Ritik Agrawal

NATIONAL CYBER SECURITY POLICY, 2013 

Nisha Chakraborty

Shyambazar Law College

I. ABSTRACT

The National Cyber Security Policy, 2013 (NCSP) is the Indian government's foundational policy for securing the country's cyberspace. Presented by the Ministry of Communications and Information Technology, it aims to counter the growing threats of hacker attacks, data leakage, and infrastructure weaknesses. Its goals include popularizing the policy, enhancing indigenous innovation, and supporting institutional frameworks for the fight against cyber threats. However, the NCSP has been criticized for poor implementation of its strategies, insufficient emphasis on emerging technologies, and poor coordination among stakeholders. This legislative commentary examines the policy, its provisions, and its challenges, and shows the reader how it works in practice with reference to case law.

Keywords: Information and Communications Technology Security, Knowledge Protection, Access Infrastructure, Electronic Affordability, Cybersecurity Dangers 

II. OBJECTIVES OF THE POLICY

The NCSP, initiated by the Government of India in 2013 to enhance cybersecurity in the country, has seven key objectives. These objectives reflect greater concern for current and potential cyber threats and incidents affecting nations, companies, and people.

1. Critical Infrastructure Protection: The NCSP acknowledges that important sectors such as defense, energy, banking, health care, and telecommunications should be protected. These sectors are the primary foundation of the country's financial stability and defense. An attack on such industries can cause great losses that extend to public and private organizations. The policy calls for a strong framework to protect these sectors from cyber dangers.

2. Incident Response Mechanisms: The NCSP places special emphasis on new techniques and procedures for the timely identification of, and response to, cyber threats. Given the increase in cyber risks such as data theft, ransomware, and denial-of-service attacks, the country needs effective ways of responding to such incidents. This is where the existence of CERT-In, as well as the setting up of more specific sector-based CERTs, becomes important.

3. Capacity Building: Growing dependence on technology means that job openings for cybersecurity experts are on an increasing trend. The NCSP recognizes the need for capacity enhancement by calling for the development of educational frameworks and set certifications in cybersecurity. By training professionals and funding the development of the required skill set, India aims to close the skill deficit in cybersecurity.

4. Public Awareness: Another official goal of the NCSP is to engage communities in building an understanding of cybersecurity. Awareness campaigns are crucial for informing people about the possible dangers of specific activities in the digital world and how to avoid them. These campaigns cover general concepts, password protection, unauthorized attempts to obtain users' information, unauthorized software installation, and the need to protect data.

5. Legal and Regulatory Strengthening: The NCSP urges that India’s legal systems ‘change to meet the demands of growing cybercrimes.’ It supports laws that criminalize acts like hacking, identity theft, data breaches, and other kinds of cyber fraud. The policy also emphasizes the importance of proper legislation that will protect people’s data from cyber criminals.

6. Research and Innovation: The NCSP aims to promote new indigenous research and development in the area of computer security. It aims to support local innovation and the development of cybersecurity software to cut imports. India needs to support research to help develop cybersecurity tools that fit the country's requirements and combat cyber threats within sectors.

7. International Cooperation: Cyber risks are global in many ways, and global cooperation is essential in fighting interconnected cyber-crimes. Through the NCSP, India is called upon to engage with other countries and international organizations to share information, participate in cybersecurity training, and deal with cybersecurity-related challenges that affect the world. Cooperation in this context will encourage joint efforts in combating the increasing cyber threats in various nations.

III. COMPONENTS AND FRAMEWORK

Background

In the past 10 years, the use of digital services in India has grown significantly through online governance, digital transactions, and IoT. This sharp increase in digitization has, however, exposed India to new cyber threats. Healthcare, banking, and telecommunications organizations, along with personal data, have become the most attractive targets for cybercriminals. The NCSP was initiated as a structural measure to deal with these threats and protect Indian cyberspace.

