The growth and use of information technology in India over the last decade has been explosive. Content delivered via mobile phones now has the power to direct almost every human decision, from clothing choices to political preferences and even the very directions we follow in our daily lives (quite literally). Businesses are evolving to embrace digital or hybrid models, and governance itself is going online. Studies show that the number of Indians with access to the internet is increasing exponentially; the infographic[i] below sets out several key indicators on India’s increasing dependence on the internet:
The result is that an immense amount of personal data has been left all over the internet by users, in the custody of private entities and the State. This represents a grave threat to the privacy, security and freedom of individuals, particularly in instances where the custodians of such data do not have adequate cyber security measures in place. This article examines the urgent necessity of a cyber security assurance framework in India, to be prepared and enforced by the Union Government.
State of Cyber Security in India
The regulatory framework pertaining to cyber security in India leaves much to be desired. To begin with, the Information Technology Act, 2000 (“Act”) and the Rules[1] thereunder require any entity dealing with sensitive personal information (“SPI”) to implement and maintain reasonable security practices, without specifying exactly what such practices should be, apart from the stipulation that such security practices should be “commensurate with the information assets being protected with the nature of business”[2]. Such leeway in the adoption of standards has a negative effect, as there is no minimum standard applicable and most entities fail to implement basic protections. Further, a reference is made to the adequacy of the IS/ISO/IEC-27001 and standards of a similar nature[3]. Not only is this a highly utopian recommendation, as most small enterprises (the world over) find the IS/ISO/IEC-27001 expensive, complex, and requiring substantial financial and human resources to maintain[4], but a majority of Indian enterprises choose to ignore these standards with little consequence.
Moreover, the National Cyber Security Policy, 2013 (“NCS Policy”), which mandates the creation of a nationally applicable cyber assurance framework and contains several far-reaching recommendations, remains a largely unimplemented document[5]. While certain industries have seen regulators stepping up to prescribe necessary guidelines and policies, such as the Reserve Bank of India (“RBI”)[6] and the Insurance Regulatory and Development Authority of India (“IRDA”)[7], a vast majority of government agencies and departments remain without basic cyber security protocols in place. The efforts of the National e-Governance Division (“NeGD”) in formulating a security assurance framework to help the States assess the security risk to their critical assets and put appropriate controls in place[8] have had no visible results to date.
Urgency for Reforms
In 2015, the National Security Advisor to the Indian Government highlighted adequate cyber security as one of the biggest national challenges that we currently face[9]. A study commissioned by the Delhi High Court and conducted by Symantec indicated that incidents of cyber-crime cost India over US$4 Billion between August 2012 and July 2013[10]. Such instances, involving leakage, hacking and the inadvertent exposure of private data, are numerous. The problem is particularly egregious at the State level, given the amount of SPI collected on behalf of the Aadhaar project. Government agencies are routinely guilty of leaking the Aadhaar data of citizens: for instance, in May 2017 it was discovered that four government departments using the Aadhaar pipeline exposed the sensitive personal information of over 135 million Aadhaar holders on their portals[11], and in April 2017, a programming error on the website of the Jharkhand Directorate of Social Security made the Aadhaar numbers of lakhs of pensioners available to the public[12].
In the present context, where privacy has been unequivocally confirmed as a fundamental right[13], there is a constitutional duty on the State to ensure cyber security with regard to the personal information of citizens in its keep. It is thus imperative that the Government fosters a culture of adequate investment in cyber security, and the simplest way to do that is to prescribe a cyber security assurance framework that meets the minimum criteria of cyber hygiene.
An India Specific Cyber Security Assurance Framework
The objective of an India Specific Cyber Security Assurance Framework (“ICSAF”) would be to create a basic set of rules and guidelines that must be mandatorily implemented by any entity dealing with SPI. Note that the ICSAF is not intended as a silver bullet solution, wherein implementation of the recommendations and achievement of certification will guarantee protection against all kinds of cyber-attacks. Rather than protecting against focused and advanced cyber threats, the ICSAF would act as an essential baseline against common cyber threats that form the bulk of all attack-related incidents[14]. The implementation of such a blanket of basic protection would drastically raise the overall level of cyber security preparedness in the country. The infographic[15] below illustrates the level of protection intended by the ICSAF vis-à-vis additional security measures that organisations could invest in for end-to-end protection (that might be necessitated by the nature of their industry):
There are four primary principles that the ICSAF must adhere to:
A. That the framework is mandatory for any entity dealing with SPI. Industry regulators are free to prescribe higher standards;
B. That the framework is developed in consultation with the private sector stakeholders;
C. That the adoption of the framework is cost-effective, the implementation is quick and efficient, and that certification is free; and
D. That the framework is flexible enough to accommodate the dynamic nature of the internet[16].
Amongst these, the most important in the Indian context is for the ICSAF to be simple and inexpensive enough to be implemented by any organization irrespective of size. There are numerous international parallels in this context, wherein a nationally accepted and legitimized cyber assurance framework has been formulated by the State with the co-operation of the private sector, and thereafter mandated across the board for entities dealing with sensitive personal information, so as to maximize the preparedness of their critical infrastructure for cyber-attacks. These include the “Cyber Essentials” scheme of the United Kingdom[17], and the “Cyber security Framework” of the United States[18].
