  • What is Cybersecurity? → Practice of protecting systems, networks, programs, and data from digital attacks, damage, or unauthorized access.
  • India's Cyber Threat Landscape: 13.9 lakh cyber incidents reported to CERT-In in 2023; ransomware, phishing, data breaches, critical infrastructure targeting rising.
  • Policy Framework: National Cyber Security Policy (NCSP) 2013 is the cornerstone; draft National Cyber Security Strategy (2020) pending cabinet approval.
  • Key Institutions: CERT-In (nodal agency), NCIIPC (critical infrastructure), MeitY (policy), NTRO (intelligence), Defence Cyber Agency.
  • UPSC Angle: Tests understanding of digital governance, critical infrastructure protection, legal frameworks, and India's strategic autonomy in cyberspace.

📌 Legal Framework for Cybersecurity in India

  • Information Technology Act, 2000 (Amended 2008):
    • Section 43: Penalty for damage to computer/computer system — compensation up to ₹1 crore.
    • Section 66: Computer-related offences (hacking, data theft) — up to 3 years + ₹5 lakh fine.
    • Section 66F: Cyber terrorism — unauthorized access to critical infrastructure with intent to threaten unity, integrity, security, or sovereignty — life imprisonment.
    • Section 70: Protected systems — government can declare any computer resource as "protected"; unauthorized access punishable.
    • Section 70B: Established CERT-In as national nodal agency for incident response.
  • Digital Personal Data Protection (DPDP) Act, 2023:
    • Mandates data fiduciaries to implement security safeguards to prevent breaches.
    • Requires breach notification to Data Protection Board and affected individuals.
    • Penalties up to ₹250 crore for significant data fiduciaries failing security obligations.
  • Indian Penal Code (IPC), 1860:
    • Section 405/406: Criminal breach of trust (applicable to data misuse by insiders).
    • Section 420: Cheating (cyber fraud, phishing scams).

📌 Key Institutions & Their Roles

  • CERT-In (Indian Computer Emergency Response Team):
    • Nodal agency under MeitY for cybersecurity incident response.
    • Functions: Incident monitoring, vulnerability analysis, emergency response, capacity building.
    • April 2022 Directions: Mandated VPN providers, cloud services, data centers to retain logs for 5 years; report incidents within 6 hours.
  • NCIIPC (National Critical Information Infrastructure Protection Centre):
    • Established under IT Act Section 70A; operates under NTRO.
    • Identifies and protects Critical Information Infrastructure (CII): power, banking, telecom, transport, government networks.
    • Issues guidelines for CII operators; conducts audits and vulnerability assessments.
  • Defence Cyber Agency (DCA):
    • Tri-service command under Ministry of Defence for military cyber operations.
    • Focus: Offensive/defensive cyber capabilities, protecting defence networks, counter-terrorism in cyberspace.
  • National Security Council Secretariat (NSCS):
    • Coordinates national cybersecurity policy; chaired by National Security Advisor.
    • Oversees implementation of National Cyber Security Strategy (when approved).

📌 National Cyber Security Policy (NCSP) 2013: Key Objectives

  • Create secure cyber ecosystem for citizens, businesses, and government.
  • Strengthen regulatory framework for cybersecurity (led to IT Act amendments).
  • Enhance visibility and resilience of critical information infrastructure.
  • Develop indigenous security technologies and reduce import dependence.
  • Build human capacity: Target of 5 lakh skilled cybersecurity professionals by 2020 (revised).
  • Establish mechanisms for public-private partnership and international cooperation.

📌 Draft National Cyber Security Strategy (2020): Proposed Enhancements

  • Institutional Architecture: Proposes National Cyber Coordinator (NCC) at PMO level for strategic oversight.
  • Supply Chain Security: Trusted sources framework for hardware/software in critical sectors; "Make in India" for cybersecurity products.
  • Offensive Capabilities: Explicit mandate for proactive cyber operations (deterrence, attribution, counter-strikes).
  • Public-Private Fusion: Mandated information sharing between government and private sector; liability protections for good-faith reporting.
  • International Engagement: Active participation in UN GGE, OSCE, bilateral cyber dialogues; norms development for responsible state behavior.

