3. Introduction
• The use of technology in today’s world is unavoidable. Whether it is
making reservations on our smartphones, checking email, or checking in
for flights, technology is present. Further, the globalization we see
today means we are living in a world where almost everything is
interconnected.
• Governments, businesses and societies around the world are relying
more and more on technology and the Internet in their daily lives.
Whilst its benefits cannot be questioned, the increase in our reliance
on technology unfortunately means we are at higher risk of attacks and
breaches, that is, cyber-attacks. Companies are being hacked, leaving
millions of individuals victims of stolen identities and information.
• Governments worldwide are also facing the increasing threats of
cyber-attacks. Successful attacks put prosperity of economies and the
well-being of societies at risk.
• Consequently, governments are putting measures in place in the hope of
having a resilient, healthy and secure cyberspace. Nonetheless, even
with these efforts, cyber security continues to dominate headlines in
the wrong way. In response, the prevailing approach governments take to
protecting their critical infrastructure is to implement cyber security
standards in their critical sectors.
4. Objectives
• The objective of these slides is to provide an
overview of the various approaches that
countries are taking with regard to the
implementation of cyber security standards.
• Further, these slides discuss the benefits of implementing cyber
security standards for organizations as well as for nations as a whole.
5. Cyber-attacks – A global risk
• As e-business has grown, there have been no signs of cyber threats and
attacks on organizations worldwide easing.
• Whether targeted to government entities or private
corporations, the threats from cyber adversaries continue
to grow in scale and sophistication globally.
• Public and private organizations in various sectors
worldwide now openly acknowledge that cyber threats are
one of the most common and high impact risks they face.
• Dealing with cyber threats is becoming a complex challenge
due to the evolving cyber security landscape.
• Organizations today face not only common and known
cyber threats, but new and emerging ones where targeted
and large scale attacks can impact not only the
organizations but may potentially lead to the adverse
impact on nations’ critical infrastructures.
6. Cyber-attacks on critical sectors
• The 2014 cyber-attack against the American entertainment subsidiary of
a Japanese multimedia conglomerate affected not only the company but also
the nation’s security as a whole. Apart from releasing confidential data,
the hackers also sent threatening messages to be acted on if their demands
were not met [1]. The financial sector has also become a regular target.
• The 2013 malware attack in South Korea resulted in the malfunction of
48,000 personal computers and servers, disrupting work at banks and
television broadcasters in the country [2].
• In 2012, a virus attack known as Shamoon on Saudi Arabia’s leading oil
and gas company damaged approximately 30,000 computers, disrupting the
company’s business operations [3].
• Global technology companies have had their share of cyber-attacks in
recent years as well. These companies were hacked, exposing proprietary
information and sensitive communications that were then used to target
major corporations.
8. Global cost of cybercrime
• From a global standpoint, a recent McAfee publication estimated the annual
cost of cybercrime to the global economy at more than USD 400 billion [8].
• Bearing the brunt of these losses are the four largest economies in the
world, the United States of America (USA), China, Japan and Germany, with a
combined figure reaching USD 200 billion.
• The financial loss to the global economy is only expected to rise as
reliance on technology and cyberspace increases. Consequently, governments
worldwide are realizing that cyber threats can not only disrupt critical
infrastructure networks, but also potentially escalate to the level of a
national security threat.
• Dealing with cyber threats and attacks is no longer just about being aware
or vigilant – but it’s about being resilient. Governments around the world
are putting measures in place to enhance resiliency in weathering the
cyber threats and attacks.
• Whilst the global community have undertaken actions and steps in
mitigating these cyber threats, it is important to ensure the critical
infrastructure remains resilient to withstand cyber-attacks. The term
‘resiliency’ can have many definitions, but generally it is the capability to
prepare, protect, respond and recover from threats and hazards.
9. How do countries or organizations remain resilient?
• The implementation of cyber security standards is by no means a silver bullet in critical
infrastructure protection.
• However, its implementation can establish a set of controls that contribute and build
better resiliency.
• The cyber security standards may support the capabilities of preparing, protecting,
responding and recovering from cyber-attacks.
• Implementing and complying with cyber security standards enables the
principles and better practices of cyber security management to be applied
to improving the security and resilience of critical infrastructures.
• ISO/IEC 27032:2012 Information technology -- Security techniques – Guidelines for
cyber security
• ISO/IEC 27001 Information technology -- Security techniques -- Information security
management systems – Requirements
• ISO 22301 Societal security -- Business continuity management system Requirements
• ISO/IEC 15408 Information technology -- Security techniques -- Evaluation criteria for
IT security
• ISO/IEC 27035 Information technology -- Security techniques -- Information security
incident management
• ISO/IEC 27005 Information technology -- Security techniques -- Information security
risk management
• FIPS 140-2: Security Requirements for Cryptographic Modules (the FIPS 140
series; FIPS 140-1 was superseded by 140-2, and 140-3 is now in force)
• FIPS 186-3: Digital Signature Standard (since superseded by FIPS 186-4 and
FIPS 186-5)
10. ISO/IEC 27032:2012 Information technology --
Security techniques – Guidelines for cyber security
• ISO/IEC 27032:2012 provides guidance for improving the state of Cyber
security, drawing out the unique aspects of that activity and its
dependencies on other security domains, in particular:
1. information security,
2. network security,
3. internet security, and
4. critical information infrastructure protection (CIIP).
• It covers the baseline security practices for stakeholders in
cyberspace. Note that the 2012 edition has since been revised as ISO/IEC
27032:2023, which narrows the document to guidelines for Internet security.
• This International Standard provides:
1. an overview of Cyber security,
2. an explanation of the relationship between Cyber security and other
types of security,
3. a definition of stakeholders and a description of their roles in Cyber
security,
4. guidance for addressing common Cyber security issues, and
5. a framework to enable stakeholders to collaborate on resolving Cyber
security issues.
11. ISO/IEC 27001
INFORMATION SECURITY MANAGEMENT
• When it comes to keeping information assets secure, organizations
can rely on the ISO/IEC 27000 family.
• ISO/IEC 27001 is widely known, providing requirements for an
information security management system (ISMS), though there are
more than a dozen standards in the ISO/IEC 27000 family.
• Using them enables organizations of any kind to manage the
security of assets such as financial information, intellectual
property, employee details or information entrusted by third
parties.
• Like other ISO management system standards, certification to
ISO/IEC 27001 is possible but not obligatory.
• Some organizations choose to implement the standard in order to
benefit from the best practice it contains, while others also decide to
get certified to reassure customers and clients that the standard’s
requirements have been followed.
• ISO does not perform certification.
12. ISO 22301 Societal security
• ISO 22301 is the Business Continuity Management System standard.
The ISO 22301 BCM standard is designed to ensure that a robust
business continuity management system has been established, and
that internal staff members are fully aware of their role within the
system should an incident occur.
• ISO 22301:2012 (since revised as ISO 22301:2019) specifies requirements to
plan, establish, implement, operate, monitor, review, maintain and
continually improve a documented management system to protect against,
reduce the likelihood of occurrence of, prepare for, respond to, and
recover from disruptive incidents when they arise.
• The requirements specified in ISO 22301:2012 are generic and
intended to be applicable to all organizations, or parts thereof,
regardless of type, size and nature of the organization. The extent of
application of these requirements depends on the organization's
operating environment and complexity.
13. ISO/IEC 15408 IT Security Evaluation
• ISO/IEC 15408-1:2009 establishes the general concepts and principles of IT
security evaluation and specifies the general model of evaluation given by
various parts of ISO/IEC 15408 which in its entirety is meant to be used as the
basis for evaluation of security properties of IT products.
• The Common Criteria for Information Technology Security Evaluation (referred
to as Common Criteria or CC) is the international standard (ISO/IEC 15408)
for computer security certification. At the time of these slides the current
version was CC version 3.1 revision 5; it has since been superseded by CC:2022,
published as ISO/IEC 15408:2022.
• The Common Criteria (CC) was developed to facilitate consistent evaluations of
security products and systems. It is an international effort to define an IT
Security evaluation methodology, which would receive mutual recognition
between customers and vendors throughout the global economy.
• The key concepts of protection profiles (PP), packages of security requirements
and the topic of conformance are specified and the consequences of
evaluation and evaluation results are described.
• ISO/IEC 15408-1:2009 gives guidelines for the specification of Security Targets
(ST) and provides a description of the organization of components throughout
the model.
14. ISO/IEC 27035 Security incident management
• ISO/IEC 27035:2011 (since restructured as ISO/IEC 27035-1 and 27035-2,
published in 2016) provides a structured and planned approach to:
1. detect, report and assess information security incidents;
2. respond to and manage information security incidents;
3. detect, assess and manage information security vulnerabilities;
and
4. continuously improve information security and incident
management as a result of managing information security
incidents and vulnerabilities.
• ISO/IEC 27035:2011 provides guidance on information security
incident management for large and medium-sized organizations.
Smaller organizations can use a basic set of documents, processes
and routines described in this International Standard, depending on
their size and type of business in relation to the information
security risk situation.
• It also provides guidance for external organizations providing
information security incident management services.
15. ISO/IEC 27005 Information security risk management
• Scope of the standard
• The standard ‘provides guidelines for information security risk management’
and ‘supports the general concepts specified in ISO/IEC 27001 and is designed
to assist the satisfactory implementation of information security based on a
risk management approach.’
• It cites ISO/IEC 27000 as a normative (essential) reference, and
mentions ISO/IEC 27001, ISO/IEC 27002 and ISO 31000 in the content. NIST
standards are referenced in the bibliography.
• Content of the standard
• The standard doesn't specify, recommend or even name any specific risk
management method. It does however imply a continual process consisting of
a structured sequence of activities, some of which are iterative:
• Establish the risk management context (e.g. the scope, compliance
obligations, approaches/methods to be used and relevant policies and criteria
such as the organization’s risk tolerance or appetite);
16. ISO/IEC 27005 Information security risk management
• Quantitatively or qualitatively assess (i.e. identify, analyze and
evaluate) relevant information risks, taking into account the
information assets, threats, existing controls and vulnerabilities
to determine the likelihood of incidents or incident scenarios,
and the predicted business consequences if they were to occur,
to determine a ‘level of risk’;
• Treat (i.e. modify [use information security controls], retain
[accept], avoid and/or share [with third parties]) the risks
appropriately, using those ‘levels of risk’ to prioritize them;
• Keep stakeholders informed throughout the process; and
• Monitor and review risks, risk treatments, obligations and criteria
on an ongoing basis, identifying and responding appropriately to
significant changes.
• Extensive appendices provide additional information, primarily
examples to demonstrate the recommended approach.
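The assess/treat cycle described on these two slides, as an added example that is not part of the original slides or of ISO/IEC 27005 itself: a small risk register in Go that scores each asset/threat/vulnerability scenario on a 5x5 likelihood-by-consequence matrix after crediting existing controls, ranks the results so they read as a treatment priority list, and picks one of the four treatment options (modify, retain, avoid, share) against an assumed risk appetite. The scoring scale, the decision rule in ChooseTreatment, the appetite value and the sample scenarios are all assumptions of this example; 27005 deliberately prescribes none of them.

```go
package main

import (
	"fmt"
	"sort"
)

// Scenario is one information risk in the ISO/IEC 27005 sense: an asset, the
// threat acting on it, the vulnerability the threat would exploit, and the
// factors the analysis step needs to estimate a level of risk.
type Scenario struct {
	Asset         string
	Threat        string
	Vulnerability string
	Likelihood    int  // 1 (rare) .. 5 (almost certain), before crediting existing controls
	Consequence   int  // 1 (negligible) .. 5 (severe) predicted business impact
	ControlEffect int  // 0..4 points of likelihood the existing controls are credited with removing
	Optional      bool // the activity producing the risk could be stopped, so "avoid" is possible
	Transferable  bool // the risk can be shared, e.g. insured or moved to a provider
}

// Treatment is one of the four 27005 treatment options.
type Treatment string

const (
	Modify Treatment = "modify (apply further controls)"
	Retain Treatment = "retain (accept within appetite)"
	Avoid  Treatment = "avoid (stop the activity)"
	Share  Treatment = "share (transfer to a third party)"
)

// Assessed is a scenario after analysis, evaluation and treatment choice.
type Assessed struct {
	Scenario
	ResidualLikelihood int
	Level              int
	Treatment          Treatment
}

func clamp(v, lo, hi int) int {
	if v < lo {
		return lo
	}
	if v > hi {
		return hi
	}
	return v
}

// LevelOfRisk scores a scenario on a qualitative 5x5 matrix (an assumed
// scale): likelihood after existing controls, times consequence, giving 1..25.
func LevelOfRisk(s Scenario) (residualLikelihood, level int) {
	residualLikelihood = clamp(s.Likelihood-s.ControlEffect, 1, 5)
	level = residualLikelihood * clamp(s.Consequence, 1, 5)
	return residualLikelihood, level
}

// ChooseTreatment is an illustrative decision rule, an assumption of this
// example rather than text from 27005: anything within appetite is retained;
// above appetite, avoid if the activity is optional, share if the risk is
// transferable, otherwise modify by applying controls.
func ChooseTreatment(s Scenario, level, appetite int) Treatment {
	switch {
	case level <= appetite:
		return Retain
	case s.Optional:
		return Avoid
	case s.Transferable:
		return Share
	default:
		return Modify
	}
}

// Assess runs analysis, evaluation and treatment choice over a set of
// scenarios and returns them ranked by level of risk, highest first.
func Assess(scenarios []Scenario, appetite int) []Assessed {
	out := make([]Assessed, 0, len(scenarios))
	for _, s := range scenarios {
		rl, lvl := LevelOfRisk(s)
		out = append(out, Assessed{Scenario: s, ResidualLikelihood: rl, Level: lvl,
			Treatment: ChooseTreatment(s, lvl, appetite)})
	}
	sort.SliceStable(out, func(i, j int) bool { return out[i].Level > out[j].Level })
	return out
}

// SampleRegister is a constructed set of scenarios for demonstration only.
func SampleRegister() []Scenario {
	return []Scenario{
		{Asset: "customer database", Threat: "ransomware", Vulnerability: "unpatched VPN appliance",
			Likelihood: 5, Consequence: 5, ControlEffect: 1},
		{Asset: "public website", Threat: "defacement", Vulnerability: "outdated CMS plugin",
			Likelihood: 4, Consequence: 2, ControlEffect: 2},
		{Asset: "payment processing", Threat: "card data theft", Vulnerability: "no tokenisation",
			Likelihood: 3, Consequence: 5, ControlEffect: 0, Transferable: true},
		{Asset: "legacy FTP partner exchange", Threat: "credential sniffing", Vulnerability: "cleartext protocol",
			Likelihood: 4, Consequence: 3, ControlEffect: 0, Optional: true},
	}
}

func main() {
	const appetite = 6 // assumed organisational risk appetite on the 1..25 scale
	for _, a := range Assess(SampleRegister(), appetite) {
		fmt.Printf("%-28s level=%2d (L%d x C%d) -> %s\n",
			a.Asset, a.Level, a.ResidualLikelihood, a.Consequence, a.Treatment)
	}
}
```

The ranking is the "use those levels of risk to prioritize them" step; the monitor-and-review step is simply re-running Assess when a likelihood, consequence or control estimate changes.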
17. FIPS 140: Security Requirements for
Cryptographic Modules
• The 140 series of Federal Information Processing
Standards (FIPS) are U. S. government computer
security standards that specify requirements
for cryptography modules.
• FIPS 140-2, issued on 25 May 2001, superseded FIPS 140-1 and remained the
version modules were tested against for nearly two decades. Its successor,
FIPS 140-3, was approved on March 22, 2019 and became effective on
September 22, 2019.
• The CMVP began accepting FIPS 140-3 submissions on September 22, 2020 and
continued to accept FIPS 140-2 submissions until September 21, 2021, so the
two standards coexisted for a time. Existing FIPS 140-2 certificates remain
on the active list for now but are scheduled to be moved to the historical
list on September 21, 2026, after which they cannot be relied on for new
procurement.
18. Purpose of FIPS 140
• The National Institute of Standards and Technology (NIST) issues the 140
Publication Series to coordinate the requirements and standards for
cryptographic modules which include both hardware and software components
for use by departments and agencies of the United States federal government.
• FIPS 140 does not purport to provide sufficient conditions to guarantee that a
module conforming to its requirements is secure, still less that a system built
using such modules is secure. The requirements cover not only the cryptographic
modules themselves but also their documentation and (at the highest security
level) some aspects of the comments contained in the source code.
• User agencies wishing to deploy cryptographic modules should confirm that
the module they are using is covered by an existing validation certificate.
FIPS 140-1 and FIPS 140-2 validation certificates specify the exact module
name and hardware, software, firmware, and/or applet version numbers. For
Levels 2 and higher, the operating platform on which the validation applies
is also listed. Vendors do not always maintain their baseline validations,
so a later patch release of a validated product is not covered unless the
certificate has been updated to list it; a module with the right name but an
unlisted version or platform is, for compliance purposes, not validated.
• The Cryptographic Module Validation Program (CMVP) is operated jointly by the
United States Government's National Institute of Standards and
Technology (NIST) Computer Security Division and the Communications Security
Establishment (CSE) of the Government of Canada. The use of validated
cryptographic modules is required by the United States Government for all
unclassified uses of cryptography. The Government of Canada also recommends
the use of FIPS 140 validated cryptographic modules in unclassified applications
of its departments.
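Checking a deployed module against the certificate fields listed above, as an added example in Go that is not part of the original slides or of any CMVP tooling. The certificate records, module names, versions and certificate numbers in sampleCerts are constructed for illustration, not real CMVP entries. The point is the strictness of the match: the version string must appear on the certificate, a Level 2 or higher certificate applies only on its listed platforms, and a certificate that has been moved to the historical list does not count.

```go
package main

import (
	"fmt"
	"strings"
)

// ValidationCert carries the fields a CMVP certificate pins down: the exact
// module name and version strings, the security level, and (Level 2 and up)
// the operational environments the validation applies to.
type ValidationCert struct {
	Number    string
	Module    string
	Versions  []string // exact software/firmware/hardware version strings on the certificate
	Level     int
	Platforms []string // operating platforms listed; only consulted for Level >= 2
	Status    string   // "Active", "Historical" or "Revoked"
}

// DeployedModule is what an agency actually finds running on a system.
type DeployedModule struct {
	Module   string
	Version  string
	Platform string
}

// sampleCerts are constructed records for this example; the certificate
// numbers, module names and versions are illustrative, not real CMVP entries.
var sampleCerts = []ValidationCert{
	{Number: "0001", Module: "Example Crypto Library", Versions: []string{"2.0.0", "2.0.1"},
		Level: 1, Status: "Active"},
	{Number: "0002", Module: "Example HSM Firmware", Versions: []string{"7.3"},
		Level: 3, Platforms: []string{"Example HSM Model X"}, Status: "Active"},
	{Number: "0003", Module: "Example Crypto Library", Versions: []string{"1.9.0"},
		Level: 1, Status: "Historical"},
}

// norm makes name comparisons tolerant of case and whitespace only; version
// and platform strings are otherwise compared exactly, as the certificate does.
func norm(s string) string { return strings.ToLower(strings.TrimSpace(s)) }

func contains(list []string, v string) bool {
	for _, x := range list {
		if norm(x) == norm(v) {
			return true
		}
	}
	return false
}

// FindValidation reports whether the deployed module is covered by an active
// certificate. Matching is deliberately exact: a patched version that is not
// on the certificate, or a Level 2+ module run on an unlisted platform, is
// not validated, whatever the vendor's product page says.
func FindValidation(m DeployedModule, certs []ValidationCert) (certNumber string, ok bool, reason string) {
	reason = "no certificate found for module name"
	for _, c := range certs {
		if norm(c.Module) != norm(m.Module) {
			continue
		}
		if !contains(c.Versions, m.Version) {
			reason = fmt.Sprintf("cert %s lists versions %v, not %q", c.Number, c.Versions, m.Version)
			continue
		}
		if c.Level >= 2 && !contains(c.Platforms, m.Platform) {
			reason = fmt.Sprintf("cert %s (Level %d) is not validated on platform %q", c.Number, c.Level, m.Platform)
			continue
		}
		if c.Status != "Active" {
			reason = fmt.Sprintf("cert %s is %s; not acceptable for new procurement", c.Number, c.Status)
			continue
		}
		return c.Number, true, "covered"
	}
	return "", false, reason
}

func main() {
	checks := []DeployedModule{
		{"Example Crypto Library", "2.0.1", "Linux x86_64"},
		{"Example Crypto Library", "2.0.2", "Linux x86_64"},    // vendor patch never re-validated
		{"Example HSM Firmware", "7.3", "Example HSM Model Y"}, // wrong platform for a Level 3 cert
		{"Example Crypto Library", "1.9.0", "Linux x86_64"},    // certificate moved to the historical list
	}
	for _, m := range checks {
		num, ok, why := FindValidation(m, sampleCerts)
		fmt.Printf("%s %s on %s: ok=%t cert=%q (%s)\n", m.Module, m.Version, m.Platform, ok, num, why)
	}
}
```

In practice the certs slice would be populated from the CMVP validated-modules list rather than hard-coded, and the check belongs in procurement and build pipelines, since the usual failure is a silent upgrade to a version the certificate never named.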
19. FIPS 186-3: Digital Signature Standard
• Name of Standard: Digital Signature Standard (DSS) (FIPS 186-3).
• Category of Standard: Computer Security. Subcategory. Cryptography.
• Explanation: This Standard specifies algorithms for applications requiring a
digital signature, rather than a written signature.
• Applicability: This Standard is applicable to all Federal departments and
agencies for the protection of sensitive unclassified information that is not
subject to section 2315 of Title 10, United States Code, or section 3502 (2)
of Title 44, United States Code. This Standard shall be used in designing
and implementing public key-based signature systems that Federal
departments and agencies operate or that are operated for them under
contract. The adoption and use of this Standard is available to private and
commercial organizations.
• Applications: A digital signature algorithm allows an entity to authenticate
the integrity of signed data and the identity of the signatory. The recipient
of a signed message can use a digital signature as evidence in
demonstrating to a third party that the signature was, in fact, generated
by the claimed signatory. This is known as non-repudiation, since the
signatory cannot easily repudiate the signature at a later time. A digital
signature algorithm is intended for use in electronic mail, electronic funds
transfer, electronic data interchange, software distribution, data storage,
and other applications that require data integrity assurance and data
origin
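The sign/verify/non-repudiation properties described above, as an added example in Go that is not part of the original slides or of FIPS 186 itself. It uses Go's standard crypto/ecdsa package (ECDSA on the P-256 curve with SHA-256, one of the algorithm/curve/hash combinations FIPS 186 allows); the sample message and the parties Alice and Mallory are constructed. Verification uses only the public key, which is what lets a recipient, or an arbitrating third party, check integrity and origin without the signatory's cooperation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// GenerateSigningKey creates a P-256 ECDSA key pair. P-256 is one of the
// curves FIPS 186 approves for ECDSA; the private half never leaves the signatory.
func GenerateSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Sign hashes the message with SHA-256 and signs the digest, returning the
// ASN.1 DER encoding of the (r, s) pair. ECDSA needs fresh randomness per
// signature; a reused or predictable per-message secret exposes the private key.
func Sign(priv *ecdsa.PrivateKey, message []byte) ([]byte, error) {
	digest := sha256.Sum256(message)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify uses only the public key, so a recipient, or a third party settling a
// dispute, can check integrity and origin without involving the signer.
func Verify(pub *ecdsa.PublicKey, message, sig []byte) bool {
	digest := sha256.Sum256(message)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Demo exercises the three cases that matter: the genuine message verifies,
// an altered message does not, and a signature produced by another key does
// not verify under the claimed signatory's public key.
func Demo() (genuine, tampered, wrongSigner bool, err error) {
	alice, err := GenerateSigningKey() // the claimed signatory (constructed party)
	if err != nil {
		return
	}
	mallory, err := GenerateSigningKey() // an impostor (constructed party)
	if err != nil {
		return
	}

	msg := []byte("PAY 100.00 to account 12345") // constructed sample message
	sig, err := Sign(alice, msg)
	if err != nil {
		return
	}
	genuine = Verify(&alice.PublicKey, msg, sig)

	altered := []byte("PAY 900.00 to account 12345") // one field changed in transit
	tampered = Verify(&alice.PublicKey, altered, sig)

	forged, err := Sign(mallory, msg) // impostor signs the same text with her own key
	if err != nil {
		return
	}
	wrongSigner = Verify(&alice.PublicKey, msg, forged)
	return genuine, tampered, wrongSigner, nil
}

func main() {
	genuine, tampered, wrongSigner, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine message verifies:     %t\n", genuine)
	fmt.Printf("tampered message verifies:    %t\n", tampered)
	fmt.Printf("other key's signature passes: %t\n", wrongSigner)
}
```

Using an approved algorithm is not the same as using a validated module: whether a given build of the cryptographic library behind these calls is covered by a FIPS 140 certificate has to be checked against the CMVP list, as the previous slide describes, and the binding between the public key and the signatory's identity (a certificate or key directory) is outside the signature algorithm altogether.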
20. “ Some countries implement cyber security
standards through mandatory requirements,
whilst others provide guidelines and
frameworks.”
21. Cyber security framework under the
IT Act in India
• India enacted the Information Technology Act, 2000 (“IT Act”) on 09 June
2000. The IT Act is based on the UNCITRAL model law on e-commerce.
• The preamble of the IT Act simply indicates that the Act is centered
around affording legal recognition to transactions carried out
electronically. However, the scope of the IT Act goes much beyond its
preamble. It covers multiple areas including data protection and security,
cybercrimes, adjudication of cyber disputes, government mandated
surveillance of digital communication, and intermediary liability.
• The IT Act framework was last updated in 2011, through rules issued under
the Act (the Act itself was last amended in 2008). Despite an unprecedented
increase in cyber frauds, data breaches and general cyber security concerns,
no changes have been made to the IT Act in almost 9 years. In February 2020,
the Ministry of Electronics and Information Technology (“MeitY”) announced
that it will revamp the IT Act with a stronger focus on a framework for cyber
security.
• Emerging technologies, explosion of digital business models and a
substantial increase in the instances of cybercrimes have triggered the
government to take steps to fast track the process of amending the IT Act.
22. A. Key developments in the cyber
security framework in India-
• 1. The Indian Computer Emergency Response Team-
• On 23 February 2003, the Department of Information Technology (now MeitY)
designated the Indian Computer Emergency Response Team (“CERT-In”) as the
authority to issue instructions for blocking websites under the IT Act to
prevent online obscenity. In 2009, CERT-In was designated the national
agency for responding to cyber security incidents under section 70B of the
amended IT Act. CERT-In is currently tasked with the following functions:
• a. Collecting, analysing and disseminating information on cyber
incidents;
• b. Raising awareness about cyber security among citizens;
• c. Issuing guidelines, advisories, vulnerability notes on information
security practices, procedures, prevention, response and reporting
of cyber incidents. For instance, in December 2019, the CERT-In
issued a vulnerability note on a vulnerability in the Android
operating system called the StrandHogg.
23. 2. Constitution of committee of experts to review the IT Act-
• In 2005, a committee of experts was constituted by the erstwhile Ministry of Communications
and Information Technology to review the IT Act. In their report, the committee proposed to
strengthen the framework for computer based crimes. It also proposed to build a robust
mechanism to deal with data protection and privacy challenges. Accordingly, the following
notable amendments were suggested:
• a. Treatment of computer based crimes– Section 43 of the IT Act provided for compensation in
various cases including unauthorized access to a computer system, data theft and introduction of
viruses into a computer system. Section 66 of the IT Act penalized the offence of hacking a
computer system. The committee suggested replacing section 66 with a new section that
comprehensively dealt with computer based offences. The substituted section 66, which
penalized computer offences done ‘fraudulently’ or ‘dishonestly’, was worded in line with
section 43 of the then IT Act.
• b. Data protection – To ensure security of data and protection of information from unauthorized
damage, the committee suggested to hold a body corporate processing, dealing or handling
sensitive personal data in a computer resource liable for failure to implement and maintain
reasonable security procedures and measures.
• c. Stringent provisions to deal with cybercrimes– Provisions addressing the issue of child
pornography and video voyeurism with higher degree of punishment were proposed.
• d. Power of interception-Based on the recommendations of Inter-Ministerial Working Group on
Cyber Laws & Cyber Forensics, wide powers of monitoring, interception and decryption of any
information through any computer resource was proposed to be transferred from the Controller
of Certifying Authority to the central government.
• The set of amendments proposed to be introduced by these recommendations paved the way
for the government to consider the issues of data protection and cyber security in its subsequent
attempts to amend the IT Act.
24. 3. Recommendations of the standing committee on IT on the IT
(Amendment) Bill 2006-
• Based on the recommendations of the committee of experts, the government introduced the IT
(Amendment) Bill, 2006 (“Amendment Bill”) in December 2006. It was later referred for review to the
standing committee on IT. In its 50th report released in 2007, the standing committee on IT criticized the
government’s approach of amending the existing IT Act, rather than bringing a new and exclusive
legislation for governing information technology. The standing committee on IT highlighted the following
issues in its report:
• a. Specific issues of cybercrime and cyber terrorism– The committee pointed out the inadequacy of the
Amendment Bill to deal with the issues of cybercrime including cyber terrorism. It noted that cyber
terrorism was not defined in the proposed amendments to the IT Act. The committee expressed its
concerns over government’s proposal to introduce penalties that aligned the IT Act with the Indian Penal
Code (“IPC”). The report noted that the IPC was an archaic law and ill equipped to encompass varied
cybercrimes including cyber terrorism. The committee recommended to incorporate adequate, stringent,
specific and self-enabling provisions in the IT Act itself to effectively deal with such offences.
• b. Cross border cybercrimes– The committee opined that entering into Mutual Legal Assistance Treaties to
deal with cross border cybercrimes with one country at a time offered a solution in a ‘piecemeal manner’.
Accordingly, the committee recommended that the government must build a roadmap to become a part
of an omnibus international convention on cybercrimes to effectively address this issue.
• c. Child pornography– The committee recommended that the Amendment Bill should have explicit
provisions to deal with child pornography. This would align it with the laws in other advanced countries
and Article 9 of the Council of Europe Convention on Cybercrime (the Budapest Convention).
• d. Powers of interception – The committee questioned the rationale of vesting the central government
with the power to issue directions for interception or monitoring of any information through any
computer resource. It noted that since ‘public order’ and ‘police’ are state subjects as per the Constitution
of India, the power to intercept any information should be vested in the state governments. This will also
align the proposed law with the powers of interception given to state governments in the Indian Telegraph
Act, 1885.
• e. Status of the CERT-In– The committee in its report noted that even though CERT-In has been nominated
as the national agency on cyber security, the status of the body has not been defined. Accordingly, the
committee suggested that the agency should be defined as a government body to clarify its status beyond
doubt. Doing so will instill confidence in foreign investors regarding existence of a bona fide legal
framework in the country.
25. 4. The Information Technology (Amendment) Act, 2008-
• In December 2008, the Parliament enacted the IT (Amendment) Act 2008 (“Amendment
Act”). The following notable amendments were introduced through the Amendment Act:
• a. Computer related offences– The Amendment Act prohibited transmission of offensive
messages or any information for the purposes of causing annoyance, inconvenience, etc. by
means of a computer resource and communication service. However, this provision was
struck down later by the Supreme Court of India in the Shreya Singhal case.
• b. Power of interception– Based on the recommendations of the standing committee on IT,
the Amendment Act empowered both the central and state governments to issue directions
for interception/monitoring of any information under section 69. The scope of the
information intercepted was broadened to include its transmission, generation and storage,
as opposed to just transmission in the original provision. The amended section also made
issuance of such interception orders subject to additional safeguards introduced through the
Information Technology (Procedure and Safeguards for Interception, Monitoring and
Decryption of Information) Rules, 2009 (“Interception Rules”).
• c. Critical information infrastructure– The Amendment Act introduced the term ‘critical
information infrastructure’ (“CII”), i.e. a computer resource whose incapacitation or destruction
would have a debilitating impact on national security, the economy, public health or safety.
Further, any computer resource facilitating such CII could be designated a protected system.
Accordingly, the government was empowered to exercise control over such protected systems, in
addition to prescribing information security practices and procedures for such systems.
• d. Nodal agency for CII– In January 2014, the National Critical Information Infrastructure
Protection Centre (“NCIIPC”) was designated as the national nodal agency under the
provisions of the Amendment Act. The NCIIPC is responsible for undertaking all measures to
protect CII from unauthorized access, modification, use or disclosure.
26. 5. Bill on Intelligence agency reforms-
• In March 2011, the Intelligence Services (Powers and Regulation) Bill,
2011 (“Intelligence Bill”) was introduced as a private members bill by Shri
Manish Tewari. He was a Member of Parliament in the Lok Sabha and
currently a member of the Joint Parliamentary Committee examining the
Draft Personal Data Protection Bill, 2019. The Intelligence Bill proposed to
regulate the functioning of three major Indian Intelligence Agencies-
Research and Analysis Wing (“RAW”), Intelligence Bureau (“IB”) and
National Technical Research Organization (“NTRO”)- by putting in place an
oversight mechanism. The Bill stated that surveillance operations
undertaken by such intelligence agencies infringe the right to privacy of
individuals. To prevent intelligence agencies from misusing their
surveillance powers, it proposed a National Intelligence and Security
Oversight Committee (“NISOC”). The NISOC was empowered to seek any
information that these agencies possessed. Additionally, the Intelligence
Bill provided for a National Intelligence Tribunal to hold these agencies
accountable. The tribunal was empowered to investigate complaints filed
by any person for action taken against her or her property by these
agencies. However, the Intelligence Bill, like most private member bills,
never came up for discussion and ultimately lapsed.
27. 6. National Cyber Security Policy, 2013-
• In July 2013, the erstwhile Ministry of Communication and Information
Technology notified the National Cyber Security Policy (“NCSP”).
• Based on the objectives envisioned in the NCSP 2013, the following
strategies/initiatives were introduced by the Indian government:
• a. Designation of the NCIIPC as the nodal agency to undertake measures
to secure the country’s CII.
• b. Cyber Swachhta Kendra initiative under the CERT-In to combat and
analyse any malicious infections/attacks that damage computer systems.
The initiative is aimed at securing the cyber ecosystem by preventing such
attacks from taking place and cleaning the systems that have already been
infected.
• c. Development of multilateral relationships in the area of cyber security.
In 2016, India partnered with the US for coordinating best practices in
relation to cyber security and exchanging information in real time about
malicious cyberattacks, among other things.
• d. Setting up of the National Cyber Coordination Centre (“NCCC”) to create
situational awareness about cyber security threats and enable timely
information sharing for preventive action by individual entities.
28. 7. Standing committee on IT report on ‘Cyber Crime, Cyber Security and
Right to Privacy’-
• In February 2014, the standing committee on IT made the following recommendations in its
report on cybercrime, security and privacy –
• a. The committee observed that there are 20 different kinds of cybercrimes. Recognizing the
impact of cyber threats on critical sectors (such as power, atomic energy, space, aviation, etc.),
it recommended establishing a national protection centre to protect the CII in the country.
• b. In dealing with issues pertaining to cyber frauds, the government may have to coordinate
with multiple institutions, such as the Reserve Bank of India and the SEBI. Accordingly, the
committee recommended to form a centralized agency to deal with all the cases of
cybercrimes.
• c. The committee noted that multiple agencies including the Ministry of Defence (“MoD”), Ministry
of Home Affairs (“MHA”), IB, NTRO, NCIIPC, etc. are involved in securing the Indian cyberspace.
It also noted that, to minimize overlapping responsibilities between such agencies, the government
has tasked the National Security Council Secretariat (“NSCS”) with overseeing compliance with cyber
security policies. However, given the multiple agencies involved, this could hinder combating cyber
threats at the earliest. Recognizing the need for a collaborative effort between the government
and the industry to address this issue, the committee suggested implementing the recommendations
made by a Joint Working Group (“JWG”) set up under the Deputy National Security Advisor in this
regard. The JWG recommended, among other things, putting in place a permanent mechanism for a
Public Private Partnership (“PPP”) on cyber security.
• d. The committee acknowledged that despite the cost advantages in hosting servers outside
India, the accompanying technical and legal security concerns posed to the nation and citizen’s
privacy have to be given due consideration. Accordingly, the committee recommended that
government should take all steps to ensure that as far as possible, the servers should be hosted
locally.
29. 8. Surveillance order issued by MHA–
• In December 2018, the MHA passed an order under the
Interception Rules which authorized 10 security and
intelligence agencies to intercept/monitor/decrypt any
information transmitted, generated, received or stored on
any computer resource.
• These agencies include the IB, Narcotics Control Bureau,
Enforcement Directorate, Central Board of Direct Taxes,
Central Bureau of Investigation and the Delhi Police. The
order was heavily criticized and challenged before the
Supreme Court on the grounds of violating the
fundamental right to privacy, as laid down in
the Puttaswamy case.
• The central government defended the order by claiming
that it was passed to pursue a legitimate state aim.
Furthermore, the government has submitted that, for
authorized agencies to intercept any information, they will
have to seek the permission of the competent authority.
The matter is currently pending before the Supreme Court.
30. 9. National Cyber Security Strategy 2020
• In another one of its attempts to address the issues
pertaining to cyber threats and data vulnerabilities, the
Indian government has proposed to come out with the
National Cyber Security Strategy (“NCSS”) 2020.
• The NCSS aims to examine various facets of cyber
security under three pillars: securing the national
cyberspace; strengthening the structures, people,
processes and capabilities; and synergizing the resources,
including through cooperation and collaboration.
• The government had sought comments and
suggestions on different aspects of the NCSS by
10th January 2020 and is currently in the process of
framing the policy.
31. B. Key Issues on cyber security
• 1. Surveillance and privacy
• a. The Interception Rules designate the Secretary in the Union Ministry of Home
Affairs/Home Department of a state government (“Home Secretary”) as the
‘competent authority’ for approving data surveillance/monitoring requests under
the IT Act. Additionally, the Interception Rules provide for a review committee to
oversee the directions issued by the competent authority to intercept/monitor
such information. Per the Interception Rules, the review committee is mandated to
meet at least once in two months. Similarly, a committee headed by the chief
secretary reviews directions passed by state governments.
• b. This means that the central government has to approach the Home Secretary
before it issues any directions to intercept/monitor any digital communication.
However, given the large number of interception/monitoring requests made by the
government, it becomes unfeasible for the Home Secretary to objectively assess each
request. Thus, the Home Secretary becomes a mere rubber-stamp authority for
approving government interception requests.
• c. Interestingly, the Srikrishna Committee report mentioned that an application
filed under the RTI Act revealed that the review committee has the task of reviewing
15,000-18,000 interception orders in every meeting. This unrealistic target poses a
threat to the safety and security of the personal data of individuals. The committee noted
that surveillance should not be carried out without a degree of transparency that
can pass the Puttaswamy test of necessity, proportionality and due process.
32. 2. Multiplicity of institutions
• The issue of multiplicity of cyber security agencies was
highlighted by the Standing Committee on IT in its
52nd report. Having several institutions tasked with securing
the cyberspace leads to a lack of coordination between
them.
• In 2015, the standing committee on IT in its 17th report
outlined the action taken by the government on the
recommendations of the JWG to deal with the issue of
multiplicity of cyber security agencies.
• The report noted that the government, in July 2014,
had identified the objectives that would promote the
overall cooperative framework for a PPP on cyber
security. However, an action plan for implementing
these recommendations was still being worked out.
33. • The issue as such appears to be unresolved with the following agencies dealing
presently with the issue of cyber security:
• a. Cyber and Information Security Division, MHA: This division under the MHA is
tasked with handling the matters related to cyber security and cyber-crimes.
• b. CERT-In: CERT-In functions under the aegis of MeitY. Its main functions include
responding to cyber-security incidents and issuing security guidelines, advisories
and alerts.
• c. NCIIPC: It acts as the national nodal agency for the protection of CII in India.
• d. NCCC: It is responsible for creating situational awareness about existing and
potential cyber security threats and enabling timely information sharing for ‘proactive,
preventive and protective’ actions by individual entities.
• e. Indian Cyber Crime Coordination Centre (“I4C”): The I4C scheme consists of
seven components, which will be established on a rolling basis by the MHA in 2018-
2020. These include a National Cybercrime Threat Analytics Unit, a National Cybercrime
Forensic Laboratory Ecosystem and a National Cyber Research and Innovation Centre.
• f. National Cyber Security Coordinator (“NCSC”): It was formed under the NSCS as
the nodal agency for cyber security. The NCSC coordinates with different agencies at
the national level for cyber security matters.
• g. Defence Cyber Agency: The agency has been established to address the issues
pertaining to military cyber security and cyber warfare. It is governed by the
Defence Intelligence Agency under the MoD.
2. Multiplicity of institutions