Unit V
Introduction to Security Policies and Cyber Laws
Unit Overview
This unit covers the legal and policy framework governing cyberspace in India, including the Information Technology Act, 2000, the Digital Personal Data Protection Act, 2023, intellectual property considerations, and cybercrime reporting mechanisms.
Topics Covered
- Security Policy Components
- IT Act, 2000
- DPDP Act, 2023
- Intellectual Property
- Cybercrime Reporting
- Trademark Infringement & Remedies
- Privacy Threats in Cyberspace
5.1 Need for an Information Security Policy
An information security policy is a formal document that defines how an organization protects its information assets. It establishes the rules and procedures for all individuals accessing and using an organization's IT assets and resources.
Importance of Security Policies
- Guidance: Provides clear guidelines for employees and stakeholders
- Consistency: Ensures uniform security practices across the organization
- Compliance: Helps meet regulatory and legal requirements
- Risk Management: Identifies and addresses security risks systematically
- Accountability: Establishes responsibilities and consequences
- Protection: Safeguards organizational assets and reputation
Key Components of Security Policy
| Component | Description |
|---|---|
| Purpose Statement | Defines why the policy exists and its objectives |
| Scope | Identifies who and what the policy applies to |
| Roles and Responsibilities | Assigns accountability for security functions |
| Policy Statements | Specific rules and requirements |
| Compliance Requirements | Legal and regulatory obligations |
| Enforcement | Consequences for policy violations |
| Review Procedures | Process for updating the policy |
Types of Security Policies
1. Organizational Security Policy
High-level policy defining the overall security stance of the organization.
2. Issue-Specific Policies
- Acceptable Use Policy
- Password Policy
- Email and Communication Policy
- Remote Access Policy
- Incident Response Policy
3. System-Specific Policies
- Network Security Policy
- Server Security Policy
- Database Security Policy
- Application Security Policy
Policy Development Process
- Assessment: Identify security requirements and risks
- Drafting: Write policy documents
- Review: Stakeholder review and feedback
- Approval: Management authorization
- Communication: Distribute to all affected parties
- Implementation: Put policy into practice
- Monitoring: Track compliance and effectiveness
- Revision: Update based on changes and lessons learned
Key Points for Examination:
- Security policies provide formal guidance for protecting information
- Policies must be enforceable and regularly updated
- Different types address organizational, issue-specific, and system needs
- Management support is essential for policy effectiveness
5.2 Introduction to Indian Cyber Law
Information Technology Act, 2000
The Information Technology Act, 2000 (IT Act) is the primary legislation in India dealing with cybercrime and electronic commerce. It was enacted to provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication.
Objectives of IT Act, 2000
- Legal recognition of electronic documents and digital signatures
- Facilitation of electronic filing of documents with government agencies
- Legal recognition of electronic records and digital signatures
- Prevention of computer-related crimes
- Facilitation of e-commerce and e-governance
Key Amendments (IT Amendment Act, 2008)
The IT Act was significantly amended in 2008 to address emerging cyber threats and issues. Key changes include:
- Introduction of Section 66A (later struck down by Supreme Court)
- Enhanced penalties for various cybercrimes
- Provisions for data protection and privacy
- Intermediary liability guidelines
- Cyber terrorism provisions (Section 66F)
Important Sections of IT Act
| Section | Offense | Punishment |
|---|---|---|
| Section 43 | Unauthorized access, damage, data theft | Compensation up to Rs. 1 crore |
| Section 65 | Tampering with computer source documents | Up to 3 years imprisonment and/or fine up to Rs. 2 lakh |
| Section 66 | Computer related offences (hacking) | Up to 3 years imprisonment and/or fine up to Rs. 5 lakh |
| Section 66B | Receiving stolen computer resource | Up to 3 years imprisonment and/or fine up to Rs. 1 lakh |
| Section 66C | Identity theft | Up to 3 years imprisonment and/or fine up to Rs. 1 lakh |
| Section 66D | Cheating by personation using computer resource | Up to 3 years imprisonment and/or fine up to Rs. 1 lakh |
| Section 66E | Violation of privacy | Up to 3 years imprisonment and/or fine up to Rs. 2 lakh |
| Section 66F | Cyber terrorism | Imprisonment for life |
| Section 67 | Publishing obscene material | Up to 5 years imprisonment and fine up to Rs. 10 lakh |
| Section 67A | Publishing sexually explicit material | Up to 7 years imprisonment and fine up to Rs. 10 lakh |
| Section 67B | Child pornography | Up to 7 years imprisonment and fine up to Rs. 10 lakh |
| Section 72 | Breach of confidentiality and privacy | Up to 2 years imprisonment and/or fine up to Rs. 1 lakh |
Authorities Under IT Act
- Controller of Certifying Authorities (CCA): Supervises digital signature infrastructure
- Certifying Authorities: Issue digital signature certificates
- Adjudicating Officers: Handle claims for compensation
- Cyber Appellate Tribunal (CAT): Appellate body for IT Act cases
- CERT-In: Indian Computer Emergency Response Team
Key Points for Examination:
- IT Act, 2000 is India's primary cyber law
- 2008 amendments strengthened cybercrime provisions
- Section 66F addresses cyber terrorism with life imprisonment
- CCA oversees digital signature infrastructure
5.3 Digital Personal Data Protection Act, 2023
The Digital Personal Data Protection Act, 2023 is India's comprehensive data protection legislation that governs the processing of digital personal data, establishing the rights of individuals and obligations of entities processing personal data.
