The Danish philosopher Soren Kierkegaard is often credited with coining the dictum "life can only be understood backwards, but it must be lived forwards". This quote is sometimes translated into military speak as "fighting the last war" – in other words, building intelligence and capabilities to combat a threat that has already faded in its potential to do harm.
Today, this philosophy echoes throughout law-making and on-ground compliance. In India, regulations historically lag behind business innovations, and regulators find themselves playing catch-up from one crisis to the next. Indian industry and businesses also suffer from having to adhere to laws and practices that remain rooted in the past and which do not possess the requisite flexibility and nuance to be future ready.
In 2022 alone, India suffered from nearly 50 reported cases of hacking of government websites and eight data breaches. The year 2022 also saw one of the biggest data breaches, in which India's premier medical institution – the All India Institute of Medical Sciences (AIIMS) – was hit with a ransomware attack. The AIIMS servers were offline for nearly two weeks before authorities could recover data and systems went back online. The government and corporate sectors of India also find themselves playing catch-up, with ransomware attacks and data breaches becoming worryingly frequent, especially in the finance and health sectors.
Regulatory overview and gaps
Several pieces of legislation, rules and sector-specific regulations govern India's legal, regulatory and institutional framework for:
promoting maintenance of security standards;
defining cybercrimes; and
requiring incident reporting.
Under section 70-B of the Information Technology Act (IT Act), the government in 2004 established the Computer Emergency Response Team (CERT-In), a nodal agency tasked with responding to computer and cybersecurity incidents. A 2008 amendment to the IT Act saw CERT-In tasked with more cybersecurity functions, such as:
collecting and disseminating information;
implementing emergency cybersecurity measures; and
forecasting and alerts on cybersecurity incidents.
The government then brought forth the Indian Computer Emergency Response Team and Manner of Performing Functions and Duties Rules 2013, which put down the administrative structure and processes to be followed by CERT-In. These rules also put in place obligations on intermediaries and service providers to report cybersecurity incidents to CERT-In.
On 28 April 2022, the Ministry of Electronics and Information Technology notified a new set of directions relating to cyber-incident:
information security practices;
These directions were aimed at providing a safe and trusted internet, and were set out under section 70-B(6) of the IT Act. They became effective from 27 June 2022 and have had far-reaching implications for IT service providers, intermediaries, data centres and corporations.
Given the emergent threats in cyberspace, constant updating of regulatory tools is the need of the hour. However, the 2022 cybersecurity directions seem to have diluted focus; they enhance due diligence requirements applicable to certain online parties such as virtual private networks (VPNs) and revise timelines for breach reporting to six hours.
While these directions are meant to fix loopholes and lacunae in the (still very recent) safe harbour rules brought under section 79 of the IT Act, there was a sense of missed opportunity when they were released. The 2022 safe harbour rules were hardly perfect – they attracted blowback for:
being targeted primarily at large social media companies;
bringing in news and current affairs within their regulatory ambit; and
expanding the government's surveillance powers by requiring identification of users and decryption.
Indian cyber laws consequently lag behind in encouraging organisations to adopt good data security measures. They are quite selective and targeted, with limited on-ground impact. It is difficult to explain how even quite recent Indian laws are helping with data breaches, especially in respect of provisions like a six-hour breach reporting timeframe.
The regulations disproportionately emphasise the reporting of data breaches, while neglecting to offer guidance on security measures that organisations can adopt to prevent such incidents. This leaves organisations without clear mandates on essential measures like standard operating procedures (SOPs) and other preventative actions.
Indian companies usually have good IT security, as well as decent physical security measures like access cards. Where they are lacking is in writing things down (eg, having updated policies and SOPs) and in having consistent training around those policies. Employees may not be aware that there is a data breach policy in place; how many employment agreements refer to data or have a cybersecurity portion? If it is not a condition of service, how can employees be expected to follow it? Most Indian companies do not have a data breach SOP, or even a written IT security policy. So even defining a "data breach" is difficult – there is no reference point. Would a physical break-in constitute a "breach" if no computer system was compromised? If a pen drive is stolen from an employee's backpack, is that a "data breach"? Such nuances are still missing from most IT policies and documents in India.
When policies are written down, they are often not backed up with consistent enforcement. Enforcement actions should be consistent and documented, and refresher training should be provided regularly for policies to be cemented. Organisations should also have "living" documents that evolve with the times.
Cyberthreats have proliferated at unimaginable rates in the past few years. At the same time, cybercrime operations have become a lot more sophisticated and well organised, evolving to take down bigger and bigger prey. The response needed is a combined regulatory and business one; most importantly, this is a war that one cannot look to the past to fight. Given the depth of IT talent in India, enabling regulation is of the utmost importance.
The creation of regulations that move the needle for cybersecurity protections is possible. Australia has recently overhauled its cybersecurity apparatus and has even appointed a Minister for Cyber Security. Australian regulations have also extended support to businesses, in addition to merely mandating security and reporting. In certain instances, the Australian government can provide direct assistance in respect of critical infrastructure that is important to national security. Such innovative and direct approaches in regulation will help bridge the regulatory gap.
The example to follow is Indian sexual harassment laws, which require training and reporting on a consistent basis. While not perfect, these bring the subject matter of the law to a senior governance level. A law that provides a pathway to compliance is required, not just a law that punishes non-compliance.