Why are Regulatory Framework, Institutional Mechanisms important in Cyber Security?
In first part of this blog, fundamentals of cybersecurity, evolving landscape of cyberspace, key challenges, major actors & Indian government initiatives to bolster cybersecurity were discussed. However as cyber threats continue to evolve need for robust regulatory frameworks, institutional mechanisms & alignment with global best practices becomes even more critical.
In this second part, we focus on regulatory landscape and institutional Frameworks for Cybersecurity in India, mention challenges & comment on global best practices.
For UPSC aspirants understanding of cybersecurity regulations & frameworks is essential for tackling governance, security & technology related questions in UPSC exam. APTI PLUS UPSC Coaching in Kolkata through its meticulously curated study material & expert guidance equips aspirants with knowledge needed to excel in such topics & develop strategic approach to cybersecurity issues in India.
Draft Information Technology (Intermediary Guidelines (Amendment) Rules), 2018
Intermediary Guidelines Rules, 2011 were formulated under Section 79(2) of Information Technology (IT) Act, 2000, to outline due diligence requirements for intermediaries such as internet service providers, telecom operators & online marketplaces. These rules provided intermediaries with exemption from liability for third party content hosted on their platforms.
Features of the 2018 Draft Rules
Prohibition on hosting content that threatens public health or safety in addition to existing restrictions (e.g. obscene content).
Intermediaries must provide assistance to government agencies within 72 hours of receiving request.
Platforms must enable tracing of originator of information to curb spread of fake news & cybercrimes.
Intermediaries are required to deploy AI driven automated tools to identify & remove unlawful content.
Platforms with more than 50 lakh users must set up registered company in India for better regulatory oversight.
Issues & Analysis
Restriction on content affecting public health or safety may infringe upon Article 19(1) of the Constitution which guarantees freedom of speech.
The requirement to deploy AI-driven moderation tools might conflict with a recent Supreme Court judgment which emphasized importance of human oversight in content regulation.
The draft rules do not clarify how the 50 lakh-user threshold will be calculated making compliance difficult for digital platforms.
National Digital Communication Policy (NDCP), 2018
Recognizing rapid growth of digital technologies Government of India unveiled NDCP-2018 to replace National Telecom Policy, 2012.
Objectives
Attract USD 100 billion in investments.
Generate 4 million jobs in the digital communications sector by 2022.
Three Pillars
Connect India
Strengthen digital communications infrastructure to ensure seamless connectivity nationwide.
Propel India
Foster next generation technologies, innovation, IPR generation to drive India digital revolution.
Secure India
Establish robust framework for sovereignty, safety, security of digital communications ensuring protection against cyber threats.
Cyber Resilience & Digital Payment Security Guidelines
| Aspect | RBI’s Draft Directions on Cyber Resilience and Master Digital Payment Security Controls | CERT-In Guidelines on Information Security Practices for Government Entities | SEBI Proposed Cybersecurity Framework for Regulated Entities (REs) |
| Coverage | Applies to authorized non-bank Payment System Operators (PSOs) | Applies to all Ministries, Departments, and Offices specified in the First Schedule to the Government of India | Applies to all SEBI-regulated entities (REs) |
| Aim | Ensure PSOs are resilient to traditional and emerging cybersecurity risks | Provide a common structure for multiple approaches to cybersecurity to prevent cyber risks/ incidents | Establish robust cybersecurity protocols in SEBI-regulated entities (REs) |
| Responsibility | Board of PSOs responsible for ensuring adequate oversight over cybersecurity risks | Under powers conferred by section 70B of the Information Technology Act, 2000 | REs must implement five concurrent and continuous cybersecurity functions |
| Cybersecurity Functions | Includes: Identify, Protect, Detect, Respond, Recover | NIST-defined functions for cybersecurity: Identify, Protect, Detect, Respond, Recover | Framework based on five continuous cybersecurity functions: Identify, Protect, Detect, Respond, Recover |
| Cybersecurity Audits | Mandatory cybersecurity audits every six months | Mandatory reporting of security breaches within six hours of being noticed | REs must conduct regular cybersecurity audits every six months |
| Cybersecurity Plan | PSOs must formulate a comprehensive Cyber Crisis Management Plan (CCMP) | No specific CCMP mentioned but focuses on incident response and security breach reporting | REs must formulate an up-to-date Cyber Crisis Management Plan (CCMP) |
| Employee Management | Employees must be logged out after 15 minutes of inactivity | Not explicitly mentioned | Employees to be logged out after 15 minutes of inactivity |
| Access Management | Admin access to the system must be approved by the chief information security officer | Not explicitly mentioned | Admin access to the system must be approved by the chief information security officer |
| Incident Management | PSOs must have a comprehensive incident response management plan and Standard Operating Procedures (SOPs) | Focuses on incident response and security breach reporting within 6 hours | REs must have an incident response management plan and respective Standard Operating Procedures (SOPs) |
| Reporting of Breaches | Security breaches must be reported within six hours of discovery | Security breaches must be reported within six hours of discovery | REs must have procedures for reporting security breaches in line with best practices |
APTI PLUS Best Coaching for UPSC through such insights tries to apprise IAS aspirants on its importance & prepare for UPSC exam.
