Considering how large the cyber security threat is, there is a dire need to show urgency, tackle the problem and counter such threats.
The threats today are contemporary and new. The marriage between the internet and crime and terror has led to various security agencies stating that the future would be all about fighting cybercrime.
The latest WhatsApp breach is a clear indicator of how serious the threat is. Several persons were targeted for surveillance, using Israeli spyware Pegasus via WhatsApp. The government has demanded strict action and even sought an explanation from WhatsApp. Although WhatsApp stated that it had warned India about the same, the agencies said that it was vague.
The threat on cyber space:
In this context one must look at the policy India had formulated in 2013. It does not appear to be working and in 2017 India was ranked at the 23rd spot in global security arrangements. A cue could be taken from Britain which was ranked 12th in 2017 and 1st in 2018 when it came to global security arrangements.
Considering how large the threat is, there is a dire need to show urgency to tackle the problem. To counter such threats, it is also important that a large amount of money is spent. In Britain where a cyber-attack would take place every 50 seconds, the government allocated £1.9 billion in its budgetary allocation for five years starting 2016.
Statistics would reveal that the net banking and credit card scams in 2018-2019 stood at 1,477. In December 2018, the digital transactions were recorded at Rs 2,069 crore and by 2021 it is expected to be at Rs 8,707 crore.
Understanding the gravity of the situation, Rear Admiral Mohit Gupta, head of the newly created Defence Cyber Agency (DCA) said that the country needs a separate law, budgetary allocation and a task force to tackle cybercrime at the national level.
India today ranks 3rd in terms of the highest number of internet users, after the USA and China. There has been a 6-fold growth between 2012 and 2017 and a compound annual growth of 44%. India is one of the top ten spam sending countries in the world. Symantec Corp in its report had said that India was ranked among the top five countries to be affected by cybercrime.
In this context several experts have said that those government agencies that are implementing IT projects shall allocate an appropriate budget with the security requirement of the IT Act of 2000 and State cybersecurity policy. Pavan Duggal, an expert on cyber security and advocate, Supreme Court said in a 2018 article that the 10% figure of allocation to cybersecurity in the entire IT budget is meagre. In the Financial Express article, Duggal said that in order to become a digitally empowered nation, there needs to be a bigger budget allocation for cybersecurity. He further states that India needs a leapfrogging mechanism rather than a traditional one.
The threat perception:
Statistics would reveal that 96% of the threat factors are external while the remaining are internal. 96% of the motive has been financial, while the rest have been espionage.
The top players have been cyber criminals, who seek commercial gain; cyber terrorists, who penetrate and attack; cyber espionage aimed at penetrating corporate and military databases; and cyber hacktivists, who have a political agenda. Statistics have also revealed that the majority of the cyber-attacks on India originate from China, Singapore, Russia and the Commonwealth of Independent States countries.
A report published by Indian cybersecurity research firm Quick Heal says that the Indian cities of Delhi, Mumbai, Bengaluru and Kolkata were hit the most by cyber-attacks through 2019. The report further said that there were 973 million instances of attacks that were registered through the year and this meant an estimated 1,852 Windows machines were affected every minute of the year.
A report released by Subex in August said that India was the most attacked nation in the IoT space last quarter. The researchers registered 33,450 high grade attacks of which 500 were of very high sophistication. The study also identified 2,550 unique malware samples in the country.
The recently released NCRB statistics for 2017 said that there were 21,796 cases reported. This was a huge jump if one looks at the statistics for 2014, 2015 and 2016 where the number of cybercrimes reported stood at 9,622, 11,592 and 12,317 respectively.
According to a Niti Aayog report, the internet by 2020 would look somewhat like this. There would be 730 million internet users and 75% new users from rural areas. 75% new users would consume data in vernacular languages and there would be an 83% CAGR mobile video growth. In addition to this there would be 175 million online shoppers and 70% of the e-commerce transactions will be via mobile. Further, the travel transactions online will be at 50%. These are not small numbers and as India grows bigger on the internet, it becomes even more necessary to secure our cyber space.
India has witnessed some major attacks, which include the Union Bank of India heist, the WannaCry ransomware, the data theft at Zomato, the Petya ransomware and now Pegasus.
A long battle:
BJP MP Rajeev Chandrasekhar has been extremely vocal about issues such as privacy, net neutrality and data protection. He has raised these issues on several occasions and had been very vocal about the manner in which Aadhaar had been introduced at first by the UPA. He had said that it was a classic example of how a government system would push for technology in governance without addressing the key bits of the ecosystem around the citizen as well as the consumer.
