Introductory: Indian Legislative Landscape on Critical Information Systems
In the wake of the COVID-19 pandemic, technology and digitization oiled the wheels of the global economy with swift responses such as work from home and remote learning. However, the critical infrastructure sector was the talking point amongst policy and law makers as the former market witnessed a staggering rise in cyber-attacks. Critical infrastructure mainly constitutes systems or assets quintessential for the functioning of an organization or a country, and includes the healthcare, transportation, and energy sectors, among others. Several countries such as the United States of America and China have revisited their respective cybersecurity policies and legislations to abate a rising cyber-pandemic. At present, India does not have dedicated cybersecurity legislation, nor have there been any revisions to the Indian National Cybersecurity Policy rolled out in 2013. As a response to the Supreme Court’s verdict on the recognition of privacy as a fundamental right in the landmark case of Justice K.S Puttaswamy v. Union of India, the Personal Data Protection Bill, 2019 (“PDP Bill”) was drafted.
The final draft of the Personal Data Protection Bill, 2019, which has been in the making for nearly two years under the aegis of the Joint Parliamentary Committee, was finally tabled before the two Houses of the Parliament in December 2021. The PDP Bill, however, does not expressly address the protection of critical information systems. The lackadaisical approach of the Indian government toward securing protections against critical infrastructure has prompted efforts to formulate a National Cybersecurity Strategy, which is set to be released in 2022.
Within the Indian legislative landscape, the Information Technology Act (“IT Act”) enacted in 2000, defines a critical infrastructure system to mean “any computer resource, the destruction or infiltration of which can have debilitating effects on national security, economy, public health and safety” under Section 70. The IT Act has further enshrined within it the term “protected system,” which includes facilities of critical infrastructure systems. Additionally, the Indian government has further established the National Critical Information Infrastructure Protection Centre (“NCIIPC”) under the IT Act, as a means to govern and respond to attacks against critical infrastructure systems. Apart from the IT Act, India has also enforced supplementary rules such as the Information Technology (“Information Security Practices and Procedure for Protected System”) Rules, 2018 to address cyber-related incidents against facilities of critical infrastructure.
The Indian government boasts of the establishment of several technical cybersecurity agencies and response teams, including the National Security Council Secretariat and the National Technical Research Organization, among other agencies. Regardless of the presence of the foregoing agencies, a record of “over 6.07 lakh cybersecurity incidents” were reported in the first six months of 2021 by the Computer Emergency Response Team (“CERT- In”), the nation’s nodal agency that manages and controls cybersecurity responses.
In July 2021, it was alleged that the email account of the secretary of the Indian Ministry of Electronics and Information Technology (“MeitY”), along with the accounts of several Indian government officials, had been compromised. In the same year, India witnessed cyber-attacks against the nation’s primary cybersecurity agencies including the Indian Cybercrime Co-ordination Centre, affiliated with the Indian Ministry of Home Affairs, and spear-phishing attacks through “compromised government domain email IDs” against the Indian Ministry of Defence and External Affairs. Indubitably, the aforesaid series of cyber-attacks presents the grave seriousness on the issue of inadequate protection and defense crisis management at the national level. The malicious use of Information Communication Technology (“ICTs”), as stated before, will have all the more catastrophic effects against critical infrastructure as identified by the NCIIPC which includes the finance, energy, transportation, government, strategic and public enterprises as well as the telecom sector. Surprisingly, the health-care sector is not identified as a critical system by the NCIIPC. The final draft of the PDP Bill categorically fails to acknowledge the regulation and security of data gathered from critical information infrastructure. The United States of America, China, Australia, and the European Union have dedicated legislation dealing with the cybersecurity of critical infrastructure. The advent and rollout of 5G technology in Indian cyberspace warrants the urgent need to adopt a specialized law on cybersecurity. While India is witnessing the mushrooming of rules propagating the use of technology, the Parliament has not undertaken equal efforts for the defense and protection of critical infrastructure developed on technology.