The policy seeks to establish a professional approach to cybersecurity that covers its legal, technological, and institutional dimensions. The NCSP specifies the measures that the government, the private sector, and individuals should take to protect cyberspace. It also emphasizes capacity development, incident handling, and public education, mainly because of the dynamic and intricate nature of the cyber threat.

Scope

The scope of the NCSP is vast, encompassing a range of stakeholders across different sectors:

1. Government Institutions: A priority of the NCSP is to guarantee that government agencies work in a secure digital environment and defend the vital information of the country. This comprises safeguarding e-governance services and addressing matters of privacy such as protecting classified information and the status of websites and databases.

2. Private Sector: In India, the private sector plays a significant part in the digital economy. The NCSP has identified the need for the private sector to incorporate robust cybersecurity measures in its important business infrastructures, financial systems, and customer information. It directs that the government and private sector should work together throughout the ecosystem to keep it safe.

3. Educational Institutions: Schools and universities are key players in the nation’s cybersecurity effort. The NCSP recommends the promotion of cybersecurity research initiatives and activities that involve schools and universities. Through the contribution of educational institutions to human capital development and to cybersecurity education for users, India’s cyberspace benefits from the protection of a new generation of professionals.

4. Individual Citizens: The policy encourages users to act safely while operating in cyberspace. The main purpose of public campaigns is to inform people about existing threats and risks, e.g. phishing, malware, identity theft, and cyber fraud. By promoting responsible behaviour, the goal of decreasing the risks connected with cyber threats can be achieved.

Structure

The NCSP's structure revolves around the following core elements:

1. Policy Development: Designing policies and working structures for how best to safeguard the internet space in India.

2. Capacity Building: Establishing programs that enable the training of professionals, scale up public awareness, and enhance cybersecurity-related certification.

3. Institutional Mechanisms: Upgrading the activities and importance of agencies, including the Computer Emergency Response Team – India (CERT-In), the National Critical Information Infrastructure Protection Centre (NCIIPC), and the National Cyber Coordination Centre (NCCC), which are responsible for the regulation and supervision of cyber incidents and cybersecurity across the country as well as across various departments and industries.

4. Global Cooperation: Advising India to partner with other nations and international organizations so that it learns about best practices in cybersecurity and potential threats around the world.

IV. ANALYSIS OF THE POLICY

Best Practice Benchmark: Constitution, International Standards, and the Policy

The NCSP is based on the Indian Constitution, in particular Article 21, the Right to Life and Personal Liberty, which includes the Right to Privacy. The policy supports this constitutional provision by enhancing the protection of personal data from cyber risks. Moreover, the NCSP complies with global standards such as the Budapest Convention on Cybercrime and ISO/IEC 27001.

Key Provisions

Key provisions of the NCSP include:

1. Strengthening Institutional Capacities: The policy strongly suggests an integrated approach to handling cyber-crime through CERT-In, the central body for response to any incident with national implications.

2. Public Awareness Campaigns: Awareness of safe online practices is important given the increase in the number of cybercrimes. According to the policy, campaign programs should be conducted across the entire country on subjects such as using strong passwords and phishing.

3. Capacity Building: The NCSP highlights the imperative of competency-based training and the establishment of certification courses to produce a competent workforce to combat vulnerabilities.

4. Indigenous Development: Supporting domestic cybersecurity solutions will help India depend as little as possible on foreign technologies, which may not necessarily meet India's requirements.

5. Incident Reporting Frameworks: Prescribing ways of reporting a cybersecurity incident serves to establish that an incident occurred and that actions were taken to address the situation.

Institutional Mechanisms

The NCSP relies on a set of institutional frameworks to ensure effective cybersecurity governance:

●       CERT-In: The executive organization responsible for response to computer crime, dissemination of information, and consultation.

●       NCIIPC: Concerned with safeguarding the information infrastructure of important sectors like energy, banking, and defense.

●       NCCC: Offers real-time threat detection and information sharing among stakeholders.

