantees the right to life and personal liberty – a right, judicially expanded to include dignity, bodily security, and freedom from physical harm. Articles 14, 15, and 20 further complement this protection by ensuring equality before law, non-discrimination, and safeguards against arbitrary punishment. Criminal law operationalises these guarantees through substantive, procedural, and evidentiary provisions that criminalise acts infringing life, limb, and liberty. The legal response to such crimes has undergone a profound transformation from the fragmented pre-colonial justice systems to the codified Indian Penal Code (IPC), 1860, and now to the transformative Bhartiya Nyaya Sanhita (BNS), 2023. “The soul of our criminal justice system must reflect the spirit of our Republic, not the shadows of colonial governance” – Extract from the Parliamentary Debate in 2023 on amending the Indian Penal Code. This article presents a structured commentary on the transition from the IPC to the BNS and relevant legal principles. STATUTORY FRAMEWORK For over 160 years, the IPC’s Chapter XVI, ‘Offences Affecting the Human Body,’ defined how the State would respond when life, limb, and liberty were violated or harmed. Since 2023, Bhartiya Nyaya Sanhita, (BNS, 2023) ushers a modernised statutory framework that preserves the substantive core of the IPC while refining its drafting, structure, and penalties based on contemporary realities. It adopts a graded punishment structure based on severity and culpability, thereby upholding public order, human dignity and evidentiary rules remain responsive to evolving forms of violence, advances in technology, and the expectations of victims. Historical background and evolution of the IPC Historically, India’s criminal justice system was a fragmented amalgamation of religious, customary, and colonial laws and marked by inconsistency and bias. This includes justice delivery in terms of Manusmriti, Yajnavalkya Smriti, Arthashastra or Sharia. Among tribal communities, justice was administered through unwritten customs, community mediation, and compensation in the form of livestock, land, or goods. The arrival of the British East India Company in the seventeenth century introduced partial codification, most notably through the Cornwallis Code of 1793 in Bengal, which sought uniformity but retained the elements of religious law for personal matters. Punishments for similar offences varied drastically between regions, undermining fairness and public trust. This patchwork system created inconsistency and administrative inefficiency. The consolidation of British rule promoted the need for a uniform penal law to ensure consistency, fairness, and effective governance drawing from English common law, the Napoleonic Code, and utilitarian principles. In 1834, the First Law Commission under Lord Thomas Babington Macaulay drafted the IPC, which was passed on 6 October 1860 and came into force on 1 January 1862. Comprising 511 sections in 23 chapters, IPC became the comprehensive criminal law framework for British India. Since then, IPC has undergone numerous amendments and few cardinal ones are as given hereunder; Year & Amendment Key Changes Purpose / Context 1870 Amendment Clarified provisions for abetment (Sections 107–120); clarified joint liability (Sections 34, 149) Strengthened accountability for group crimes such as gang-related murders or assaults. 1983 & 1986 Amendments Introduced Section 304B (dowry death) Addressed dowry-related violence and rising incidents of bride-burning, influenced by feminist activism and public outrage. 2013 Amendment (Post-Nirbhaya) Added Sections 326A & 326B (acid attacks); expanded definitions of sexual offences Response to 2012 Delhi gang-rape; aimed at stronger protection for women and deterrence against sexual violence. 2018 Amendment Strengthened laws on sexual offences against minors; alignment with POCSO Act, 2012 Tackled child abuse and exploitation; enhanced penalties and protections. There are several landmark decisions that also shaped up the evolution of IPC. Four such case laws are picturised below; Transition from IPC to BNS, 2023 The Indian Penal Code (IPC), drafted under colonial era in archaic language had significant gaps in addressing modern crimes including cyber offences, victim protection etc. Its punitive focus overlooked rehabilitation, and limited victim rights clashed with contemporary justice principles. The focus was also to deliver justice rather than to penalise i.e., from ‘dand’ to ‘nyay.’ In 2023, the Bharatiya Nyaya Sanhita (BNS), 20231 , was enacted as part of a legal reform trio alongside the Bharatiya Nagarik Suraksha Sanhita, 20232 and the Bharatiya Sakshya Adhiniyam,20233 replacing the IPC, CrPC, and Evidence Act respectively. Effective from 1 July 2024, the BNS reduces 511 sections of the erstwhile IPC to 358, uses plain and culturally resonant language, and incorporates gender-neutral and victim-centric provisions. It introduces community service for minor offences, clearer definitions, and new categories such as mob lynching (Section – 103(2)), organized crime (Section – 111), petty organized crime (Section – 112), and enhanced penalties for acid attacks (Section – 124). By modernising certain terminology, recognising emerging crimes, and embedding restorative justice, the BNS seeks to decolonise India’s criminal law and align it with constitutional ideals and global human rights standards. Significant Legal Principles and Maxims ● Cognizable and non-cognizable: ‘cognizable offence’ means an offence for which, and ‘cognizable case’ means a case in which, a police officer may, in accordance with the First Schedule or under any other law for the time being in force, arrest without warrant (BNSS section 2 (1) d). ● ‘Non-cognizable offence’ means an offence for which,…

