Ashish Kumawat, Former Security Professional with Reliance Group Support Services;
PhD in Public Policy and Law from Central University of Rajasthan
In any nation, laws and public policies are the torchlights for development within any domain. It sets forth the path to be followed, the existence of a liberal/ restrictive space within which the innovations can flourish or be curtailed. However, the main problem pertains to the long gestation period in the visibility of the outcomes, which may restrict the promptness of the governments to amend the policy or to resort to Parliament to amend the laws. The same may also hold for cyber-space in India. As per the Data Security Council of India (DSCI), India remains the second most cyber-attack-affected country globally.
Dr U.K. Vairagade, associate professor, Dr. (Sow.) IBP Women’s College (Aurangabad) says that the modern thief can still do more with a computer than with a gun. Dr Vairagade argues that today’s terrorists can do much more harm with a keyboard than with a bomb. In this age of artificial intelligence, internet of things and cloud computing, do people like Osama still need to hijack a narrow plane? The obvious answer, as we all may agree, is that today, a simple attack on critical infrastructure can be more devastating than any other attack. One of the best and most recent examples of this case is Russia’s cyber-attacks on Ukraine.
Therefore, the importance of cyber-security cannot be underestimated. Anju A. Singh, assistant professor, V.N. Patil Law College (Aurangabad), states that we cannot ignore cyber-security in India as it has become an indispensable asset to protect businesses, governments, institutions, and individuals.
Legal and policy strategies adopted in India
Given the importance of cyber-security and its potential to disrupt the political as well as socio-economic fabric of the nation, India did not remain aloof in the challenges brought about by growing cyberspace. It promptly adopted the following strategies.
Legislative strategies
A. The Information Technology Act, 2000 (IT Act, 2000) and its Amendment in 2008 (IT Act, 2008): It envisages a coalition of actors where responsibilities are fixed among various stakeholders. The important sections in these Acts are:
Section 43: It makes hacking anyone’s computer or network a punishable offence. It includes manipulation of storage, the introduction of contaminants or computer viruses, denial of access, damage to any associated component of computer vision network data etc.;
Section 43A: This section was introduced via amendment in 2008 to the original act. It makes a body corporate responsible for protecting the ‘sensitive personal data’ of its stakeholders. Here central government holds the right to prescribe what ‘sensitive personal data’ means.
Section 66F: The act of cyber terrorism shall be punishable with imprisonment which can be extended to life imprisonment.
Section 72A: This section makes it a criminal offence to disclose personal data without the data subjects’ consent or in any breach of a lawful contract. Here the person performing the contract is aware that their action can likely cause wrongful loss or gain. One of the critical institutional mechanisms that arose from the IT Act of 2008 was the establishment of the Computer Emergency Response Team – India (CERT-IN), which was responsible for scanning internet traffic.
B. Draft Digital Personal Data Protection Bill 2022:
An upgrade over the withdrawn Draft Data Protection Bill, 2019, it fixes liabilities on data fiduciaries (an institution which keeps the data of users/ citizens). It also gives necessary rights to citizens, like obtaining information and seeking necessary corrections. One crucial aspect is the right to seek the erasure of data once the data’s purpose has been met. However, there is an element of differentiality in this clause’s applicability to private and specific public organisations.
C. Indian penal code (IPC):
Section 500 (defamatory emails): it attracts imprisonment up to 2 years or a fine or both. IPC under sections 463 and 383 makes email spoofing and web jacking punishable crimes, respectively. Further, sections 201, 292, 294, 409,448 and 509 can be used to govern cyber-crimes. Also, the Supreme Court’s original jurisdiction under Article 21 of the Constitution can be invoked in cyber-crimes affecting privacy.
Policy and associated strategies:
A. National Cyber Security Policy 2013:
One of the most promising aspects of this policy was the set up of the National Critical Information Infrastructure Protection Centre (NCIIPC) under the National Technical Research Organisation (NTRO). India has successfully started leveraging this institution. For example, it’s a successful warning against the Shadow Pad attack.