In June 2013, media reports disclosed information about an extensive electronic surveillance programme deployed by United States agencies to collect internet and telecom data. As per media reports, United States agencies used a number of methods to gather intelligence, including intercepting communication on fibre cables and infrastructure, and collecting information from servers of global internet and Telecom Service Providers. Such companies include Google, Facebook, Microsoft, Apple, Yahoo, AOL, YouTube, Paltalk and Skype.
Rajeev Chandrasekhar said that the IT Act and Section 66 A were all flawed. Its language and vagueness had potential for misuse, and this was another example of the faults of bureaucracy or a political system of legislators trying to create solutions in the digital world. He also said that there has to be more debate on data privacy as there is an attempt to characterise it as some kind of an elitist issue, which it is not.
In 2010 there was an embarrassing incident in which the website of the Central Bureau of Investigation had been hacked. In fact, the site remained down for over three days. The government of the day while amending the IT Act had made a provision stating that a mere attempt to access a protected system would invite a jail term of up to 10 years. The big question was whether this would deter a Pakistani or Chinese sitting in his country from accessing a protected system.
Moreover, at the time of the amendment, the highly sensitive websites in India which were under the government had not been notified as protected systems.
While raising concerns about the US Prism Project, Rajeev Chandrasekhar had asked in the Rajya Sabha in 2013, whether the government had recently announced a policy to address the increasing cyber threats in the country. He had also asked for, “if so, the details thereof including the proposed structure of the agencies that would be set up as part of this policy and how these bodies would coordinate with the existing multiple agencies that are required to counter this threat, including local law enforcement agencies”.
Since long, Rajeev Chandrasekhar has said, digital rights, data protection and privacy have been on his agenda. To put forth his point, he had even tried moving a private member bill in 2010, which never saw the light of the day.
He has also been very vocal about the manner in which Aadhaar was introduced by the UPA and said that the manner in which it was introduced was a classic example of the manner in which the bureaucracy pushed technology without taking into account the attendant concerns.
He also pointed out that the UPA era Aadhaar had several issues. He was also very vocal about Section 66A as all this involved freedom of speech, security, digital security and autonomy. He had also gone on to say that national security must coexist with privacy and freedom of expression. As India becomes an online nation, there has always been a need for data protection, net neutrality and privacy, he also said.
In 2017, when the Rajya Sabha returned the Aadhaar Bill to the Lower House with some amendments, Rajeev Chandrasekhar delivered an address. He said that this government’s (NDA) efforts to reform public subsidy spending are unprecedented and he supports them fully. The focus on delivering cash subsidies to bank accounts of the needy with over Rs 36,000 crore deposited in 22 crore accounts is testimony to the focus on execution and getting things done by this Government, he said.
He termed the opposition to Aadhaar by the opposition as amusing and perplexing and added that neither the Left nor the Congress raised a murmur when Aadhaar was being rolled out since 2010 violating everything that they are complaining about – Privacy, without legal sanction etc.
He had also said that Aadhaar is simply a biometric data that contains only three pieces of information of the person - Name, Age and Address along with his/her biometrics. The country must know that this UPA-initiated database, ostensibly for the purpose of Identification, doesn’t have even the basic citizenship information. Let it be known to all that several thousand crores were spent compiling a database that will not even identify a person as a citizen. This question needs to be answered by those in the UPA who sanctioned this expenditure. Was it their contention that subsidies and identities will be spent on people who aren’t citizens?
He had further added that the UPA ought to have brought this Bill into Parliament before crores of taxpayer money were shovelled into this project. Perhaps they did not want a debate or discussion, or perhaps they were chasing numbers to show and talk about, rather than creating a substantive functional platform.
The MP also raised a few questions about subsidies and why it was being allowed to all residents. Is it the government’s contention that non-citizens should get taxpayer-funded subsidies and benefits? I would like the Government to clarify that this is not their intention, but rather forced on them due to how Aadhaar was built, he asked.
“Sir, Clause 4(3) suggests that the government intends to allow Aadhaar as Identity proof. Sir, I firmly and will steadfastly oppose this. The Government must realise the dangers of using an unverified or poorly verified database as identity proof. Sir, let me explain – Person X crosses over the border into, say, Assam, takes on an Indian name and easily enrols himself in Aadhaar with little verification. This is made easy because the Aadhaar enrolment process does very little verification and absolutely no verification of citizenship. If Aadhaar is then used as Identity proof, for say, passports or voter IDs or tax PAN Cards – you create a dangerous situation of easy identity conversion. It is a trapdoor for infiltration into formal identity processes like passports, voter IDs, and becomes an Identity Laundering Platform. The only way 4(3) can survive, Sir, is with an express prohibition on use of Aadhaar in all non-subsidy related Identity proofs. As I have written in 2014 and 2015 to the Government, the Aadhaar database needs a significant audit and clean-up over time before it can be used for anything else. I am aware that this Government isn’t responsible for this messy situation, but it is definitely responsible to ensure protection against improper use of this. The language needs change and it needs to be explicit, and not ambiguous.”