  • NCSP Launched: 2013
  • CERT-In Established: 2004 (under IT Act)
  • NCIIPC Operational: 2014
  • Cyber Terrorism Section: IT Act S.66F

✅ Quick Facts

  • Critical Information Infrastructure (CII): Defined under IT Act S.70 as computer resource whose incapacitation/destruction would have debilitating impact on national security, economy, public health, or safety.
  • CERT-In Directions (2022): Applied to VPN providers, cloud services, data centers; 5-year log retention; 6-hour incident reporting — challenged in courts on privacy grounds.
  • Cyber Swachhta Kendra: Botnet/malware cleaning initiative by CERT-In; free tools for citizens and SMEs to detect/remove infections.
  • Indian Cyber Crime Coordination Centre (I4C): Under MHA; integrates law enforcement response to cybercrime; includes National Cybercrime Reporting Portal.

✅ Recent Developments (2023-24)

  • National Cyber Security Coordinator (NCSC): Appointed at PMO level (2023) to coordinate policy implementation across ministries — interim step pending full Strategy approval.
  • Trusted Telecom Portal: Mandatory certification for telecom equipment suppliers in critical networks; part of supply chain security measures.
  • Cyber Surakshit Bharat: Awareness program for government officials; trained 1.5 lakh+ officers on secure digital practices.
  • India-US Critical and Emerging Technology (iCET): Includes cybersecurity cooperation: threat intelligence sharing, joint exercises, supply chain resilience.

💡 Prelims Trap: CERT-In is under MeitY (civilian), while NCIIPC is under NTRO (intelligence). Also, "cyber terrorism" (S.66F) requires intent to threaten sovereignty/security — not all hacking qualifies.

🎯 Cybersecurity Policy: Multi-Dimensional Analysis

🔹 Strategic Imperatives: Sovereignty & Resilience

  • Digital Sovereignty: Protecting critical data and infrastructure from foreign surveillance, coercion, or disruption; reducing dependence on imported hardware/software.
  • Economic Security: Cyberattacks on banking, UPI, stock exchanges can trigger financial instability; cybersecurity is prerequisite for digital economy growth.
  • National Security Nexus: Hybrid warfare includes cyber operations; protecting defence networks, command-control systems, and strategic sectors is vital for deterrence.

🔹 Governance Challenges: Coordination & Capacity

  • Institutional Fragmentation: Multiple agencies (CERT-In, NCIIPC, DCA, I4C, state police cyber cells) with overlapping mandates; need for unified command structure.
  • Public-Private Gap: 90% of critical infrastructure is privately owned; mandatory reporting and information sharing face resistance due to liability fears and competitive concerns.
  • Capacity Deficit: Shortage of skilled professionals (target 5 lakh vs. actual ~1.2 lakh); training infrastructure concentrated in metros; rural-urban digital divide exacerbates vulnerability.

🔹 Rights & Liberties: Balancing Security and Freedom

  • Privacy Concerns: CERT-In's 2022 directions (log retention, user identification) challenged as disproportionate under Puttaswamy proportionality test.
  • Freedom of Expression: Overbroad interpretation of "cyber terrorism" or "unauthorized access" may chill legitimate security research, whistleblowing, or journalistic investigation.
  • Due Process: Emergency takedown powers, encryption restrictions need judicial oversight to prevent executive overreach.

🔹 Critical Challenges & Way Forward

  • Supply Chain Vulnerabilities: Hardware backdoors, software dependencies on foreign vendors; need for indigenous R&D, trusted sourcing frameworks, and diversification.
  • Ransomware & Critical Infrastructure: Healthcare, power grids increasingly targeted; requires sector-specific resilience standards, backup systems, and incident response protocols.
  • International Norms: Cyberspace lacks binding treaties; India should advocate for UN-based norms that respect sovereignty while enabling cooperation against non-state threats.
  • Emerging Tech Risks: AI-powered attacks, quantum computing breaking encryption, IoT botnets; policy must be adaptive and anticipatory.