Sreekumar NarayananChief Growth Officer,BNB Security & Automation solutions The inflection point that no one can ignore For two decades, India’s Global Capability Centers (GCCs) and IT MNC campuses have been built on a familiar blueprint – design the ELV and MEP systems to code, tender them out as capital projects, commission, hand over fat as-built folders – and move on. Meanwhile, resilience was ‘someone else’s problem,’ usually a business continuity or facilities footnote. That mental model is collapsing. Chronic flooding in tech corridors, rolling cyber-physical attacks and a regulatory landscape that now demands evidence (not promises) are forcing enterprises to rethink the way buildings, people and technology are protected. The era of the point-in-time compliance audit is giving way to a continuous, sensor-driven assurance fabric; and at the center of that transformation stand MEP/ ELV Specifiers – if they choose to step up. This article lays out a practical, standards-aligned roadmap for Specifiers to evolve from traditional ‘BoQ writers’ into architects of resilience-as-a-service. It shows how to embed Sensor-as-a-Service (SaaS²) commercial models and how to design Key Risk Indicators (KRIs) that naturally roll up into business-facing Key Performance Indicators (KPIs) at the Operations Command Center – or the now-converged GSOC. From hardware lists to metric Bills of Materials Specifiers have historically been judged on the elegance and completeness of drawings, schematics and hardware schedules. Tomorrow’s value will be judged on how well you define what to measure, why to measure it and how fast that insight reaches decision-makers. Enter the metric Bill of Materials (mBOM) Instead of only listing ‘300 smoke detectors, addressable, UL listed,’ the specification now states the metric it supports (e.g., Life Safety Loop Integrity KRI), the sampling frequency, acceptable downtime percentage, calibration windows and the API payload through which that metric will surface at the GSOC. Think of it as a parallel BoM that makes the system talk in the language of resilience. Key shift Sensors are no longer just hardware – they are sources of regulated evidence. If the detector fails silently, you haven’t just lost a device; you have lost a compliance control. The business model pivot: Sensor-as-aService (SaaS²) GCCs want predictable OPEX, faster refresh cycles and guaranteed outcomes. Specifiers can enable this by insisting that bidders price two parallel tracks: SaaS² aligns incentives. Vendors are paid to keep the metric healthy, not just to install hardware. Specifiers should specify: By codifying these in the specification and RFP, one opens the door for integrators to offer true lifecycle value while keeping clients off the CapEx treadmill. KRIs, KPIs and the GSOC as the Single Scoreboard Resilience as a concept fails when it lives in slide decks. It succeeds when it’s visible, trended and tied to incentives. That’s why the GSOC (or any Command Center) must display a balanced set of metrics: Each phase outputs measurable KRIs that reinforce or recalibrate KPIs. Anchor everything in standards (so audit teams nod, not frown) A metric-first, service-based design must still feel familiar to auditors and regulators. Use standards as your scaffolding: Including a cross-reference matrix in the spec that links each metric to a clause turns dashboards into audit evidence factories. Rewriting the RFP: Structure for outcomes, not just outputs A reimagined RFP should lead with intent and outcomes, not boxes and ducts. Below is a high-level outline you can adapt: Section 1: Intent & Outcomes State resilience and continuous compliance as strategic outcomes. List the KPIs/ KRIs expected on the GSOC wall. Section 2: Technical Scope (Metric BoM) For each system/ space, capture sensor type, accuracy, sample rate, protocol, data tag list, threshold, owner. Section 3: Commercial Models Demand both CapEx and SaaS² quotes. Include templates for – setup fee, monthly fee, refresh % per year, SLAs, service credits. Section 4: Data Governance & Security DPDP roles (controller/ processor), retention policies, anonymization/ pseudonymization options, API authentication (OAuth2), encryption. Section 5: Playbooks & Integrations Ask for at least three SOAR playbooks mapped to your risk register (e.g., flood event, fire pre-alarm, OT network anomaly). Require integration approach with existing SOC, BMS, CAFM, ERP, HRMS. Section 6: Evaluation Matrix Build a scorecard with heavy weightage on KPI/ KRI coverage, openness of protocols, scalability of the SaaS² model and proven performance metrics (MTTD, MTTR, Uptime). By scripting the RFP this way, you are signalling to bidders – “Don’t just drop a BoQ – show me how you will keep my resilience metrics green for five years.” Contracting: From lump-sum EPC to master service agreements “For two decades, India’s Global Capability Centers (GCCs) and IT MNC campuses have been built on a familiar blueprint – design the ELV and MEP systems to code, tender them out as capital projects, commission, hand over fat as-built folders – and move on. Meanwhile, resilience was ‘someone else’s problem,’ usually a business continuity or facilities footnote” 1. Master Service Agreement (MSA) 5–7 Years Bundle technical schedules (Sensor lists, APIs), commercial schedules (fee tables, indexation), compliance mapping and service credit mechanisms. 2. Performance Clauses & Service Credits If breached, apply fee abatements or demand remedial action plans. This ensures that resilience is enforceable, not aspirational. 3. Tech Refresh & Exit Clauses 4. Data & Privacy Addendum Clearly state data ownership, processing rights, breach notification timelines (e.g., 72 hours), and log/audit export rights. DPDP compliance must be explicit, not implied. Delivery methodology: Design → Build → Operate → Optimise (DBOO) Classic EPC handovers trap value in PDFs. A DBOO approach creates a living system: Data Governance: The new drawing register If drawings and schedules were the holy-grail of old projects, JSON payload schemas and API docs are the new scripture. Specifiers should insist on: By setting these expectations, you ensure the integrator is contractually obliged to deliver not just functioning systems, but structured data you can trust and prove. Toolkits specifiers should carry “Specifiers have historically been judged on the elegance and completeness of drawings, schematics and hardware schedules. Tomorrow’s value will be judged on how well you define what to measure, why to measure…