Detailed Explanation: The DPDP Act represents India's first comprehensive framework for data protection, aimed at balancing the right to privacy with legitimate data processing needs. It was enacted to provide individuals control over their personal data and establish accountability for organizations handling such data.
Historical Context:
- 2017: Justice K.S. Puttaswamy judgment recognized privacy as a fundamental right under Article 21 of the Constitution
- 2018: Draft Personal Data Protection Bill proposed by Justice B.N. Srikrishna Committee
- 2022: Previous bills withdrawn, new simplified approach adopted
- 2023: Digital Personal Data Protection Act passed by Parliament
Key Principles of Data Processing:
- Lawfulness, Fairness, and Transparency: Data must be processed legally, ethically, and with user awareness
- Purpose Limitation: Data collected only for specific, legitimate purposes
- Data Minimization: Collect only necessary data for stated purpose
- Accuracy: Ensure data is accurate and up-to-date
- Storage Limitation: Retain data only as long as necessary
- Security: Implement appropriate security safeguards
- Accountability: Data fiduciaries responsible for compliance
International Comparison: The DPDP Act is influenced by the EU's General Data Protection Regulation (GDPR) but has unique provisions tailored to India's context, including simplified consent mechanisms and specific exemptions for government processing.
Objectives of DPDP Act
- Protect the privacy of individuals with respect to their personal data
- Establish lawful grounds for processing personal data
- Define rights of data principals (individuals)
- Specify obligations of data fiduciaries (organizations)
- Create an enforcement mechanism through the Data Protection Board
- Enable cross-border data transfer with appropriate safeguards
Key Definitions
| Term | Definition |
|---|---|
| Personal Data | Any data about an individual who is identifiable by or in relation to such data |
| Data Principal | The individual to whom the personal data relates |
| Data Fiduciary | Any person who alone or in conjunction with others determines the purpose and means of processing personal data |
| Data Processor | Any person who processes personal data on behalf of a Data Fiduciary |
| Processing | Any operation performed on digital personal data |
| Consent | Free, specific, informed, unconditional, and unambiguous agreement |
Scope of the Act
- Applies to processing of digital personal data within India
- Applies to processing outside India if related to offering goods or services to persons in India
- Covers both automated and non-automated processing
- Includes data collected online and data digitized from offline sources
Rights of Data Principals
| Right | Description |
|---|---|
| Right to Information | Know what personal data is being collected and how it is processed |
| Right to Correction and Erasure | Request correction of inaccurate data and erasure of data |
| Right to Grievance Redressal | File complaints regarding processing of personal data |
| Right to Nominate | Nominate another person to exercise rights in case of death or incapacity |
Obligations of Data Fiduciaries
- Obtain valid consent before processing personal data
- Provide clear notice about data processing purposes
- Process data only for specified purposes
- Implement reasonable security safeguards
- Ensure accuracy and completeness of data
- Delete personal data when purpose is fulfilled
- Respond to data principal requests within specified time
- Report data breaches to the Data Protection Board
Significant Data Fiduciaries
Certain Data Fiduciaries may be classified as "Significant Data Fiduciaries" based on:
- Volume and sensitivity of personal data processed
- Risk to rights of Data Principals
- Potential impact on sovereignty and integrity of India
- Risk to electoral democracy
- Security of the State
- Public order
Additional Obligations for Significant Data Fiduciaries
- Appoint a Data Protection Officer
- Appoint an independent data auditor
- Conduct Data Protection Impact Assessments
- Undertake periodic audits
Penalties Under DPDP Act
| Violation | Maximum Penalty |
|---|---|
| Failure to take reasonable security safeguards resulting in data breach | Rs. 250 crore |
| Failure to notify Data Protection Board and affected individuals of breach | Rs. 200 crore |
| Failure to comply with obligations regarding children's data | Rs. 200 crore |