Another key feature of this policy was creating a talent pool of five lakh cybersecurity professionals by 2018. Further, it envisages the concept of shared responsibility for tackling social and economic issues in the form of emphasis on public-private partnerships. One of the successful initiatives has been Cyber Surakshit Bharat Initiative.
B. Cyber security and R&D:
there have been significant developments in the field of R&D, like the creation of the techno-legal National Cyber Security Database of India. Also, a Cyber Security Software Repository has been created. Further, many initiatives have been taken to advance cyber security at the individual, organisational level.
cases:
There have been certain landmark Indian cases related to the prevention of cybercrime and various interpretations related to the IT Act of 2000 and 2008, IPC. These also have implications for the evolution of the policies. These are:
Suhas Katti case: It is related to posting derogatory messages about a divorced woman. The accused was punished under section 67 of the IT Act, 2000 and section 469, 509 of IPC.
Pune City Bank case: Few Citibank employees won customers’ trust, got the pin numbers from them and transferred USD 3,50,000 to bogus accounts. Later, the accounts where the money was transferred had to be frozen.
Jogesh Kwatra case: Jogesh Kwatra, an employee of the plaintiff company, started sending defamatory, vulgar emails to his subordinates and customers worldwide. The aim was apparent- to defame the company. Finally, Delhi High Court assumed the jurisdiction in this case.
Bank NSP case: This case pertained to deception using fraudulent emails by a bank employee. The bank was held liable for this lacunae.
Delhi Public School case of MMS scandal: The CEO of the website Baazee.com was charged under sections 67 and 85 of the IT Act, 2000. The primary rationale is that his company permitted the auctioning of obscene material.
Challenges
The first and foremost challenge is determining the committed crime’s territorial jurisdiction. This challenge comes from the global nature of the internet. It was one of the significant points of contention against the Budapest Convention. Ellen S. Podgor, an expert in white-collar crimes, criminal law and adjudication, has discussed how the conflicting nature of territoriality can lead to the cyber-crimes going unpunished. First, the non-existence of geographical boundaries for the commissioning of crime; second, the existence of contradictory laws as determined across various sovereign states; third, the situation of either positive judicial claims where several countries intend to exercise jurisdiction or negative one where a single nation intends to claim the jurisdiction. An excellent example of this is the ‘Love Bug’ Case. In such situations, covering an issue within the scope of any single nation’s law becomes challenging.
Both the IT Act and the draft Data Protection Bill, 2022 assume extra-territoriality concerning cyber-crimes affecting India. But experts have argued that our earlier experiment with IT Act has not given desired results. Mrs Anita R. Deshmukh, Assistant Professor at Sri Shivaji Law College, has pleaded with respect to IT Act, 2000 that the law is supposed to deal with cyber-crime. However, the fact is that it is an act which is mainly promoting legal transactions for e-commerce.
Another challenge India has faced is with respect to implementing the IT Act. The execution has been below par in the eyes of a range of experts. Economist Lant Pritchett, in his paper titled, ‘Is India of flailing state?’ commented that in India, the head is not adequately connected to limbs via nerves and senews. The obvious corollary is that cutting-edge executors often fail to meet the spirit of the law. To the utter surprise of the Honourable Supreme Court of India, it observed in September 2022 that section 66A of the IT Act was being excessively used despite it being struck down in the Shreya Singhal case of 2015.
Further, the balance sheets of Indian companies can be another challenge in adopting solid strategies about cyber-security. The latter often suffers in the struggle between survival, profits and security investments. The same holds for good balance sheet companies as well. For example, in 2017, the data of 17 million users of Zomato was compromised.
One of the root causes behind such incidents is often the neglect of security audits. Also, regarding such leaking of data, there is a lack of reports which can confirm whether section 43A (Liability of data fiduciary) of the IT Act, 2008 was applied against Zomato.
One of the stated objectives of the National Cyber Security Policy of 2013 was to prepare 5 lakh cyber security professionals by 2018. it is unclear whether this objective was achieved. However, the need for an adequate human resource pool is a persistent challenge, as various industry bodies have repeatedly highlighted. Lawrence Arthur Bossidy, the former CEO of Allied Signal (later Honeywell), had rightly remarked, “At the end of the day, you bet on people, not strategies.”
