Why India needs a Cyber Security Act: Lessons from Australia

Devansh Dubey | Cyber Security, Law

Just imagine that with one click, your most intimate secrets, financial information, and even your digital identity are exposed across the globe. That is rather chilling news, isn’t it? Yet that is our reality. In 2023, India alone faced 79 million cyber attacks, number three in the top list of phishing attacks globally. Even with the National Cyber Security Policy and the establishment of CERT-In, much remains to be done. Why should you care?

Trust and confidentiality in our interdependent world are no longer up for debate. Today, we will discuss why India needs a full-fledged Cyber Security Act to strengthen its digital infrastructure and citizens’ security while developing a strong and vibrant digital economy. This Act would promote uniformity in security standards, mandate incident reporting to incident response teams, ensure greater coordination among the interested parties, and thereby build a more robust digital society.

Australia’s Cyber Security Act: Plans for a Secure Digital Life

The Australian Cyber Security Bill seeks to establish a detailed framework to strengthen the country’s cyber defence system. It is an initiative of the newly formed Albanese Labor Government to respond to increasing cyber threats that may disrupt national security and economic stability.

1. Cyber Security Standards for Smart Devices

Mandatory cyber security standards underpin one of the key pillars of the Bill, the security of smart devices. This means that home assistants and industrial control systems must be designed with security in mind, along with regular software updates, secure default settings, and robust authentication methods. Imagine that your digital doorman is always on duty and up to date. This is in line with the developments happening in the EU in the form of the Cyber Resilience Act. The EU’s Act contains similar provisions for digital devices.

2. Ransomware Reporting Requirements

Organisations must report ransomware attacks as soon as possible. Prompt reporting allows responding organisations to act quickly and reduce the impact. As the proverb goes, the best time to call the firemen is when the smoke begins to appear. It may yet save the whole house from burning down. According to a Coveware report, early reporting not only reduces the damage caused by a ransomware attack but also helps track cyber crime activities.

3. Establishment of the Cyber Incident Review Board (CIRB)

The proposed Bill also seeks to establish the Cyber Incident Review Board (CIRB). CIRB will examine significant cyber incidents to determine what went wrong and how to avoid it in the future. This is a constantly evolving exercise, so the more we do, the better we get over time. Moreover, the Board will publish anonymised insights to improve good cyber security practices in the country.

4. Safe Harbour Provisions

The Bill features safe harbour provisions to protect organisations that report cyber incidents in good faith from legal consequences. This encourages maximum openness and cooperation. Even if mistakes are committed, reporting them serves the greater cause of general cyber security. Such provisions are indispensable for developing a culture of openness and learning within the cyber security community.

The Current State of Cyber Security in India

India has made strides in enhancing its regulatory framework on cyber security, but challenges remain.

1. Existing Framework

Apart from the rules issued under the Information Technology Act, 2000, relevant guidance usually comes from the Indian Computer Emergency Response Team (CERT-In) and the National Critical Information Infrastructure Protection Centre (NCIIPC). Sector-specific regulators such as RBI and SEBI have their own cyber security regulatory frameworks for covered entities. Meanwhile, according to ongoing news reports, the Digital Personal Data Protection Act, 2023 (“DPDP Act”) is expected to come into effect soon.

2. Recent Cyber Attacks and Their Impact

India has experienced several high-profile cyber attacks in recent years. The Air India data breach in 2021 exposed the personal information of 4.5 million passengers. The Domino’s data breach led to public disclosure of the order history of over 180 customers. More recently, the Aadhaar data breach in 2023 exposed the personal information of over 815 million citizens. These incidents have resulted in significant economic losses and operational disruptions, underscoring the need for stronger cyber security regulations.

3. Gaps in the Current Framework

Despite these efforts, gaps remain. There is a lack of standardisation across sectors, insufficient reporting mechanisms, and challenges in compliance and enforcement. Additionally, the Information Technology Act, 2000 has only seen two significant amendments since its introduction in 2000. The recently proposed Digital India Act may aim to fill these gaps by introducing more comprehensive regulations and enforcement mechanisms that align with the DPDP Act. Otherwise, the gaps remain and affected individuals and organisations will have barely any recourse to pursue.

Why does India need its own Cyber Security Act?

The frequency and sophistication of cyber attacks are increasing, and it is high time for a comprehensive law in India. A report from Rubrik Zero Labs suggests that 75% of Indian organisations reported an increase in ransomware attacks in the past year, with 96% of these incidents targeting backups specifically. Additionally, the average cost of a data breach in India is now a staggering ₹19.5 crores (~$2.2 million). These numbers reflect the increasing complexity and disruptive nature of modern cyber threats.

There is no denying that cyber attacks are growing in their impact and sophistication. To fight back against them, we need robust, streamlined mechanisms for reporting incidents. There is a need for a standard reporting mechanism instead of each sectoral regulator prescribing it in its own manner. Moreover, the consequences of security incidents in critical infrastructure such as energy, healthcare, and finance can be disastrous, impacting millions simultaneously. For instance, a cyber attack on hospital information systems could compromise the delivery of medical services and imperil patients’ lives. Beyond this, organisations should follow a minimum baseline of cyber security practices regardless of size and industry. This is where a dedicated Act can come in and fill the gap.

Potential Challenges

Implementing a comprehensive Cyber Security Act in India is a bold step towards safeguarding our digital landscape. While it comes with its own challenges, strategic planning and collaboration can pave the way for success. Complying with new regulations can be daunting for small and medium enterprises (SMEs). Streamlining compliance processes and providing support to SMEs can help mitigate these concerns. The Regulatory Compliance Portal launched by DPIIT aims to simplify and rationalise these compliances.

Another challenge is the availability of skilled resources. The shortage of skilled cyber security professionals in India is 9% higher than the global average. Government-funded training programmes and partnerships with educational institutions can bridge this gap, ensuring businesses have the expertise they need. Moreover, collaboration between the government, private sector, and international organisations is crucial. Industry consortiums can share best practices and threat intelligence, creating a united front against cyber threats. Cyber Surakshit Bharat and Cyber Swachhta Kendra are examples of collaborative efforts to enhance the country’s cyber security posture.

Conclusion

India must strive to be better placed in this fast-changing regulatory landscape of cyber security. A comprehensive Cyber Security Act modelled on international success stories would provide a much-needed framework to safeguard our digital infrastructure. Challenges are inevitable, but the benefits of enhanced security, transparency, and trust far outweigh these obstacles. And in this digital age, remember: an ounce of prevention is worth a terabyte of cure. So, patch up those vulnerabilities, encrypt your data, and do not forget that cyber security is not just a practice but a mindset. Stay proactive, and stay protected!