New cybersecurity laws need of hour
NEW DELHI, APRIL 21: The current IT Act contains a thin list that doesn’t recognise newer cyber crimes such as spoofing, phishing, smishing, web jacking, salami-slicing
Some recent incidents have indicated that India may face severe cybersecurity challenges in the near future that would necessitate the framing of a robust cybersecurity mechanism. A plethora of cases have been reported in the recent past in which people were duped of a large amount of their money by falling prey to the tactics of cyber fraud online. Such incidents took place while doing simple acts such as booking a cab online or lodging an online complaint with the bank etc.
Such incidents are not confined to individuals, even the government and business houses fall prey to cybercrimes. The recent case of a ransomware attack on health data of the All India Institute of Medical Sciences (AIIMS) and the much talked about phishing scam with the ICICI Bank when its customers reported receiving phishing emails asking for their sensitive information and directing them to a forged link, are an alarming eye-opener.
Cyber security is hindered in various ways and forms, such as cyber spoofing, phishing, vishing, smishing, ransomware, malware, password attack, denial of service attacks, crypto-jacking, and web-jacking to name a few. A recent report by the US Federal Bureau of Investigation revealed that India ranked 4th in the list of victims of cybercrimes in the world and among all types of cyber attacks, phishing is the most common sort of cyber attack. Even the Indian Government also reported the same statistics as its body Indian Computer Emergency Response Team (CERT-In), India recorded nearly 13.91 lakh cyber security incidents in the year 2022.
The impact of cyber attacks is grave. For businesses, it causes a loss of productivity, revenue and reputation, breaks customers’ trust, and they may even be fined if they failed to adhere to due diligence requirements regarding cyber-attack notifications of the government. For the government, the effects may range from loss of sensitive data to posing threat to national security. For individuals, the effect can be financial loss, personal data loss, loss of faith in government and businesses and even consequent mental trauma.
The Information Technology Act, of 2000, the main legislation dealing with cyber security issues in India, is a 23-year-old law and was introduced to provide legal recognition to transactions carried out by means of electronic data and documents and to facilitate electronic filing of documents with government agencies.
The present IT Act contains a narrow list of cybercrimes that doesn’t recognize various newer types of cybercrimes such as spoofing, phishing, smishing, web jacking, salami-slicing, etc. Moreover, those that are recognised as cybercrimes are vaguely defined, such as cyber-terrorism etc. The Act has no provisions for measures for cyber awareness and digital literacy enhancement schemes, nor does it provide for certification requirements for the assurance level of whether any of the ICT products and services is cyber-secured to be offered to the users. The only body under the Act, i.e. the CERT-In, is burdened with all the responsibilities and functioning in relation to cyber security in India. The functioning of the CERT-In is limited in scope and restricted to the collection, analysis and dissemination of information on cyber incidents, forecasting cyber incidents, coordination, issuing guidelines and cyber security.
The CERT-In must be further empowered to carry out regular monitoring of the critical infrastructure vulnerable to cyber attacks, provide for ex-post technical inquiries of incidents having a significant impact on the cyber security of the country, develop expertise in the field of cyber security in different sectors such as health, defence, agriculture, e-commerce etc. It must provide an ‘informational hub’ on its portal regarding the information on cyber security originating in India, promoting education in the field of cyber security, and also raising cyber-hygiene and digital literacy.
The existing Act has no additional due diligence requirements on the Intermediaries or entities providing ICT products and services. They are not required to comply with risk audit, security-by design, cyber threat assessment, cyber-skill capacity building in the organisation and other requirements for creating a cyber-safe environment. Along with this, presently there is a divided response mechanism in case of a cyber security incident, a whole of government response is missing, and there is no single body that is involved in cyber security incidents.
Increased digitalisation and connectivity increase cyber security risks, thus making society as a whole more vulnerable to cyber threats and exacerbating the dangers faced by individuals, including vulnerable persons and children. In order to mitigate those risks, all necessary actions need to be taken to improve cyber security in the country and for this, updated cyber security legislation is needed.
The aim for the development of advanced digital infrastructure for India would be fulfilled through the establishment of a new, enhanced, and updated regulatory framework for bolstering and safeguarding the cyber security of the nation.
(Sidharth Mishra is a Senior Assistant Professor at the Faculty of Law, University of Delhi, and Dr Bhawna Sharma is a Senior Associate at Data Privacy & Cyber Security, Advisory, PwC India)
-TNIE