Non-reporting of cybercrimes by companies to prevent reputational loss and protect their share value is another big challenge. This non-reporting can also operate at the level of individuals, where it is more starkly visible. Most cases of cybercrime at the individual level often go unrecognised, leave aside non-reporting. In many cases, police have also been found reluctant to register cyber crimes, given the lack of technological assistance to them.
Solutions
A range of solutions can be adopted across various levels. A few of them are:
At the individual level:
It is a common proverb within the security domain that security starts with me. A question asked is – “where is our biggest unplugged security loop?” The obvious answer is- little or no understanding of cyber security among the citizens. We, security professionals and technology partners, can attempt to provide security solutions, but they will always be adequate untill the end users productively demand them. An excellent way to start for citizens is to exercise caution by using following basic rules among many-ensuring that our computers have the latest anti-virus software. The firewall settings should be on our computers. Wild granting permissions, whenever in doubt, exercise deny option. Avoiding passwords which are in common usage. At the same time, cyber workshops can be organised at block, sub-district and district levels to increase awareness among netizens. Wider publicity can be given to these workshops using offline-online modes.
Resorting to the calling of conscience: any cybercriminal worldwide would have gone through some sort of education. At the level of India, the National Education Policy, 2020 has rightly emphasised ethical reasoning and traditional Indian values. No child can grow aloof from the societal value system, and ultimately, the education system does contribute to the shaping of societal values. Though it will be a long-term measure if we want to nip the cause in the bud, persistent efforts in this direction are needed in the education system worldwide.
At the policy level and legal level:
Organising cyber security month or cyber security pakhwada can be a good way. Dr S. Kandasamy, Associate Professor at Central University of Rajasthan, rightly points out that criminals have now changed their modus operandi. Therefore, citizens need to be updated timely via all possible means.
The import dependence on telecom equipment, a major structural impediment against cyber Surakshit Bharat, must be addressed promptly.
A range of policy responses, like the recent Performance Linked Incentive Scheme as part of the Atmanirbhar Bharat strategy, has been taken to counter import dependence on telecom equipment. Such efforts need to be sustained to bring in desired results.
Experts have argued that since it has been ten years since the last National cyber security policy, it is time to update the policy to reflect current needs and challenges. The incumbent government’s action to do away with many obsolete and archaic laws can serve as an important precedent. Following the suit, it can be instrumental if sunset clauses are given within the Laws and Policies themselves so that they can be periodically renewed in keeping with contemporary demands.
Technology is the weapon to counter the backdrops of technological evolution. Several organisations have resorted to using cryptographic techniques to ensure the security of data and communication. Can any law or policy mandate it on organisations is a debatable issue. However, organisations can definitely be nudged to adopt it wherever possible.
Likewise, the police system must be technologically upgraded proactively to ensure that citizens and organisations remain cyber-secure.
Undoubtedly, India has taken big lips since the world community has seen Budapest Convention (though India has not signed it for our genuine reasons). It also took a range of efforts. However, between 2009 and 2023, the nature and extent of cyber-crimes have changed significantly. One of the most significant changes has been brought about by cryptocurrencies and their ability to influence many crimes using the dark web. At the same time, a uniform code which comprehensively considers the Optional Protocol to the Convention on the Rights of the Child on the Sale of the Children, Child Prostitution and Child Pornography; Convention on Elimination of Discrimination Against Women, Protection of Women from Sexual Harassment Act (2013) is the need of the hour.
Ukraine’s head of cyber-security, Victor Zhora, rightly pointed out that the world needs ‘efficient legal instruments to confront cyber terrorism.’ The world needs to reach a consensus, particularly to resolve the issue of extra-territoriality in terrorist and criminal matters through cyberspace.
As the closing remark, all stakeholders concerning the cybersecurity ecosystem need to gear up and tighten their belts to tackle the upcoming issues together.
*Views expressed in the article are solely of the Author