A Clarion Call: Indian Cybersecurity Legislation
At present, India does not have legislation dedicated to cybersecurity. Therefore, it becomes a pressing priority for the government to formulate and release revised and well-devised cybersecurity law to tackle the unprecedented cyber-attacks on India’s critical infrastructure and cyberspace. Rapid advancements within the ICT ecosystem necessitate the adoption of confidence-building measures to specifically address cybersecurity concerns. The foregoing stands true in light of countries taking sovereignty over cyberspace, which has become the new normal. Sovereignty permits states to have exclusive control over their territory and self-determination of foreign policy. Sovereignty over cyberspace is when states exercise complete control over its cyberspace for the primary reason of abating wrongful intervention and attacks against its cyber infrastructure. However, the practice of “cyber sovereignty” has evolved to adversely affect cross-border flows of data, internet regulation, the digital ecosystem, and civil rights. China serves as a prime example of extreme cyber sovereignty due to presence of a stringent data localization and internet law, which is colloquially referred to as “The Great Firewall.”
On June 29, 2020, India banned nearly 59 Chinese phone applications “citing to concerns of data security and national sovereignty.” The foregoing decision was made in the wake of clashes between the Indian and Chinese armed forces at the India-China border in Ladakh. India’s interest in possessing sovereignty over its cyberspace can be further illustrated by the recent data localization norms on specific categories of data, such as payment systems data localization norms issued by the Reserve Bank of India. The intent of the Indian government to regulate Indian cyberspace is limpid from the presence of provisions within the PDP Bill which warrant a strict data localization regime. The inclusion of such data localization provisions implies increased accountability and capacity-building measures by the government towards the end goal of regulating cyberspace.
Applicability of International Law in Cyberspace
The principle of sovereignty is rooted in international law, therefore the primary rules of international law are to be made applicable in cyberspace by countries. The principle of sovereignty under international law has both internal and external dimensions. Under the internal dimension, nations are accorded equality concerning their rights and duties with other nations. As per the external dimensions, states are to exercise “supreme authority over all things and persons,” including the right to formulate their foreign policy. Sovereignty over cyberspace requires the state to responsibly and reasonably take decisions that shall not deprive its citizens of the opportunity of free, open, and secure internet. The Indian government is optimistic about the newly revised Indian National Cybersecurity Strategy, which is expected to be rolled out in 2022, as it aims to counter cybersecurity issues through an action-oriented plan rather than a policy.
Scrutinizing India’s Approach towards Policymaking in the Field of Cybersecurity
(i) Council of Europe Convention on Cybercrime
While India has been proactive in countering cybersecurity issues through its National Cyber Security Policy, national projects, and administrative measures, steps have not been taken to engage with other national stakeholders at the international fora. To illustrate, the Council of Europe Convention on Cybercrime (“Budapest Convention”), is an international treaty that focuses on the idea of fighting cybercrime through international cooperation. The primary objectives of the Budapest Convention are to ensure that states have harmonized national laws against cybercrime, enhanced cooperation, and procedural tools concerning the transnational investigation of cybercrimes. India, however, is not a member of the Budapest Convention. One speculated reason is that India did not participate during the drafting of the text. Additionally, India has justified its non-participation in the Budapest Convention based on Art.32(b) of the text, which requires the transborder access of data. India argues that the mandatory compulsion of transborder access of the data of Indian nationals comes at the cost of national security. In light of the PDP Bill, and several debates on the prospect of stricter data localization norms, India should reconsider its non-participation in the Budapest Convention, as its benefits outweigh the cons in the digital era, particularly with the introduction of the Digital India Mission (a flagship government program aiming to foster a “digitally empowered society and knowledge economy”). For instance, the Budapest Convention provides for efficient international cooperation and procedural tools for the investigation of cybercrimes, and it permits for dual criminality. Threats against critical infrastructure systems can be addressed through the Budapest Convention and can further bolster India’s cybersecurity strategy to target the extra-jurisdictional nature of cyber-crimes underpinned with international collaboration. Furthermore, the supplementary advantages of joining the Budapest Convention includes minimal lag time between incident response and information gathering of electronic evidence, therefore expediting the mechanism for international criminal law procedure. As the world inches towards the adoption of digital supply chains, it is highly important to expand the roles of cybersecurity and critical infrastructure strategies through international cooperation, as international law will serve as a benchmark in the global culture of cybersecurity. Imbibing international law in cyberspace will further ensure the application of the UN Charter in the event of human rights violations or cyberwar conflicts arising between states.