🔹 Mains Answer Framework

  1. Contextualize: Link cybersecurity to digital India ambitions, critical infrastructure protection, and India's strategic autonomy in an era of great power cyber competition.
  2. Analyze Framework: Legal (IT Act, DPDP Act), institutional (CERT-In, NCIIPC, DCA), policy (NCSP 2013, draft Strategy), and operational (incident response, capacity building) dimensions.
  3. Critically Evaluate: Implementation gaps (coordination, capacity), rights tensions (privacy vs. security), and strategic challenges (supply chain, emerging tech).
  4. Way Forward: Approve and implement National Cyber Security Strategy with clear institutional architecture; invest in indigenous R&D and skills; strengthen public-private fusion; lead Global South in cyber norm-setting.

📌 Case 1: AIIMS Ransomware Attack (2022)

  • Event: All India Institute of Medical Sciences, Delhi hit by ransomware; patient records, appointment systems offline for weeks.
  • Response: CERT-In deployed incident response team; MHA coordinated with international partners for attribution; manual processes restored critical services.
  • Lessons: Critical infrastructure (healthcare) lacked adequate segmentation, backups, and incident response plans; highlighted need for sector-specific cybersecurity standards.
  • UPSC Link: Critical infrastructure protection + Public health security + Incident response coordination + Public-private partnership gaps.

📌 Case 2: CERT-In Directions 2022 – Privacy vs. Security Debate

  • Policy: April 2022 directions mandated VPN providers, cloud services to retain user logs for 5 years; report incidents within 6 hours; verify customer identities.
  • Controversy: Privacy advocates challenged directions as disproportionate; some VPN providers exited Indian market citing compliance burden.
  • Outcome: Delhi High Court sought government response; directions remain in force but are selectively enforced pending judicial review.
  • UPSC Link: Proportionality test (Puttaswamy) + Regulatory overreach concerns + Balancing national security and fundamental rights.

📌 Case 3: India-US iCET Cybersecurity Cooperation

  • Initiative: Under India-US Critical and Emerging Technology (iCET) dialogue (2023), cybersecurity pillar includes threat intelligence sharing, joint exercises, supply chain resilience.
  • Components: (a) CERT-In and CISA (US) establish real-time threat data exchange; (b) Joint R&D on AI-powered threat detection; (c) Trusted telecom equipment supply chain framework.
  • Strategic Significance: Strengthens India's cyber deterrence against state and non-state actors; aligns with "friend-shoring" of critical technology supply chains.
  • UPSC Link: Strategic partnerships + Technology diplomacy + Supply chain security + Balancing autonomy and cooperation.

Q1. With reference to cybersecurity policy in India, consider the following statements:
1. Section 66F of the IT Act, 2000 defines and penalizes cyber terrorism.
2. CERT-In functions under the Ministry of Home Affairs.
3. NCIIPC is responsible for protecting Critical Information Infrastructure in India.

Which of the statements given above are correct?

✅ Answer: (b) 1 and 3 only

💡 Explanation: Statement 2 is incorrect: CERT-In functions under MeitY (Ministry of Electronics & IT), not Ministry of Home Affairs. Statements 1 & 3 are correct.

Q2. The National Critical Information Infrastructure Protection Centre (NCIIPC) operates under the administrative control of:

✅ Answer: (b) National Technical Research Organisation (NTRO)

💡 Explanation: NCIIPC was established under IT Act Section 70A and operates under NTRO, which is India's premier technical intelligence agency.

