Cyber Security in India: Threats, Critical Infrastructure, and Governance Architecture
Cyber threats now span ransomware on hospitals, grid intrusions, phishing, deepfakes, and disruption of payments. India’s expanding digital footprint—UPI, Aadhaar, Smart Grids—makes resilience vital. This note outlines key threats, what counts as critical infrastructure, India’s institutional setup, major incidents, and priority actions.
Key Threats
- Ransomware and data theft: AIIMS Delhi (2022) showed how hospital systems can be paralysed; ransomware hits municipalities, MSMEs, and sometimes critical suppliers.
- Phishing and social engineering: Credential theft via emails/SMS/calls fuels financial fraud; deepfake audio/video raises new social engineering risks.
- DDoS and service disruption: Flooding servers to take down sites or overwhelm critical services.
- Supply-chain and zero-day exploits: Attacks on software updates or vendors can cascade to many victims.
- State-sponsored espionage/sabotage: Targeting power grids, telecom, defence, and key data stores.
Critical Information Infrastructure (CII)
- Definition: Systems whose disruption impacts national security, economy, public health, or safety—power grids, financial networks, telecom, transport, nuclear, and major government data systems.
- Protection: Air-gapping or strong network segmentation; whitelisting; strict access control; insider risk mitigation.
- Custodian: National Critical Information Infrastructure Protection Centre (NCIIPC) issues advisories and coordinates protection for CII.
Institutional and Legal Architecture
- CERT-In: National incident response agency; mandates maintenance of system logs and reporting of specified incidents within 6 hours; issues advisories and coordinates response.
- Cyber Swachhta Kendra: Botnet cleaning and malware analysis centre with free tools.
- I4C (Indian Cyber Crime Coordination Centre): Helpline 1930 for cyber fraud, platform for state police coordination; focuses on investigation/awareness.
- Defence Cyber Agency: Handles military cyber ops and defence of networks; separate from civilian CERTs.
- Laws: IT Act 2000 (amended), CERT-In directions (2022), DPDP Act 2023 on personal data; UAPA and IPC/CrPC for cyber terror/crime.
Recent Incident Lessons
- AIIMS breach: importance of network segmentation, offline backups, patching, and basic cyber hygiene even in public sector institutions.
- Power grid targeting reports: need for OT/IT segregation, strict USB/device policies, and red-teaming of control systems.
- Telecom fraud surge: SIM swap, spoofing, mule accounts—requires KYC enforcement and rapid payment blocking via 1930/I4C.
Sectoral Readiness
- Finance: RBI cyber security frameworks, board oversight, and drills; banks/UPI rely on velocity checks, MFA, and 24x7 fraud blocking.
- Health: Hospitals often under-secured; need basic hygiene, segmentation, and frequent backup/restore tests.
- Energy/OT: Sectoral CERTs (CERT-Trans etc.), strict vendor access control, and isolation between control and corporate networks.
- Government cloud and data: NIC/state data centres must enforce least privilege, strong logging, and regular audits.
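The Finance bullet names velocity checks as one of the controls behind UPI fraud blocking. The following is an added illustration of what such a check looks like in code; it is not code from any bank, NPCI or RBI framework. The thresholds (5 transactions or ₹50,000 per payer in a 10-minute window), the account names and the transaction lines are all constructed for the example, and records are assumed to arrive in timestamp order. The sample models a burst of payments from one payer to several fresh payees, the pattern seen when a phished credential is used to drain an account.

```python
"""Sliding-window velocity check over UPI-style payment records.

Added example: the thresholds, account names and transaction lines below are
constructed for illustration and are not real bank or NPCI limits.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: "timestamp,payer,payee,amount_in_rupees".  The burst from
# payer-A to several fresh payees mimics an account being drained after
# credential theft; payer-B makes two large payments close together.
SAMPLE_TXNS = [
    "2024-05-01T10:00:00,payer-A,shop-1,500",
    "2024-05-01T10:01:00,payer-A,shop-2,700",
    "2024-05-01T10:02:00,payer-B,shop-1,20000",
    "2024-05-01T10:03:00,payer-A,mule-1,9000",
    "2024-05-01T10:04:00,payer-A,mule-2,9500",
    "2024-05-01T10:05:00,payer-A,mule-3,9900",
    "2024-05-01T10:06:00,payer-A,mule-4,9900",
    "2024-05-01T10:07:00,payer-B,mule-5,35000",
    "2024-05-01T10:30:00,payer-A,shop-1,300",
]


def parse_txn(line):
    """Split one CSV record into (timestamp, payer, payee, amount)."""
    ts, payer, payee, amount = line.strip().split(",")
    return datetime.fromisoformat(ts), payer, payee, int(amount)


class VelocityChecker:
    """Per-payer rolling window of recent payment attempts.

    Both limits are assumed values for the example.  Attempts are recorded
    whether or not they are flagged, so a caller that blocks a flagged
    transaction still sees that attempt counted against the payer.
    Records must be fed in timestamp order.
    """

    def __init__(self, max_txns=5, max_amount=50_000, window=timedelta(minutes=10)):
        self.max_txns = max_txns
        self.max_amount = max_amount
        self.window = window
        self.history = defaultdict(deque)  # payer -> deque of (timestamp, amount)

    def check(self, ts, payer, amount):
        """Return a list of (reason, observed_value) pairs; empty means allow."""
        recent = self.history[payer]
        # Drop attempts that have aged out of the window.
        while recent and ts - recent[0][0] > self.window:
            recent.popleft()
        count = len(recent) + 1
        total = sum(a for _, a in recent) + amount
        reasons = []
        if count > self.max_txns:
            reasons.append(("count", count))
        if total > self.max_amount:
            reasons.append(("amount", total))
        recent.append((ts, amount))
        return reasons


def run_velocity_checks(lines, checker=None):
    """Feed records in order; return [(index, payer, reasons)] for flagged ones."""
    checker = checker or VelocityChecker()
    flagged = []
    for i, line in enumerate(lines):
        ts, payer, _payee, amount = parse_txn(line)
        reasons = checker.check(ts, payer, amount)
        if reasons:
            flagged.append((i, payer, reasons))
    return flagged


if __name__ == "__main__":
    for idx, payer, reasons in run_velocity_checks(SAMPLE_TXNS):
        print(f"flag txn #{idx} from {payer}: {reasons}")
```

Run on the sample, the checker flags payer-A's seventh record (sixth attempt inside the window) on count and payer-B's second record on cumulative amount, while payer-A's later small payment at 10:30 passes because the earlier burst has aged out of the window. A production system would layer this with per-payee and new-payee rules and feed flagged transactions to the 24x7 blocking desk; the sliding window alone is the point being shown.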
Preparedness and Best Practices
- For government/enterprises: Regular audits, patch management, MFA, segmentation, immutable/offline backups, SOC with 24x7 monitoring, tabletop exercises, and vetted cloud practices.
- For CII/OT: Strict change control, whitelisting, protocol restrictions, and physical security; limit remote access; regular drills for incident response and isolation.
- For citizens: Awareness on phishing, strong passwords/MFA, reporting via 1930 and cybercrime.gov.in, and verifying links/calls before transacting.
Governance and Policy Issues
- National Cyber Security Strategy: An updated strategy is awaited to address workforce, PPP models, incentives, and international alignment.
- Attribution and response: Proving state involvement is hard; calibrated diplomatic and technical responses are needed to avoid escalation while deterring hostile activity.
- Procurement/security-by-design: Secure coding, SBOMs, vetted hardware, and contractual security requirements for vendors reduce supply-chain risk.
- Capacity gaps: Skilling responders, cyber ranges, and retained experts for states/PSUs are essential; many breaches exploit basic hygiene lapses.
- Privacy and data minimisation: Security must align with DPDP Act; minimising data collected and strict access control reduce breach impact.
International and Policy Context
- Budapest Convention: India is not a party (concerns on sovereignty/data sharing). India prefers UN processes and bilateral/legal assistance treaties.
- Standards and cooperation: Engagement with QUAD, INTERPOL, and other partners on cyber threat intel and capacity building.
- Data localisation vs flows: Security needs must be balanced with interoperability and trade; DPDP Act enables cross-border transfers via government-notified safeguards.
Emerging Areas
- AI and deepfakes: Need detection tools, provenance standards, and awareness to curb misuse for fraud/disinformation.
- IoT and 5G: Expanded attack surface; certification, secure-by-design norms, and supply-chain vetting are crucial.
- Crypto crimes: Money laundering, ransomware payments; PMLA amendments bring VASPs under reporting; better blockchain analytics and coordinated enforcement are needed.
Metrics to Track
- Incident reporting volumes and response times; sectors most hit.
- Audit and compliance status of CII; proportion with network segmentation and MFA.
- 1930 recovery rates for fraud; botnet cleanup statistics.
- Training/awareness coverage for officials and critical-sector staff.
Resilience and Recovery
- Business continuity plans with tested RTO/RPO targets; regular restore drills for backups.
- Cyber insurance for enterprises to manage financial exposure; needs strong controls to be effective.
- Post-incident forensics to learn and plug gaps; sharing anonymised lessons via CERT-In improves ecosystem maturity.
Takeaway: Cyber security demands layered defence: resilient CII, rapid reporting and response, legal clarity, skilled teams, and citizen awareness. Regular drills, patching, and segmented architectures are as vital as new tech. Policy should pair security with privacy and cross-border cooperation to keep the digital economy trusted and resilient.