(ii) Tallinn Manual 2.0
Reliance can also be placed upon the Tallinn Manual 2.0, an influential manual that addresses the applicability of international law to cyber operations. This manual will enable India to combat malevolent cyber-attacks, particularly against its critical infrastructure. In the absence of a specialized law on cybersecurity, India can benefit from the existing international law framework to fill in the extant legal vacuum. Industry experts have recommended that the Indian government establish a central apex cybersecurity body similar to the Cybersecurity and Infrastructure Security Agency (“CISA”) in the United States or the Cybersecurity Agency (“CSA”) in Singapore. The establishment of a national cyber command center will ensure the growth of capacity-building measures to combat cybersecurity threats.
National Data Localization Measures
India’s pro-data localization policies could impede sharing of ICT vulnerabilities between nations and undermine efforts to combat cybersecurity at an international level. Data- localization measures could lead to privacy issues on account of potential back door access by the government and corresponding unchecked state surveillance under the garb of such policies. Another unfavorable consequence arising from data localization is the likelihood of trade barriers on organizations, whose core business models concentrate on the cross-border flow of data.
Cybersecurity Framework for a Critical Infrastructure System in India & Addressing Anomalies in the Indian Policymaking Space
The sharp rise of cybersecurity attacks, underpinned by inadequate and ineffective government policies, mandates concerted efforts by the government towards addressing the loopholes in policymaking. The formulation of cybersecurity legislation will provide advantages such as maintaining the integrity of the digital supply chain in technology. This is critical in the wake of rising cybersecurity attacks against critical information systems such as electrical grids, the telecom sector, and the energy sector since the shift to the virtual space due to the COVID-19 pandemic. The formulation of dedicated cybersecurity legislation, or a revised national cyber security policy in 2022, should incorporate mandatory annual risk assessments of identified critical infrastructure. Additionally, the establishment of a security protection department for each identified critical information system, and setting up a central nodal agency on cybersecurity, will strengthen cyber resilience within the country. The adoption of international best practices, including ensuring India’s participation in the Budapest Convention or inclusion of practices present in the Tallinn Manual 2.0, can serve as a blueprint to create a secure policy and statutory environment for Indian cyberspace. The rollout of 5G presents itself as a litmus test, as it is one of the primary objectives under the Digital India Mission, Currently, the distressed Indian telecom sector is a critical infrastructure system that has also seen recent reforms, and this sector ought to be categorically addressed in India’s revised cyber-security policy to ensure continuous sustainability. Moreover, India is engaging with inter-governmental organizations such as the International Telecommunication Union (“ITU”) by conducting cyber drills to protect critical infrastructure systems. India participated in the Sydney Dialogue in 2021, an annual summit on cyber and critical technologies that discussed the nation’s development on the cyber technologies front. While India recently ranked tenth in the ITU Cybersecurity Index, research conducted by Microsoft in the field of technical support scams revealed that cyber-fraudsters duped seven out of ten Indian consumers. The Microsoft research report stands in stark contrast to India’s top rank in cybersecurity by the ITU. To eliminate such contrasting reports, the nation must develop and formulate regulations specifically catered towards facilities and systems of critical infrastructure. Countries such as China have recently issued regulations on critical infrastructure security protection touted to provide a secure protection enforcement regime for critical infrastructure systems. In view of several other countries adopting measures to protect their critical infrastructure, it is paramount for India to take strides by developing a dedicated statutory framework for its critical information infrastructure to accommodate the evolving nature of cyberspace and defend the same against advancing cyber-threats.
Karen Aloysia Barreto is a final year law student majoring in intellectual property law at NMIMS University’s Kirit P. Mehta School of Law, Mumbai, India. The views expressed herein are personal. Karen takes a keen interest in the field of TMT, data protection, technology law, media & entertainment law and public policy. She currently serves as a volunteer for All Tech is Human, a New York based think-tank which is focused on diversifying the tech pipeline and building a better future.