India Needs to Reboot Cyber Laws Before Signing Up with U.S.

Commentary | June 27, 2016

In a blog post for The Economic Times, EWI Distinguished Fellow Kamlesh Bajaj advocates for a shift in India's approach to digital governance following the recent cybersecurity meeting between U.S. President Barack Obama and Indian Prime Minister Narendra Modi.

The White House ‘Framework for the U.S.-India Cyber Relationship’ release issued on June 7, soon after the Modi-Obama summit in Washington, has taken cyberspace cooperation to a new level. It was on March 1 last year—the silver jubilee celebrations of Nasscom—that Prime Minister Narendra Modi had highlighted the concern of global leaders for cybersecurity, which according to him presented an opportunity for the Indian IT industry to innovate in services and products, in an attempt to capture parts of the global market. As an avid user of IT, the internet in particular, he is very much aware of the potential of cyberspace for the growth of the Indian economy, as also of the threats and cyberattacks that can disrupt the Digital India programme. No wonder that he has kept cybersecurity on top of his agenda with the US.

Key areas of cooperation that can be gleaned from this text relate to sharing of cybersecurity best practices; practical cooperation to mitigate cyber threats; joint R&D with focus on standards, security testing of products; cooperation between law enforcement agencies (LEAs) on cyber crimes; capacity building of LEAs in cyber forensics; skill development in solving cyber crimes and updating legal frameworks.

What stands out is “sharing information on a real-time or near real-time basis, when practical and consistent with existing bilateral arrangements, about malicious cybersecurity threats, attacks and activities, and establishing appropriate mechanisms to improve such information sharing”. It is a positive development, since India too is a victim of major cyberattacks, and with information about attackers being locked in servers in the U.S.

However, India needs to scale up its own capabilities—notably in online national network of criminals, online feeds on cyber threats from networks across the country into a central repository for collating and relaying them to all those likely to be impacted. Above all, the capabilities of LEAs in understanding the nature of threats, the changes in digital forensics analysis tools and techniques, and the manner of collecting evidence to present in courts of law—these have to be long-term sustained efforts, because the threat landscape and attack vectors are changing rapidly.

Digital India will spawn more cyber crimes. Because of the borderless nature of the cyberspace, evidence has to be collected from trails that maybe in networks and servers anywhere in the world. Partnership with the United States augurs well for India, because most of the services emanate from there; accessing these trails requires cooperation with the U.S. But we need to update our own laws too.

There is no encryption policy under section 84A of the IT Act 2008, even after eight years. The government was supposed to have promulgated it long ago. Moreover, data retention by service providers and enterprises—the metadata—under section 67C was to be mandated by the government. There is no word on that either. Then there is the need of state-of-the-art forensic labs—and these are to be set up, and notified as expert examiners of digital evidence under section 79C of the IT Act. Due to lack of these facilities, the forensic data collected in several crimes cannot be presented in courts; criminals go unpunished.

Training our police officers in cyber forensics is a mammoth task considering the sheer numbers in all the states. Bureau of Police Research and Development is ill equipped to carry out this job. Data Security Council of India (DSCI), a Nasscom initiative, had set up cyber labs in cyber crime police stations in eight major cities, to train police officers in cyber forensics, some eight years ago. But to expand and sustain the programme, the ministry of home affairs refused to own the programme at the minimum level—costing no more than Rs 5-10 crore.

While the U.S.-India agreement is a great step, India must wake up to digital governance that calls for change of mindset in the ministries and bureaucracies. Can they keep pace with PM Modi?

Dr. Kamlesh Bajaj was the founder and CEO of the Data Security Council of India (DSCI). He was also the founder and director of the Computer Emergency Response Team (CERT-In). 

To read this article on The Economic Times, click here.