| Failure to comply with additional obligations for Significant Data Fiduciaries | Rs. 150 crore |
| Other violations | Rs. 50 crore |
Data Protection Board of India
The Act establishes the Data Protection Board of India as the enforcement body with powers to:
- Receive and adjudicate complaints
- Conduct inquiries
- Impose penalties
- Issue directions to Data Fiduciaries
Key Points for Examination:
- DPDP Act, 2023 is India's comprehensive data protection law
- Data Principal refers to the individual; Data Fiduciary processes the data
- Consent must be free, specific, informed, and unambiguous
- Maximum penalty is Rs. 250 crore for security failures
- Data Protection Board is the enforcement authority
5.4 Intellectual Property Issues
Types of Intellectual Property
| Type | Description | Protection Period |
|---|---|---|
| Copyright | Protection for original works of authorship including literary, dramatic, musical, and artistic works | Lifetime of author + 60 years (India) |
| Patents | Protection for inventions that are novel, non-obvious, and useful | 20 years from filing date |
| Trademarks | Protection for distinctive signs, symbols, or expressions identifying products or services | 10 years, renewable indefinitely |
| Trade Secrets | Confidential business information providing competitive advantage | Indefinite (as long as secret is maintained) |
| Industrial Designs | Protection for aesthetic aspects of articles | 15 years (India) |
IP Issues in Cyberspace
1. Software Piracy
- Unauthorized copying and distribution of software
- Use of unlicensed software
- Counterfeiting of software products
- Cracking and distribution of activation keys
2. Digital Copyright Infringement
- Unauthorized sharing of music, movies, and other media
- Illegal streaming services
- Website content copying
- Plagiarism of digital content
3. Domain Name Disputes
- Cybersquatting: Registering domains with intent to profit from trademarks
- Typosquatting: Registering misspelled versions of popular domains
- Domain hijacking: Unauthorized transfer of domain ownership
4. Trademark Issues Online
- Use of trademarks in metatags and keywords
- Trademark infringement in domain names
- Counterfeit goods sold online
- Unauthorized use in social media
5. AI and Emerging Technology IP Issues
- AI-generated content ownership: Unclear who owns copyright — the AI developer, the user who prompted it, or neither (currently no legal protection for AI-generated works in India)
- Deepfakes: AI-generated synthetic videos/audio misusing individuals' likeness without consent — raises privacy and IP concerns
- Training data copyright: Large language models and image AI trained on copyrighted content without licensing agreements — ongoing lawsuits globally (e.g., Getty Images vs Stability AI)
- Voice cloning: AI replication of celebrity voices for unauthorized commercial use
- NFTs and blockchain art: Digital ownership claims that may not align with copyright law
- Automated plagiarism: AI tools generating content that inadvertently reproduces copyrighted material
Challenges in IP Protection Online
- Easy reproduction and distribution of digital content
- Global nature of the internet complicating jurisdiction
- Anonymity of infringers
- Rapid technological changes
- Volume of potentially infringing content
Key Points for Examination:
- IP includes copyrights, patents, trademarks, and trade secrets
- Software piracy is a major cybercrime affecting IP
- Cybersquatting involves bad-faith domain registration
- Digital environment creates unique IP protection challenges
5.5 Overview of Intellectual Property Related Legislation
Indian IP Legislation
1. The Copyright Act, 1957
Governs the protection of original literary, dramatic, musical, and artistic works, including computer programs and databases.
- Computer programs protected as literary works
- Section 63B: Penalty for knowing use of infringing copy of computer program
- Section 65: Penalty for making or possessing plates for making infringing copies
- Fair dealing provisions for research, criticism, and education
2. The Patents Act, 1970
Governs the grant and protection of patents in India.
- Software per se is not patentable in India
- Technical applications of software may be patentable
- Process patents available for manufacturing methods
3. The Trade Marks Act, 1999
Provides for registration and protection of trademarks.