The then Minister of State Communications and Information Technology, Milind Deora had said that to address the issues of cyber security in a holistic manner, the government had released the national Cyber Security Policy of 2019 for public use and implementation by all relevant stakeholders.
However, there were several issues that this policy had not addressed. For instance, the provisions to take care of security risks due to use of new technologies such as cloud computing were not addressed. Tackling the risks due to the increased use of the social media by anti-national elements and criminals had not been addressed. Further, it was also pointed out that there was an urgent need to add cybercrime tracking, to create a platform to share and analyse information, and to build cyber forensic capacity.
Following the Prism incident, Rajeev Chandrasekhar had suggested that it would be advisable for the government to reach out to the US and discover actual facts. If it is found that the privacy of Indians was breached, the Government of India must contemplate steps to fix the issue.
He also pointed out that national security, lawful interception and monitoring are critical to our national objectives, but this is the time to remain balanced and lead an inter-governmental dialogue for establishing a truly multi stakeholder discourse on how to improve privacy and overall internet governance.
The wars of the future:
In 2018, the Cabinet Committee on Security cleared the formation of a Defence Cyber Agency, Defence Space Agency and Special Operation Division. This was a major decision and the same had been taken after the Chief of Staff Committee had recommended the same in 2012.
This was a major move and the development came in the wake of a new military doctrine that was released in 2017. The doctrine underlined the need to prepare for future combat and spoke about the emerging threat from cyber space.
Experts have said that the new wars would be fought on cyber space. The DCA would move away from the compliance audit of cyber warfare to an audit based on the potential threat perceptions and risks. Further the DCA would also exploit the technology that is available with the young technocrats and software entrepreneurs.
The Defence Cyber Agency would have 1,000 personnel and would work in coordination with the National Cyber Security Advisor. These personnel would be distributed to the Army, Navy and IAF and the focus would be on safeguarding the critical infrastructure.
Intelligence assessments on cyber threats say that the attackers are constantly looking for vulnerabilities. They will always look to breach our firewalls and hence it is time to ensure that the action is strong and constant.
The way forward:
Rear Admiral Gupta, who heads the DCA, while speaking about the need for a bigger budgetary allocation, also spoke about the need for a cyber strategy. He said that the cyber security strategy for the country was in the works.
He also said that the current Information Technology Act did not have the adequate provisions for cyber security, while also adding that the Act passed in 2008 needed a serious overhaul. While pointing out the need for a dedicated Cyber Security Act, he also says that there are countries which have a separate Cyber Security law, while others have by-laws built into the IT Act.
While speaking about a dedicated budgetary allocation, he said that the government must allot at least 10% of the IT budget for cyber security. He also said that unlike 2013, where the IT Policy was released by the IT ministry, this time it would be done by the Prime Minister’s Office, which is a clear indicator that cyber security would not be the domain of a single ministry.
The Cyber Security Strategy Policy would be released in January. This would be a major step forward in securing our cyber space and also realising the $5 trillion economy. According to Rajesh Pant, the national cyber security coordinator, the most important requirement for internet safety is increased effective coordination between the ministries that are overseeing the various aspects of cyber security, proper critical infrastructure protection and public-private partnership. Since the critical information infrastructure does not only lie with the government, the partnership with the private sector becomes essential.
Several experts have spoken often about a bigger budget allocation for cyber security. Israel spends $20 million annually. Considering India’s size, the rough estimate required would be Rs 25,000 crore annually, according to Ajeet Bajpai, director general of the National Critical Information Infrastructure Protection Centre.
Bajpai also says that there is a need for high-decibel awareness on the issue and hence it would be necessary to make it a mandatory subject at the university level.
While Rs 25,000 crore is a huge amount, the question is where would India generate it from? Data is the new oil. India could, by taxing, use data mining as the new revenue generating avenue. By taxing data being mined from India, we can open up a new pool for generating tax revenue, says national co-coordinator of the Swadeshi Jagran Manch Ashwini Mahajan.
Last Updated 8:10 PM IST