India — now the world’s most populous country, as well as its fifth-largest economy — is a significant voice in evolving cyber norms, not least thanks to a predominantly young and tech-savvy population and rapid digitalization across every aspect of governance, the economy and society. However, without a contemporaneous cybersecurity strategy, it seems to be punching far below its weight.
Indeed, since assuming office as the prime minister of India in 2014, Narendra Modi has been vocal about cybersecurity, even as he underlines the pivotal role of “Digital India,” a flagship program of his government, for achieving the goal of “Viksit Bharat” — that is, to transform the country into a developed economy by 2047, independent India’s centenary year.
However, India’s challenge is to bypass the middle-income trap, the fate of most countries “unable to compete with low-income, low-wage economies in manufactured exports and unable to compete with advanced economies in high-skill innovations,” notwithstanding enthusiastic reforms and initial bursts of growth.
Jan-Dhan, the financial inclusion initiative; Aadhaar, the digital identity; and mobile connectivity represent the JAM vision in this digital transformation. As an extension, digital public infrastructure (DPI), an Indian innovation, is gaining traction across countries, as well as endorsement by the United Nations, the World Bank and the World Economic Forum, among others — a remarkable feat of digital diplomacy.
Modi also makes efforts to speak to Indians regarding their cybersecurity concerns, such as about identity theft and cyberstalking. For example, in October, which since 2003 has been recognized around the world as Cybersecurity Awareness Month, he used his monthly radio broadcast titled “Mann Ki Baat” (it roughly translates to “Matter of the Mind”) to clarify that Indian law enforcement agencies would never arrest citizens via phone or audio/video calls, noting the public’s concern over elaborate scams that had been extorting huge sums of money from individuals through threats of “digital arrest.”
At the same time, myriad regulations for enterprises are being proposed or are already enforced in India. Some, such as the reasonable security practices and procedures required under the Information Technology Act, apply horizontally across every sector and entity. Others apply to vertical sectors such as energy, transportation, telecom, health care, banking and financial services. Considering their pivotal function and role, specifically notified vide the official gazette “protected systems” such as the Aadhaar Central Identity Data Repository, they have to comply with additional rules.
However, such measures are challenged by the rapid development and deployment of artificial intelligence (AI). Use of AI for exploitation of vulnerabilities as well as for creation, curation and circulation of misinformation and disinformation is posing ever newer challenges, as seen during India’s 2024 parliamentary elections.
India’s National Cyber Security Policy, 2013, aimed for half a million cybersecurity professionals within India in five years. It also outlined the required institutional architecture — namely, the National Critical Information Infrastructure Protection Centre (similar to the Cybersecurity & Infrastructure Agency in the United States), the Indian Computer Emergency Response Team (CERT-In), and the national cyber security coordinator (similar to the national cyber director in the White House), in addition to the sector-specific entities.
A central clearing house may be more efficient and effective in alerting respective agencies, in that it could share relevant information by processing a singular report by the affected entity.
Admittedly, each government agency has its own respective functions, powers and priorities. However, incoherent and uncoordinated regulations, at times promulgated without adequate consultation, may create confusion rather than certainty, even if unintentionally. For example, the draft Telecommunications Critical Infrastructure Rules, 2024 mandate reporting a security event within two hours of its occurrence, while the 2022 Indian Computer Emergency Response Team (CERT-In) Direction has a six-hour mandate. Additional complexity may ensue once the rules are notified under the Digital Personal Data Protection Act, 2023 — which was finally enacted after 25 years of deliberations.
A central clearing house may be more efficient and effective in alerting respective agencies, in that it could share relevant information by processing a singular report by the affected entity rather than by burdening the latter with multitude of reports amid a firefighting situation.
However, even that would be insufficient, considering the transnational nature of the cybersecurity realm. Unanimously adopted by the world leaders during the UN Summit of the Future in September 2024, the “Pact for the Future, Global Digital Compact and Declaration on Future Generations” includes a commitment to make cyberspace safe and secure for one and all. Notably, India has not joined the Council of Europe’s Budapest Convention, the only transnational treaty on cybercrime, but supports the draft UN convention against cybercrime.
All the same, in 2019, India was the only one of the BRICS (Brazil, Russia, India, China, South Africa) countries opting out of both the World Trade Organization’s E-commerce Joint Statement Initiative and the G20 Osaka track for free flow of cross-border data. It also mandates data localization in several sectors and activities, even as it continues as the leading IT outsourcing destination predicated on transfer of data from foreign countries to India and back. To mitigate cyber risks from complex global supply chains, it has instituted several testing and sourcing norms, especially with respect to critical sectors. While it had joined the Common Criteria Recognition Arrangement in 2013, lack of adequate and accredited testing infrastructure within India has led to selective exceptions or to seeking impractical undertakings, both ineffective.
Although Modi had alluded to the National Cyber Security Strategy (NCSS) in his 2020 Independence Day speech, the NCSS remains elusive even after four years. However, now that the national cyber security coordinator has been formally tasked “to provide overall coordination and strategic direction for Cyber Security,” the NCSS must be unveiled sooner than later, albeit after a fresh consultation.
That strategy must be predicated on eight pillars — critical infrastructure protection; cross-border data flow; globally harmonized standards and certifications; innate linkages between cybersecurity and geopolitics; automation of the routine stuff; capacity building; partnerships; and user safety.
Last but not least, consistency and pragmatism would be crucial in its implementation.
