In the light of the recent hacking of the website of the Indian Space Agency’s commercial arm, Antrix Corporation, and the government’s Digital India programme, cyber law expert and Supreme Court of India advocate Pavan Duggal speaks to EC’s Mohd Ujaley. He says, “The push towards building massive IT infrastructure that will transform the country into a connected economy and realise the vision of Digital India, necessitates the need for a strong cyber security mechanism to keep the citizen data safe and secure.”
A massive digitisation drive is underway currently under the Digital India programme. Is the cyber security system in India robust enough to safeguard the public data that will go online under this programme?
In today’s world, the word crime has become inseparable from the word cyber. Under the Digital India programme, a lot of vital information and public data will be put online for providing all kinds of services to the people. One of the touchstones on which the success of the Digital India programme will be analysed is the aspect of cyber security. Ultimately, the Digital India programme can only be as secure as its weakest link. Unfortunately, not much is happening for ensuring that proper security is in place for all the IT systems that we are creating. Presently our focus is not on cyber security. I would say that we should try to learn from China; in July the country came up with a new law, which states that cyber sovereignty is an integral part of national security. India has also made some laws in the area of cyber security, but we need to do a lot more. Our National Cyber Security Policy of 2013 is only a paper document; a lot more needs to be done in this area.
You are saying that not much has happened in the area of Cyber Security Policy of 2013, so what should be done to improve the situation?
India requires a new legislation that is wholly dedicated to cyber security. It is not sufficient to merely put cyber security as a part of the IT Act. We have to see cyber security not only from the sectoral perspective, but also from the national perspective. In our country, the critical IT infrastructure is primarily in private hands, hence it is imperative to define the duties of the private sector, and also the government entities, in the area of cyber security. Even the IT Act of 2008 does not do much in this area. A dedicated cyber security legislation is a key requirement for us. Once again, I will reiterate that we need to learn from what China has done in this area.
In your view what is the reason for India being unable to pass a dedicated legislation on cyber security?
Such legislation has never been a priority for the country. In 2002, when we passed the IT Act 2002, the focus was on having a legislation to promote e-commerce. As a nation, we were not concerned about cyber security then. After the Mumbai terror attack, the government amended the 2002 Act in 2008 and this led to an enlargement of the umbrella of cyber crime. From 2008 to 2015, a lot of water has flowed under the bridge. Today the cyber criminals are capable of launching much more sophisticated attacks as compared to those in 2008. We need to take our fight against cyber crime to a new level in order to meet the challenges of 2015 and the coming years. Unfortunately, we are not able to move forward in the direction of having stringent legislation.
Are you saying that for a robust security framework in Digital India, a dedicated legislation is a must?
Absolutely, because legislation will be the important component for the new government to move forward if it has to make its Digital India programme a success. The IT Act of 2008 lacks the basic parameters to make Digital India a success. But I agree, you can’t blame the law because it did not have even the vision in the year 2002. But now as the focus on participating governance increases, the priority of the government is to ensure that governance is delivered on the mobile platform to ensure the emergence of a knowledge economy. And, for all this we do need a new legislation in the area of cyber security.
Other than having a dedicated legislation to combat cyber crime, what else can the nation do to fight this menace?
We need to do far more than what is being currently done on capacity building among the law enforcement agencies for cyber security. We need to realise that we are behind the curve on handling cyber security. In the current scenario, the cyber security breaches are not being given enough attention by the law enforcement agencies. This needs to change. We can’t have national security unless we pay adequate attention to cyber security. A successful attack on the IT systems of a vital infrastructure like power grid, airport, etc., can have an impact on the economy of the country.
Many of the cyber attacks on private enterprises and government organisations go unreported. What can be done to ensure that the security breaches get reported and investigated?
Unfortunately, the under-reporting of cyber security incidents is a norm these days. People in our country do not report cyber breaches, because they feel that they may not get a conducive response from governmental agencies. They also fear that if they report a security breach, the reputation of their company might take a hit. Also, currently it is not mandatory for companies to report the breaches.
Are you of the view that a regulatory body like SEBI should make it mandatory for companies to report cyber breaches in the same way that they report other aspects of their performance?
The primary responsibility is of the government. They need to come up with a strong provision. The IT Act 2000 recognises the concept of intermediaries or service providers who provide any service on the network—they are mandated under Section 79(2)(c) of the IT Act to conduct due diligence while they discharge their obligation. Now the government needs to specify the protection and preservation of cyber security as an integral part of the due diligence conducted by the intermediaries. Also, the sectoral regulator must play a proactive role. For instance, on 6 July 2015, SEBI came up with a new set of guidelines for all the repositories and depositories in the context of their protecting cyber security. This is a very limited exercise, but it is a small step in the right direction.
Do you think that India needs to come up with a system to compensate people when they make losses due to cyber security breaches?
Absolutely, we need to define the rights, duties and obligations of all the key stakeholders. The government should come up with cyber security guidance for breach victims. It can list steps that an organisation should take to prepare for a potential breach. Currently we have some limited ground under the IT Act 2008 but those are not adequate as it was never really drafted keeping in mind the exigencies of protecting cyber security.