Reforming India’s cyber framework: Security, privacy & more

Earlier this month, a national conference on cyber security (Cyberix 2016) was held under the aegis of the PHD Chamber of Commerce and Industry. At the conference, RK Sudhanshu, joint secretary for cyber laws and e-security, announced that India will overhaul its existing cyber law framework to bring in new encryption and privacy policies.

India is not an exception.

With governments worldwide rushing to regulate encryption services, primarily because of the sudden proliferation of criminal activity over the internet, the need for a robust cybersecurity framework has never been more critical.

Use of technology for terror attacks in India

From Mumbai to Pathankot, the use of the Internet and cyber technologies by terrorist organisations has steadily gained momentum. As a report published by the United Nations Counter-Terrorism Implementation Task Force notes, the use of the Internet for terrorist purposes is a rapidly growing phenomenon, requiring a proactive and coordinated response.

Between 2001 and 2015, India faced 57 terror incidents, all attributable, in varying degrees, to loopholes in the existing cyber security framework.

As noted by Arun Mohan Sukumar, head of the cyber security and internet governance initiative at the Observer Research Foundation, India’s infrastructure is susceptible to four kinds of digital intrusion:

“Espionage, which involves intruding into systems to steal information of strategic or commercial value; cybercrime, referring to electronic fraud or other acts of serious criminal consequences; attacks, intended at disrupting services or systems for a temporary period; and war, caused by a large-scale and systematic digital assault on India’s critical installations.”

Legal Landscape in India

The Information Technology Act, 2000 (Act), in Section 66F, defines the term ‘cyber terrorism’ to mean:

“Whoever with the intent to threaten the unity, integrity, security, or sovereignty of India or strike terror in the people denies authorized personnel access to computers, attempts to penetrate or access a computer resource without authorization, or introduces malware to any computer, is considered to be committing an act of cyber terrorism.”

And the National Cyber Security Policy, 2013, albeit ambitious, leaves room for improvement. While it does an efficient job of protecting the data of individuals and corporations, it falls short of according the same level of importance to strategic digital assets.

Given the rise in cyber crime and cyber terrorism, it is imperative to have a robust cyber security system which can not only identify but also rectify any security breach promptly.

Also, under the extant regime, cyber security management is spread among various agencies designed to tackle specific cyber concerns, with a second layer of governance functions being carried out by the Ministries of Home Affairs, External Affairs, Defence, and Communications and Information Technology.

In India, while there is no law which specifically grants citizens a right to privacy, the Courts have enforced such a right by reading it into:

  • the right to life under Article 21 of the Indian Constitution; and
  • the common law right to privacy under the law of tort.

While the right to privacy spans sectors such as medicine and finance, this article limits itself to the right to privacy in the digital space. The primary legislation governing digital privacy and security is the Act. Within it, Sections 69 and 69B frame the legal landscape for interception and monitoring, and hence for cyber security.

It is under these sections that the Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009 have been framed.

Apar Gupta, a Delhi-based advocate who frequently tackles the implementation of the IT Act, explains the difference between Sections 69 and 69B:

“Section 69 is primarily modelled after the safeguards provided for under the Indian Telegraph Act, 1885. Section 69 is intended to be a provision which provides government the authority to intercept data for the purpose of ‘surveillance’ whereas Section 69B, which as it exists, is for the power which is created for the basis of ensuring network stability, because it’s applying to traffic data, not applying to individual packets of data.

And while Section 69B applies to metadata, Section 69 applies to the contents of the transmission itself.”

Directions under Section 69 can be issued by the Secretary, Ministry of Home Affairs, whereas directions under Section 69B can be issued by the Secretary of the Department of Information Technology.

The Act also addresses data protection through Section 43A and the Rules framed thereunder. It requires a body corporate that ‘receives, possesses, stores, deals, or handles’ any ‘sensitive personal data or information’ to implement and maintain ‘reasonable security practices’, failing which it is liable to compensate those affected.

The most noteworthy discussion on recognising privacy as a right is found in the Justice A.P. Shah Committee Report on Privacy, which forms the basis of the Privacy Bill, 2014.

The Committee studied international best practices and recommended, among other things, the establishment of Privacy Commissioners at the State and Central levels, who may investigate complaints and impose fines, and the establishment of Self Regulatory Organisations, akin to the Bar Council of India, which would set a baseline legal framework and standards to be followed.

Apar adds:

“It’s not only the substantive safeguards, but to some extent it is also the process which should be addressable to a normal user in which they can enforce these substantive rights that have been conferred on them.”

The false dichotomy of privacy and security

While most would argue that privacy and security conflict, the relationship is better treated as an “optimization problem”. Privacy is a precondition for security, just as security is a precondition for privacy. What it demands is oversight and regulation. In fact, data retention is required in most jurisdictions for law enforcement, intelligence and military purposes.

A recent decision by the Court of Justice of the European Union held that general and indiscriminate retention of metadata is not permissible, but that targeted retention is, so long as it is used for the purpose of fighting serious crime and is accompanied by sufficient safeguards.

However, a blanket surveillance approach, such as the one adopted by the US administration, will lead to an Edward Snowden-like situation, where the single point at which everything is collected simply becomes another target of attack.

Therefore, while many policy-makers believe the only defence against emerging threats is increased control, such policies are far from effective in today’s complex and rapidly changing security environment. With the proliferation of internet-powered devices and increased connectivity, building a backdoor channel that serves only one particular government’s investigative powers, and no one else, has become nearly impossible: whatever is exploitable by one party is exploitable by others.

In this new decentralised cyber world, bad actors have the resources to build their own encryption tools and to use stronger security networks.

Recommendations

While framing a new set of rules, here are some things that may be kept in mind:

Cooperation with different States: Following Modi’s recent visit to the US, the two countries agreed to enter into a framework for cooperation on cyber issues, including closer cooperation between their law enforcement agencies to combat cybercrime, real-time sharing of information on malicious cybersecurity threats, and appropriate mechanisms to improve such information sharing.

Moving forward, India should enter into many such frameworks with other jurisdictions, for information sharing is key to establishing a robust cyber security framework.

Enhanced cooperation between public and private: In many States, just as in India, critical infrastructure systems in areas such as utilities, finance and transport have been privatised.

The recent ‘Directive on security of network and information systems’ adopted by the European Union (EU) also launched a new public-private partnership on cybersecurity, which is expected to trigger 1.8 billion euros worth of investment by 2020. To give effect to this, the EU entered into an agreement with the European Cyber Security Organisation for the purpose of industrial research and innovation.

Last month, Microsoft also launched a cyber security engagement centre in India, which will help fight cybercrime and strengthen cooperation with Indian businesses.

Talent acquisition: While the Union ministry of information technology estimated that India would require five lakh (500,000) cyber security professionals by 2015, the actual number was close to 50,000.

By 2020, the number of cyber security professionals ‘required’ in India is expected to jump to 1 million. To bridge this gap, India may adopt the system followed in the US, i.e. a cyber security workforce strategy which, among other things, seeks to expand the cyber security workforce through education and training and to make it a lucrative career, so as to attract talent.

Privacy: One suggested method is escrowed data retention, wherein the office of the Privacy Commissioner (as envisaged under the Privacy Bill, 2014) generates a cryptographic key pair for each user and gives one key to the Internet Service Provider/telecom operator, which can be handed over to an authorised agency only on judicial authorisation.
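The escrow arrangement sketched above, worked through as an added example. This is not part of the original article and not the design of any actual proposal; it is written here, using only Go's standard library, under one labelled assumption: the ISP receives the public half of each user's key pair and encrypts every retained record to it, while the Commissioner keeps the private half and releases it only against a judicial order naming that subscriber. The Commissioner, ISP, Warrant and Record types, the court name and the sample call record are hypothetical, constructed for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Record is a retained record as the ISP stores it: AES-256-GCM ciphertext (subscriber id bound
// as AAD) plus the per-record AES key, RSA-OAEP-wrapped to the subscriber's escrowed public key.
type Record struct {
	Subscriber                    string
	WrappedKey, Nonce, Ciphertext []byte
}

// Warrant stands in for a judicial authorisation naming one subscriber (hypothetical shape).
type Warrant struct{ Subscriber, Court string }

// Commissioner escrows every subscriber's private key, so this store is the single point of failure.
type Commissioner struct{ keys map[string]*rsa.PrivateKey }

// ISP retains traffic metadata but holds only public keys, so it cannot read what it stores.
type ISP struct{ Pubs map[string]*rsa.PublicKey; Store map[string][]Record }

func NewCommissioner() *Commissioner { return &Commissioner{keys: map[string]*rsa.PrivateKey{}} }
func NewISP() *ISP { return &ISP{Pubs: map[string]*rsa.PublicKey{}, Store: map[string][]Record{}} }

// Enrol generates a subscriber's key pair and hands back only the public half, for the ISP.
func (c *Commissioner) Enrol(subscriber string) (*rsa.PublicKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	c.keys[subscriber] = priv
	return &priv.PublicKey, nil
}

// Release hands out one private key only against a warrant that names that subscriber.
func (c *Commissioner) Release(w Warrant) (*rsa.PrivateKey, error) {
	priv, ok := c.keys[w.Subscriber]
	if w.Court == "" || !ok {
		return nil, errors.New("release refused: no judicial authorisation for " + w.Subscriber)
	}
	return priv, nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Retain seals one record under a fresh AES key and wraps that key to the subscriber's escrowed
// public key (hybrid RSA-OAEP + AES-GCM); the ISP never touches a private key.
func (i *ISP) Retain(subscriber string, plaintext []byte) error {
	pub := i.Pubs[subscriber]
	if pub == nil {
		return errors.New("no escrowed key for " + subscriber)
	}
	buf := make([]byte, 32+12) // fresh AES-256 key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return err
	}
	gcm, err := gcmFor(buf[:32])
	if err != nil {
		return err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, buf[:32], nil)
	if err != nil {
		return err
	}
	ct := gcm.Seal(nil, buf[32:], plaintext, []byte(subscriber))
	i.Store[subscriber] = append(i.Store[subscriber], Record{subscriber, wrapped, buf[32:], ct})
	return nil
}

// Decrypt is the agency's step with a released key. A key for a different subscriber fails at the
// OAEP unwrap, so one warrant unlocks one subscriber's records and nobody else's.
func Decrypt(priv *rsa.PrivateKey, r Record) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, r.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, r.Nonce, r.Ciphertext, []byte(r.Subscriber))
}

func main() {
	comm, isp := NewCommissioner(), NewISP()
	isp.Pubs["alice"], _ = comm.Enrol("alice")
	// Constructed sample record, not a real call record.
	if err := isp.Retain("alice", []byte("2016-12-01T10:00:00Z alice -> bob 412s")); err != nil {
		panic(err)
	}
	priv, _ := comm.Release(Warrant{Subscriber: "alice", Court: "Delhi HC"})
	pt, err := Decrypt(priv, isp.Store["alice"][0])
	fmt.Printf("%s (err=%v)\n", pt, err)
}
```

Two properties are worth checking against the paragraph above: the ISP cannot read what it retains, and a key released for one subscriber fails on every other subscriber's records, so the scope of disclosure is exactly the scope of the order. The weakness is equally visible in the code: the Commissioner's key store holds every private key, which is the kind of single point of failure the previous section warns about, so in practice that store would need hardware-backed protection and split control rather than a map in memory.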

According to Apar:

“The Government needs to engage in this conversation on the basis of a user rights interest as well, and that should be factored in while having the discussion on National Security, which is undeniably a very strong state interest and will always be there.

But National Security by itself needs further definition, a level of justification based on data and evidence, because it leads to curtailment of rights most immediately and leads to expansion of state power.”
