On 27 September 2024, the Cabinet Secretariat issued a notification amending the Government of India (Allocation of Business) Rules whereby it outlined the roles of a few ministries and departments related to the handling of cyber security in the country. While the National Security Council Secretariat (NSCS) has been mandated "to provide overall coordination and strategic direction for cyber security," the Department of Telecom (DOT) under the Ministry of Telecom will deal with "matters relating to [the] security of telecom networks."
The Ministry of Electronics and Information Technology (MeitY) has been tasked with matters relating to cyber security as assigned in the Information Technology (IT) Act 2000 (as amended from time to time) and provide “support other ministries/departments on cyber security” and the Department of Internal Security under the Ministry of Home Affairs (MHA) assigned “matters relating to cybercrime.”
This is a good step towards more clarity about the domains of action in the face of the massive proliferation and sophistication of cyber attacks in the country. It is also a pertinent and optimal decision to prevent duplication of efforts and the resulting turf wars and clarifies the overall topmost role of the NSCS, giving more teeth to the National Cyber Security Coordinator (NCSC) beyond their coordination functions in line with ministries and other wings of the government ecosystem, while formulating cyber security strategies.
Evolution of India's Cyber Security Policy
The National Cyber Security Policy of 2013 laid the groundwork for a comprehensive approach to cyber security, emphasising the need for a secure computing environment and building capacity to anticipate and respond to threats. However, the rapid pace of technological change quickly rendered this policy outdated.
Recognising this, the Union government announced plans for a new National Cyber Security Strategy in 2020. This strategy, still in development, aims to address emerging challenges such as the security of 5G networks, the Internet of Things (IoT), and artificial intelligence.
Just two weeks before the notification, while addressing the National Security Strategies Conference 2024, the Union home minister had also mentioned that drones and online frauds were major emerging national security threats.
India's cyber security landscape involves a complex network of governmental bodies, each with specific roles and responsibilities. At the apex is the NSCS which oversees national cyber security policy. CERT-In, established in 2004 under MEITY serves as the national nodal agency for responding to computer security incidents. It works closely with other sector-specific CERTs, such as those dedicated to the financial and power sectors.
MeitY plays a crucial role in formulating policies related to cyber laws, and e-governance, and promoting cyber security awareness. The National Critical Information Infrastructure Protection Centre (NCIIPC), under the National Technical Research Organisation, focuses on protecting critical infrastructure from cyber threats. Law enforcement agencies, particularly the Cyber and Information Security Division of the MHA and the cyber cells of state police forces are responsible for investigating cybercrimes.
While this multi-agency approach allows for specialised focus areas, it also presents challenges in coordination and information sharing. From time to time to address these challenges, the Union government has taken steps to enhance inter-agency coordination.
The National Cyber Coordination Centre (NCCC), operationalised in phases since 2017, aims to provide real-time situational awareness and coordinated response to cyber security threats. However, the effectiveness of this centre in streamlining coordination remains a subject of debate.
The Indian Cybercrime Coordination Centre (I4C) was set up in 2019 under the MHA to provide a framework and ecosystem for law enforcement agencies (LEAs) to deal with cybercrime in a coordinated and comprehensive manner. This has also been a useful step but the volume of cybercrimes as well as time-bound actions that are required makes it good work also fall short. The nationwide cybercrime helpline number and the portal under the I4C today is getting popular with citizens for reporting crimes. As the country continues to digitalise at an unprecedented pace, driven by initiatives like Digital India, the cyber security approach must evolve to meet emerging challenges.
Much Needs to be Done
Providing the NSCS with the task of coordination as well as strategic direction for cyber security is the most prudent decision. Firstly, the NSCS has a broad, strategic view of national security that encompasses both traditional and non-traditional threats. As cyber security cuts across multiple domains including defence, intelligence, law enforcement, and critical infrastructure protection, the NSCS's holistic perspective allows it to effectively coordinate cyber security efforts across various government agencies and sectors.
Secondly, the NSCS already plays a crucial role in inter-agency coordination on national security matters and this existing framework and experience can be leveraged to coordinate the complex, multi-stakeholder landscape of cyber security. The NSCS can bring together diverse actors including intelligence agencies, armed forces, law enforcement, and civilian ministries to develop comprehensive cybersecurity strategies.
On the international front, the NSCS is well-positioned to represent India in global cyber security dialogues. Its deep understanding of India's strategic interests can align cyber security diplomacy with broader foreign policy and national security objectives. Moreover, the NSCS has access to classified intelligence and threat assessments from various agencies. This allows it to develop a nuanced understanding of the evolving cyber threat landscape facing India.
Such insights are crucial for both domestic policy formulation and international negotiations on cyber security norms and confidence-building measures.
Along with the business allocation notification, the Union government has to undertake a few quick steps. It has to expedite the finalisation and implementation of the National Cyber Security Strategy as well as bring changes to the IT Act. It has to massively enhance investments in capacity building for organisations like CERT-In and I4C. It has to foster more public-private partnerships to leverage expertise and resources from the private sector and build the trust ecosystem and expand significantly the cyber security awareness across the country and age groups so that it serves all purposes from combating cybercrimes to dealing with cyber terrorism.
The path ahead is challenging, but with a comprehensive strategy, effective coordination, and a commitment to continuous learning and adaptation, India can emerge as a leader in cyber security in the coming decades. In an era where digital infrastructure forms the backbone of national progress, India finds itself at a critical juncture in its cyber security journey.
(Subimal Bhattacharjee is a Visiting Fellow at Ostrom Workshop, Indiana University Bloomington, USA, and a cybersecurity specialist. This is an opinion piece. The views expressed above are the author’s own. The Quint neither endorses nor is responsible for them.)