●       Sectoral CERTs: These agencies concentrate on specific fields to guarantee that their security necessities are well met.

●       Public-Private Partnerships: Promote cooperation between the government and industry to share more resources and study cybersecurity threats together.

Challenges and Shortcomings

Despite the NCSP’s ambitious goals, several challenges and shortcomings persist:

1. Implementation Gaps: Cybersecurity standards and compliance mechanisms are not effectively enforced across sectors, which produces inconsistent protection levels throughout the country.

2. Workforce Deficiency: Currently, the policy is not efficient due to the scarcity of specialized talent in the field of cybersecurity.

3. Emerging Threats: The policy has not been reviewed in light of evolving threats such as AI-driven cyberattacks, quantum computing threats, and today's complex ransomware attacks.

4. Legal Weaknesses: Currently there is a lack of legal grounds that could provide efficient means to combat cybercrimes and protect personal data.

5. Limited Private Sector Involvement: Joint efforts between the public and the private sector face many obstacles, including lack of trust and lack of authoritative assignments.

6. Outdated Framework: The NCSP is over a decade old and is not aligned with the technological developments of today and tomorrow, and is thus less effective against threats now and in the future.

7. Inadequate Public Awareness: There are no large-scale, all-encompassing campaigns across the country to raise people’s awareness of cybersecurity threats.

The following section explores case studies and their lessons for practical implementation.

V. CASE STUDIES AND PRACTICAL IMPLEMENTATION 

WannaCry Ransomware Attack (2017)

The WannaCry ransomware attack in 2017[1] turned out to be one of the largest cybersecurity incidents, impacting thousands of organizations globally, including those in the health, financial, and telecommunications sectors and those of the United Kingdom. The malware encrypted the files on affected systems and demanded a ransom in cryptocurrency. India was not spared this raid, and major industries such as health and finance were paralyzed.

Impact: The WannaCry attack led to serious damage in different sectors. Records of patients could not be retrieved, and automated teller machines were out of use, whether in the bank or in service to the public. Some businesses were closed for a long time due to the disaster, which caused them to incur losses and damaged their reputation.

Lessons Learned:

1. Patch Management: The attack brought into sharp focus the importance of updating software that has security holes. Some of the attacked systems had not updated their applications, and the ransomware got in through known bugs.

2. Incident Response Protocols: The WannaCry attack emphasized the need for a good mechanism for responding to incidents. Such threats have to be easily recognizable and addressed before they endanger the system in question.

3. International Cooperation: The attack proved again that no nation can deal with cybercrimes individually; nations need global support and cooperation with the cybersecurity departments of other countries.

Aadhaar Data Breach (2018)

The Aadhaar data breach[2] is another major event on the Indian information security map. This year alone, it has been reported that several million Aadhaar card holders’ data has been stolen. The breach got the attacker access to Aadhaar information, biometric data included, which is highly sensitive.

Impact: ‘The attack was not one on specific organizations, but on the individuals using their computers, and violated the privacy rights of millions of Indian citizens.’ This created some doubts about the security of the Aadhaar system that is today used in most governmental service delivery such as welfare, income tax, and identification.

Lessons Learned:

1. Encryption and Authentication: The breach exposed the need to ensure secure data encryption, particularly for sensitive data. Biometric and other personal data must be encrypted both during storage and during transfer between the processor and other parties involved.

2. Regulatory Oversight: It also brought to light the requirement for compulsory regulatory compliance and regular verification of compliance with data protection norms.

3. Data Protection Law: The event underlined the need for substantive data protection laws in India to enhance the security of personal data against abuse by other persons.

Cosmos Bank Cyber Heist (2018)

In 2018, cybercriminals successfully attacked Cosmos Bank[3], a large Indian cooperative bank with a switching company ATM. Through malware, hackers were able to transfer ₹94 crore (approximately $13 million) through several fraudulent transactions in various countries.

Impact: The loss lay not only in the quantifiable financial damage but also in the exposure of weaknesses in India’s banking system, especially regarding aged security measures.

