Cyber espionage in India is not a new concept but has been in existence for the last decade. It may be carried out by an insider or an outsider by exploiting the vulnerabilities in the cyber security of an organisation. The real problem lies in the fact that cyber espionage is not only inexpensive and relatively easy to commit but also highly difficult to prove with absolute certainty. In short, without conclusive “authorship attribution”, countering cyber espionage is largely a lost battle.
Further, global terrorist groups like ISIS and Al Qaeda are increasingly using social media for radicalising the youth. There has been a steep increase in cyber-crimes in the country. Cyber-crime related cases have seen a spurt from 5,693 registered in 2013 to 9,622 in 2014 and 11,592 in 2015. The situation has deteriorated further during the course of this year, with 21,248 cases already reported till May 2016.1
Given this steady and accelerating increase in the recorded cases of breach of cyber security and since cyber-crime can only be checked by a highly specialized agency, the central government has decided to establish an agency to probe all such cases. The agency will work under the Ministry of Home Affairs. Rupees 400 crore has been earmarked for raising this agency. In addition to investigating cyber-crime, the proposed agency will also assist and provide technological support to the state police and other central agencies. One of the charter of duties of the agency is also to propose laws and guidelines for cyber terrorism as well as amendments to the existing laws. The raising of such an agency to investigate cyber-crime on the lines of the NIA, which has the mandate to investigate terror-related crime, was long overdue. The proposed agency will definitely strengthen the cyber capabilities of the country and also thwart attempts by non-state actors to engage in cyber-crime.
The proposed agency will derive its powers from the Unlawful Activities Prevention Act, 1967. It is likely to be a part of the Intelligence Bureau and will be headed by a Director who will report to the Director IB and the Home Secretary. States will be taken into confidence before the Centre carries out any operation in their territorial jurisdiction. The agency will execute counter-terror operations and collect, collate and disseminate data on terrorism, besides maintaining a data base on terrorists and their associates including their families. The agency has been empowered to analyse the intelligence shared by agencies like the Intelligence Bureau and select what it deems suitable. It has also been granted powers to conduct searches and arrests in any part of India and will formulate responses to terror threats.
Unlike the US National Counter Terrorism Centre (NCTC), which deals only with strategic planning and integration of intelligence without any operational involvement, or the US Joint Terrorism Analysis Centre, which too plays a purely coordinating role, the Indian agency will have not only intelligence functions but also the power to carry out operations. It is this concentration of powers that has led to states objecting to the establishment of this agency, arguing that such sweeping powers vested in a central agency will violate the autonomy of state governments given that law and order is a state subject according to the Constitution. It has also been argued that given the establishment of the National Investigating Agency in the aftermath of the 26/11 attacks, the establishment of a cyber agency would only add to the bureaucratic tangle in intelligence sharing and counter terrorist action.
As on date, India has neither a dedicated cyber security law nor mandatory cyber breach disclosure norms. Even the cyber security infrastructure is grossly deficient as it cannot tackle sophisticated cyber-attacks and malware. The country does not have a cyber warfare policy or cyber terrorism policy or critical infrastructure protection policy or cyber espionage policy. The constitution of the Tri-Service Cyber Command has skipped many deadlines and it is yet to be established. All that India has is a cyber security policy formulated in the year 2013.
In order to offset this major shortcoming, the government would do well to pursue a two-pronged strategy in the interim. First, advocate restraint in cyberspace as a global norm. India is an active participant in discussions around the Tallinn Manual, which is a set of non-governmental guidelines for engagement during war. A group of government experts will convene later this year under the aegis of the UN — India is expected to be at the table — to discuss norms that trigger cyber war. At these forums, India should underline the basic premise that it is impossible to thwart all cyber-attacks and the consequent imperative of encouraging states to restrain from deploying cyber weapons. Second, the government should draft recruitment guidelines to hire and train a cadre of cyber specialists for the proposed agency. Attracting such specialists may require high pay scales and other benefits — a model the US has aggressively pursued — but they would bring in India’s best minds. If India’s cyberspace has built-in vulnerabilities, it also has a highly skilled IT workforce, which should be harnessed by the government for strategic use.
To tackle cyber terrorism, India needs policies and laws in place and also a specialized and well equipped agency. The government has rightly decided to handle this important issue with the seriousness it deserves by deciding to establish a cyber agency with adequately trained and equipped manpower. The schedule for raising this agency has not been outlined, although it is felt that the nucleus should be in place in about a year’s time. This initiative is likely to improve the present state of affairs and make the country more self-reliant in cyber security.