Q3. Consider the following pairs:
Provision/Initiative | Purpose
1. IT Act Section 70 | Declaration of "protected systems" with enhanced penalties for unauthorized access
2. Cyber Swachhta Kendra | Free botnet/malware cleaning tools for citizens and SMEs
3. Trusted Telecom Portal | Certification framework for telecom equipment in critical networks

How many pairs are correctly matched?

✅ Answer: (c) All three

💡 Explanation: All three pairs are correctly matched. Section 70 enables protected system designation, Cyber Swachhta Kendra provides cleanup tools, and Trusted Telecom Portal addresses supply chain security.

Q4. CERT-In's April 2022 directions mandated intermediaries to report cybersecurity incidents within:

✅ Answer: (b) 6 hours

💡 Explanation: CERT-In's directions require service providers, intermediaries, and data centers to report cybersecurity incidents within 6 hours of noticing them — significantly faster than previous norms.

Q5. Which of the following is NOT a stated objective of the National Cyber Security Policy (NCSP) 2013?

✅ Answer: (c) Establish mandatory encryption backdoors for law enforcement access

💡 Explanation: NCSP 2013 does not mandate encryption backdoors; this remains a contested policy issue. The policy focuses on ecosystem security, indigenous development, and capacity building.

🔁 Cybersecurity Policy in 10 Seconds

  • NCSP 2013: Foundational policy; objectives: secure ecosystem, regulatory framework, CII protection, indigenous tech, capacity building
  • Legal Framework: IT Act (S.43/66/66F/70/70B), DPDP Act 2023, IPC provisions
  • CERT-In: Nodal agency under MeitY; incident response, vulnerability analysis, 2022 directions (6-hr reporting, 5-yr logs)
  • NCIIPC: Under NTRO; protects Critical Information Infrastructure (power, banking, telecom, transport)
  • Draft Strategy (2020): Proposes National Cyber Coordinator, supply chain security, offensive capabilities, public-private fusion
  • Key Challenge: Balancing security imperatives with privacy rights, federal coordination, capacity deficits
  • Way Forward: Approve Strategy, invest in R&D/skills, strengthen public-private fusion, lead Global South cyber norm-setting

🧠 Mnemonic: "CYBER INDIA SECURE"

C → CERT-In: Nodal agency under MeitY for incident response

Y → Year of NCSP: 2013 (still operative; Strategy draft pending)

B → Backdoors debate: Encryption access remains contested policy issue

E → Ecosystem approach: Legal + Institutional + Technical + Human capacity

R → Rights balance: Proportionality test (Puttaswamy) for security measures


I → IT Act Sections: 43 (damage), 66 (offences), 66F (cyber terrorism), 70/70B (protected systems/CERT-In)

N → NCIIPC: Under NTRO; protects Critical Information Infrastructure

D → Draft Strategy (2020): Proposes National Cyber Coordinator, supply chain security

I → Indigenous focus: "Make in India" for cybersecurity products and R&D

A → Attribution challenge: Technical/political difficulty in identifying attackers

📌 Prelims Traps to Avoid

  • ✘ CERT-In is under MeitY, not Ministry of Home Affairs
  • ✘ NCIIPC is under NTRO, not CERT-In or MeitY
  • ✘ "Cyber terrorism" (S.66F) requires intent to threaten sovereignty/security — not all hacking qualifies
  • ✘ NCSP 2013 is still operative; draft Strategy (2020) not yet approved by Cabinet
  • ✘ CERT-In 2022 directions mandate 6-hour reporting (not 24/72 hours) and 5-year log retention

🎯 Mains One-Liners

  • "Cybersecurity policy = Legal framework + Institutional architecture + Technical capacity + Human capital"
  • "Critical infrastructure protection requires sector-specific standards, public-private fusion, and resilient system design"
  • "Proportionality test ensures security measures respect privacy and free speech under constitutional framework"
  • "Supply chain security and indigenous R&D are strategic imperatives for technological sovereignty"
  • "Way Forward: Approve Strategy, invest in skills/R&D, strengthen coordination, lead Global South cyber governance"