Nationally Recognised Assurance Mark:
Another important feature of the ICSAF would be a nationally identifiable mark (“Assurance Mark”) to indicate certification under the ICSAF and compliance with the specified security measures. This Assurance Mark would denote a degree of trust to consumers unsure of whether an organization has implemented sufficient cyber security measures to ensure that their sensitive personal data is protected, thereby allowing the public to distinguish between organisations that have implemented the specific security measures and those that haven’t.
The Assurance Mark would have tremendous relevance in the present context, where customer faith in online businesses has severely deteriorated on account of poor security and frequent cyber-attacks. Currently, many consumers avoid transacting with lesser-known and newer entrants in the e-commerce space on account of security concerns. The availability of an achievable certification popularized through a recognizable mark would not only provide the means of conveying trust, but also ensure a level playing field for small businesses across the e-commerce sector[19].
Certification and Auditing:
As discussed above, the specific features of the ICSAF, and the mechanics of certification and auditing, should be decided through an open process involving. The ideal case scenario would be one where the certification and audit of compliance with the ICSAF is automated. This would ensure that costs and instances of fraud could be kept low. However, this depends entirely on the specific measures recommended in the ICSAF, and the investment made by the Indian Government in the compliance and verification mechanisms.
It is unlikely, going by the experience of other countries, that the implementation of the ICSAF would prevent cyber-attacks from occurring. However, inadvertent instances of leakage of SPI would be greatly reduced, and the privacy of citizens would be better protected. In the age of the Aadhaar, where mass surveillance and profiling of individuals is being made possible by the large-scale collection of SPI, the introduction of the ICSAF would be a step in the right direction.
1. Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“RSP Rules”).
2. Rule 8(1) of the RSP Rules.
3. See Rule 8(2) of the RSP Rules. Reference is made to IS/ISO/IEC-27001-2013: “Information Technology – Security Techniques – Information Security Management System”, available here.
4. See “Government Response – Call for Evidence on a preferred standard in Cyber Security”, Dept. for Business Innovation and Skills, Govt. of UK, November 2013, available here.
5. National Cyber Security Policy 2013, released in July 2013, available here.
6. “Cyber Security Framework in Banks”, Reserve Bank of India Notification, June 2, 2016, available here.
7. S. Sinha, “Irda issues cyber security norms of insurers”, The Economic Times, April 10, 2017, available here.
8. Details available on the NeGD website, available here.
9. Speech by Ajit Doval at the Sardar Vallabhbhai Patel National Academy in 2015, “Internal Security Will be a Big Challenge for India: Ajit Doval”, NDTV, October 31, 2015, available here.
10. “Cyber Frauds cost India $4 billion”, The Hindu, October 23, 2013, available here.
11. A. Sinha, S. Kodali, “Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar Numbers with sensitive personal financial information”, Centre for Internet and Society Report, May 16, 2017, available here.
12. “Aadhaar data leak in Jharkhand raises doubts, again: Here are the details”, Business Standard, April 23, 2017, available here.
13. Justice K.S. Puttaswamy v. Union of India,
14. This is the underlying objective of the UK’s Cyber Essentials Scheme (“CES”) program as well. Refer to the documentation pertaining to the CES, available here.
15. For the rationale behind a mandatory baseline of cyber security controls, refer to: AFCEA Intl. Cyber Committee, “The Economics of Cyber Security”, October 2013 White Paper Series, available here.
16. There are several arguments for not having Government involvement in the regulation of cyber security, the primary one being that companies will focus primarily on meeting government mandated standards rather than focusing on new threats brought about by the dynamic nature of the internet. See: U.S. Chamber of Commerce. “Cyber security: More Government Regulation?” (2012), available here:
17. Refer to the “Cyber Essentials” scheme developed by the Government of the United Kingdom, available here.
18. Refer to the “Cyber security Framework” developed by the National Institute of Standards and Training in the United States, available here.
19. The ‘Cyber Essentials’ mark popularized by the UK Government is an example of such certification that helps small businesses build trust and allay the fears of potential clientele.
i. Adapted to the Indian context from the infographic on the cyberspace landscape of Australia, available here. Data sourced from IAMAI research reports.