Institutional Framework for Cybersecurity in India
| Institution | Description |
| National Cybersecurity Coordination Centre | It is the national cyberspace intelligence agency under CERT In. It screens communications metadata to detect real time cyber threats and coordinates with law enforcement agencies for intelligence gathering. It aims to strengthen the country’s cybersecurity posture but concerns have been raised regarding privacy and civil liberties. |
| India’s Computer Emergency Response Team (CERT-In) | Mandated under the IT Amendment Act, 2008, CERT-In serves as the national agency responsible for cyber security in India. Its mission is to enhance the security of Communications and Information Infrastructure through proactive actions and effective collaboration. It also includes CERT-Fin to address threats in the financial sector. |
| National Critical Information Infrastructure Protection Centre | The NCIIPC is designated as the national nodal agency responsible for protecting critical information infrastructure in India. It focuses on identifying critical information infrastructure elements and developing cooperation strategies for their protection. CII includes sectors like power, banking, healthcare and government services. |
| Indian Cyber-Crime Coordination Centre (I4C) | Established under the Ministry of Home Affairs (MHA), I4C is responsible for coordinating efforts against cybercrime, including threats like child pornography and online stalking. It also manages the National Counter Ransomware Taskforce to combat ransomware incidents. |
| Cyber Swachchta Kendra (CSK) | Launched under the Digital India initiative, CSK is dedicated to cleaning botnets and analyzing malware. It provides tools to prevent cyberattacks, including M Kavach (anti-virus for smartphones), USB Pratirodh (USB protector), AppSamvid (desktop whitelisting), and Browser JSGuard (blocks malicious web content). |
| Digital Army Programme | A dedicated cloud to digitize and automate processes, procedures and services for the Indian Army launched as part of Digital India similar to the Meghraj initiative for national cloud services. |
| State Government Initiatives | Telangana: Established a Cybersecurity Center of Excellence (CCoE) with DSCI. Kerala: Cyberdome, a Center of Excellence for Kerala Police, aims to address long-term security challenges in the digital space. Maharashtra: Launched the ‘Cyber Safe Women’ initiative to raise awareness about cyber safety. |
| TechSagar Platform | Launched by the National Cyber Security Coordinator’s office in partnership with the Data Security Council of India, TechSagar is an online portal providing insights into the capabilities of Indian industry, academia, and research in various technology areas like IoT and AI. |
| Bharat NCX (National Cyber Security Incident Response Exercise) | An exercise aimed at training senior management and technical personnel of government and critical sectors on contemporary cyber threats, handling incidents, and response. It is conducted by the National Security Council Secretariat (NSCS) since 2022. |
| Training of Information Security Personnel | Under the Information Security Education and Awareness Project (ISEA), 1.14 lakh people are being trained through 52 institutions to raise awareness and provide research, education, and training in information security. |
APTI PLUS UPSC Coaching in Bhubaneshwar provides comprehensive guidance & strategic insights helping IAS aspirants navigate complex topics like cybersecurity ensuring they are well prepared for evolving demands of civil services exam.
