Senior cyber group partners of the Quad met in New Delhi recently and agreed to enhance cyber security based on commonly established practices. This is particularly important in the context of an increasing number of cyber-attacks backed by adversary states. With rapid digitalisation, it becomes an imperative to develop robust internal cyber security frameworks to protect India’s cyberspace. Therefore, India needs to develop an effective cyber security regime coupled with wide immersion across the board, so that digitalisation does not suffer from the vicissitudes of cyber-attacks.
India is one of the most attacked countries in the cyberspace. In recent times, there has been an increase in cyber threat to India’s critical infrastructure like power grids, government establishments like UIDAI, nuclear installations, and hospitals such as AIIMS. For example, the recent cyber-attack on AIIMS compromised the records of about 3-4 crore patients including high-profile personalities. Major reasons for these attacks are the presence of old infrastructure and software in Indian public systems, or legacy systems, and the lack of a scrupulous cyber security framework.
READ I India looks to arm antitrust law with stringent penalties
Cyber security strategy a non-starter
In 2020, the government of India announced the developing of the National Cyber Security Strategy to address the cyber security issues of the modern, digitalised India. It has been more than two years and there is still no sign of it being crystallised. Currently, there are a mix of laws, penal provisions, and other policies to counter cyber security threats.
The Information Technology Act 2000, Indian Penal Code, and National Cyber Security Policy, 2013 are dated and don’t sufficiently address the cyber risks emanating from the use of new and advanced technologies e.g., artificial intelligence and cloud computing. Further, multiple regulations having jurisdiction on the subject matter also create confusion and deter effective cyber security.
In this context, the Quad members’ agreement becomes important as it would promote uniform policies regarding cybersecurity based on international practices and follows their previous engagements. In 2021, the members pledged to promote public-private-cooperation in cybersecurity, while in 2022 the Quad Cybersecurity Partnership based on 10 joint cyber principles was formulated.
Other measures include information-sharing among the countries’ Computer Emergency Response Teams (CERTs), Quad Cyber Challenge (a campaign to raise awareness among people and drive action to improve cyber security), and improving software standards for Quad governments’ procurement by the use of enhanced cybersecurity measures.
India must join global efforts
Recognising the importance of semiconductor supply chain, trusted vendors in telecom infrastructure, especially 5G and 6G, and the global technical standards in cybersecurity; the members also released a Common Statement of Principles on Critical Technology Supply Chains in Tokyo summit to enhance supply chain resilience. They also agreed to establish International Standards Cooperation Network (ISCN) with the objective of cooperating in international standardisation organisations like International Telecommunication Unit (ITU) and Telecommunication Standardization Bureau (TSB).
As good as these Quad initiatives are for ensuring secure cyberspace in India; there is also a need to boost its internal cyber-security capabilities. The 2023 budget’s focus on cyber security with fund allocation of Rs 600crores is a good step; however what India needs first is a long-term vision for cybersecurity. The government has to formulate a dedicated cybersecurity law, with a focus on new and emerging technologies.
The law must define cyber-attacks and identify information infrastructure, and legacy systems along with measures to replace them. It should also incorporate ways to track cyber-crime, building cyber forensic capacities, and create a platform for continuous sharing and analysis of information between public and private sectors.
The focus must also be laid on strengthening human and institutional capacity building through skilling missions, spreading awareness, and organising hackathons. Apart from this, the government should promote the use of cloud infrastructure for its cyberspace, adopt public-private-partnership, and increase the budgetary allocations for cyber security research, development and operations.
India should also strive towards leveraging the technological prowess of its Quad partners, especially the US and Japan. In addition, it must push for the formation of Quad Semiconductor Resilience Fund as has been argued, facilitating technology transfers, and developing a Standard Operating Procedure (SOP) for cyber-attribution i.e., tracking and identifying cyber-attack perpetrators. However, there are certain challenges with regard to Quad cyber diplomacy, which need to be addressed for reaping maximum benefits from the initiative.
These challenges include differences in technological governance, regulation of the big tech companies, which are mainly based in the US, digital trade barriers, and ensuring competition policies that promote innovation. Resolution of these challenges requires strong and decisive political will on the members’ part.
As India moves forward on its path of ‘Digital India’ incorporating technology in all aspects of the country’s economy; it is imperative that the country does not fall behind in the race to ensure a secure cyberspace. This is particularly important in the context of data localisation pursued by the government. Thus, it is the need of the hour that India launches an updated cyber security law and engages actively with its quad partners to ensure a secure cyberspace.
(Krishaank Jugiani works with CUTS International, a global public policy research and advocacy group.)