Lessons Learned:

1. Advanced Threat Detection: This experience pointed out the need for constant monitoring of financial institutions as well as the development of sophisticated threat identification techniques.

2. Multi-layered Security: The attack drew attention to policies for interacting with external actors, strongly encrypted communication, the presence of two firewalls, and the examination of user behavior to identify suspicious actions.

3. Global Coordination: As the money was transferred globally, the heist showed where global financial organizations and cyber security agencies could improve their cooperation. 

Cyber Security and Power System Cyber Attacks on Power Grids and their Impacts (2021)[4]

This year in March and April, a wave of cyberattacks was directed at the Indian power grid with apparent links to a state actor. Some of these attacks targeted the country’s energy infrastructure and, if executed, could have had serious repercussions on the nation’s security and social amenities.

Impact: The cyber-physical attacks on the power grids threatened to black out the electricity supply to some parts of the country, including some cities and industrial areas. Although the blow was softened, the event revealed that Indian critical infrastructures are not immune to cyber threats and that cyber threats could be dangerous for some aspects of national security.

Lessons Learned:

1. Critical Infrastructure Security: This incident exposed the cybersecurity weakness of vital infrastructure. Organizations need to invest more in protecting sectors such as energy, defense, and telecommunications.

2. Collaboration Between Government and Private Sector: Protection of strategic assets is possible only when both government bodies and businesses take part in introducing effective protection measures.

3. Incident Response and Recovery: Effective response to cyber threats affecting core infrastructures requires an organized handling procedure and a common action plan that includes quick recovery approaches.

VI. JUDICIAL INSIGHTS

Some legal decisions concerning cybersecurity and privacy in India have shed light on how law can, to some extent, help in understanding technology. Two key rulings are:

  1. Justice K.S. Puttaswamy (Retd.) v. Union of India (2017)[5]: In Puttaswamy's case, the right to privacy was held to be a fundamental right under the Constitution of India. This ruling has had far-reaching consequences for cybersecurity, as it affirmed the protection of personal data from unauthorized access and cyber criminals.

  2. Shreya Singhal v. Union of India (2015)[6]: This historic Supreme Court ruling concerned Section 66A of the Information Technology Act, 2000. It underlined the necessity of protecting fundamental human rights and freedoms, including freedom of speech, alongside cybersecurity measures. The case created a benchmark for how India needs to respect freedom of internet use while formulating laws to address undesirable behaviors.

VII. CONCLUSION

The National Cyber Security Policy (NCSP) approved in February 2013 put in place a critical architecture for responding to an evolving digital threat landscape in India, touching upon critical information infrastructure protection (CIIP), incident management, capacity development, and cross-border collaboration. However, constant changes in the technological environment, mainly attributed to AI innovation, quantum computing, and blockchain, require frequent updates to protect against new attacks, including those waged by AI, ransomware, and quantum attacks. Challenges such as low private sector participation, poor public awareness, and an inadequate supply of skilled workers likewise call for policy changes. Prevention in the future will therefore require raising awareness among the people of India, changing legislation to provide data protection, developing penalties for cyber-crimes, and international cooperation. Various adjustments to the NCSP are needed to guarantee an effective and safeguarded digital environment for essential infrastructure and for individuals’ confidentiality.

REFERENCES

  1. National Cyber Security Policy, 2013

  2. Constitution of India, 1950

[1] "WannaCry Ransomware: Who It Affected and Why It Matters." 19 May. 2017, https://developers.redhat.com/blog/2017/05/19/wannacry-ransomware-who-it-affected-and-why-it-matters.

[5] "Justice K.S. Puttaswamy (Retd.) vs Union Of India on 26 September, 2018." https://indiankanoon.org/doc/127517806/.

[6] "Shreya Singhal vs U.O.I on 24 March, 2015 - Indian Kanoon." 24 Mar. 2015, https://indiankanoon.org/doc/110813550/.

 