Gaps in Cybersecurity in India
| Category | Key Challenges |
| Structural | Rapid sector growth outpacing security architecture development.
Internet’s design for openness rather than security and unauthorized access prevention. Slow adaptation of security to the rapid proliferation of technology. |
| Administrative | Absence of best practices and statutory backing for cybersecurity protocols.
Security audits lack periodicity and international standards adherence. Lack of measures to protect critical information infrastructure. National Cyber Security Coordinator (2014) lacks state-level liaison officers. |
| Human Resource Related | Severe under-staffing of CERT-In. |
| Procedural | Public apathy and ignorance towards cybersecurity issues.
Insufficient cybersecurity research and development in academia. Local police lack awareness of IT Act, 2000, and IPC provisions for cybercrimes. Push for cashless transactions without adequate device and transaction security knowledge, increasing vulnerability. Smart city infrastructure dependent on IT, generating vast amounts of citizen data, with inadequate protection under current laws. |
Global Cybersecurity Initiatives
| Initiative | Description | Key Focus Areas | Challenges | Geographical Scope | Established By |
| Budapest Convention | The only multilateral treaty on cybersecurity addressing Internet and computer crimes. | Harmonizing national laws
Enhancing investigative powers International cooperation on cybercrime |
Developing countries including India have not signed citing lack of consultation and US-led drafting. | Global (except for some developing countries) | Council of Europe (1997) |
| Ground Zero Summit | Asia’s largest collaborative platform for cybersecurity experts and researchers to discuss emerging challenges and showcase tech. | Cybersecurity challenges
Cutting-edge cybersecurity technologies Public-private sector collaborations |
Limited to Asia and not yet global Need for increased participation from other regions |
Asia (with an emphasis on India) | Indian Infosec Consortium (IIC) |
| ICANN | A global, non-profit organization managing domain names, IP addresses and autonomous system numbers on the Internet. | Internet governance
Management of domain name systems International community-driven governance |
Some countries challenge the U.S. influence despite its global role Ensuring equal global participation |
Global | U.S. Government (now independent) |
| OECD Cybersecurity Strategy | A strategy aimed at improving global cooperation and sharing best practices on cybersecurity. | International collaboration Policy development Cybercrime and cyberattack prevention |
Gaps in implementation across different nations
Lack of uniform cybersecurity policy adoption |
Global | Organisation for Economic Co-operation and Development (OECD) |
| APEC Cybersecurity Initiative | A regional initiative by Asia-Pacific Economic Cooperation to enhance regional cybersecurity cooperation. | Cybersecurity best practices
Regional capacity building Cybercrime prevention and response |
Limited to APEC member countries Variations in national policies and enforcement |
Asia-Pacific Region (APEC members) | Asia-Pacific Economic Cooperation (APEC) |
| Global Forum on Cybersecurity (GFCS) | A global platform for dialogue on tackling cybersecurity challenges and threats in the digital space. | Promoting cybersecurity awareness
Strengthening international cooperation |
Challenge in aligning interests of various stakeholders (government, private sector, etc.) | Global | International Telecommunication Union (ITU) |
World Economic Forum Framework with Deloitte
Conclusion
Cybersecurity is critical aspect of our increasingly digital world requiring robust measures to protect sensitive data, systems & infrastructures from various threats.
For more such articles on important topics for UPSC, please visit Resources at APTI PLUS
Practice Questions
- How can India balance cybersecurity regulations like IT Rules, 2018 with fostering digital economy?
- Does traceability of online content under IT regulations compromise free speech & privacy? Critically examine.
- Analyze cyber threats to India smart cities & financial systems. Suggest global best practices.
- Assess effectiveness of India cybersecurity agencies like CERT-In & NCSC. How can coordination be improved?
- Compare India cybersecurity policies with GDPR & NIST standards. What reforms are needed?