- Domain names can be protected as trademarks
- Infringement actions available for unauthorized use
- Passing off remedies for unregistered marks
4. The Information Technology Act, 2000
Contains provisions relevant to IP protection in cyberspace:
- Section 43: Compensation for unauthorized access and copying
- Section 65: Tampering with computer source code
- Section 66: Computer-related offenses
International IP Frameworks
| Agreement/Treaty | Focus Area |
|---|---|
| TRIPS Agreement | Minimum standards for IP protection in WTO member countries |
| Berne Convention | International copyright protection |
| Paris Convention | Protection of industrial property |
| WIPO Copyright Treaty | Digital copyright issues |
| Patent Cooperation Treaty | International patent applications |
| Madrid Protocol | International trademark registration |
Digital Rights Management (DRM)
Technological measures used to protect copyrighted digital content:
- Encryption of content
- Access control systems
- Copy protection mechanisms
- Watermarking and fingerprinting
Enforcement Mechanisms
- Civil Remedies: Injunctions, damages, account of profits
- Criminal Prosecution: Fines and imprisonment
- Administrative Actions: Customs seizure, takedown notices
- Self-Help Measures: Technical protection measures
Key Points for Examination:
- Copyright Act, 1957 protects computer programs as literary works
- Software per se is not patentable in India
- TRIPS sets minimum IP protection standards for WTO members
- DRM provides technological protection for digital content
5.6 Relevant Indian Penal Code Provisions
Several provisions of the Indian Penal Code (IPC) apply to cyber offenses in conjunction with the IT Act:
| Section | Offense | Applicability to Cybercrime |
|---|---|---|
| Section 292 | Sale of obscene materials | Distribution of obscene content online |
| Section 354D | Stalking | Cyber stalking |
| Section 379 | Theft | Data theft, identity theft |
| Section 406 | Criminal breach of trust | Misuse of entrusted data |
| Section 420 | Cheating | Online fraud |
| Section 463-471 | Forgery | Digital document forgery |
| Section 499-500 | Defamation | Online defamation |
| Section 503 | Criminal intimidation | Online threats |
| Section 509 | Word, gesture or act intended to insult modesty of a woman | Cyber harassment of women |
5.7 Reporting Cybercrime in India
Reporting Mechanisms
1. National Cyber Crime Reporting Portal
Website: cybercrime.gov.in
- Online complaint registration facility
- Tracking of registered complaints
- Categories for different types of cybercrimes
2. Cyber Crime Cells
- Dedicated units in state police departments
- Specialized investigation capabilities
- Technical expertise for digital evidence
3. CERT-In
Indian Computer Emergency Response Team handles:
- Cyber incident reporting
- Vulnerability disclosures
- Security alerts and advisories
Information to Include in Complaint
- Detailed description of the incident
- Date, time, and duration of the incident
- Evidence (screenshots, emails, URLs)
- Details of the suspect (if known)
- Financial loss details (if applicable)
- Previous complaints (if any)
Key Points for Examination:
- cybercrime.gov.in is India's national cybercrime reporting portal
- CERT-In handles national-level cyber incidents
- Evidence preservation is crucial before reporting
- Cyber crime cells exist in major cities
5.8 Trademark Infringement: Prevention and Remedies under Indian Law
Trademark infringement is the unauthorized use of a registered trademark (or a confusingly similar mark) in relation to goods or services for which the mark is registered, in a manner likely to cause consumer confusion about origin.
What Constitutes Infringement (Trade Marks Act, 1999)
- Using an identical or similar mark for the same/similar class of goods or services
- Using a registered trademark in online advertising, metatags, or domain names without permission
- Cybersquatting — registering a trademark as a domain name in bad faith
- Manufacturing, selling, or distributing counterfeit goods bearing a registered mark
Prevention Strategies
1. Trademark Registration
- File with the Trade Marks Registry of India under the Trade Marks Act, 1999
- Protection for 10 years, renewable indefinitely
- Register across all relevant Nice Classification classes (1–45)
- Use ™ for unregistered marks and ® only after registration is granted
2. Domain and Online Monitoring
- Register multiple domain TLD variations (.com, .in, .net)
- Monitor e-commerce platforms (Amazon, Flipkart) for counterfeit product listings
- Use Google Alerts to track unauthorized brand name use online
- ICANN UDRP (Uniform Domain-Name Dispute-Resolution Policy) for international disputes
- INDRP (IN Domain Name Dispute Resolution Policy) for .in domain disputes in India
3. Proactive Enforcement
- Issue cease-and-desist notices before pursuing litigation
- Send DMCA-style takedown notices to platforms for infringing content
- Engage brand protection services (MarkMonitor, BrandShield)
Remedies Under Indian Law
Civil Remedies (Section 135, Trade Marks Act, 1999)
| Remedy | Description |
|---|---|
| Injunction | Court order stopping infringing activity immediately (can be ex-parte for urgent cases) |
| Damages | Financial compensation for losses caused by infringement |
| Account of Profits | Infringer must surrender profits earned from infringing activity |
| Delivery Up / Destruction | Infringing goods ordered to be surrendered and destroyed |
Criminal Remedies (Sections 103–104, Trade Marks Act, 1999)
| Offense | First Offense | Repeat Offense |
|---|---|---|
| Falsifying trademarks | 6 months–3 years + Rs. 50,000–Rs. 2 lakh fine | 1–7 years + Rs. 1 lakh–Rs. 2 lakh fine |
| Falsely applying trademarks to goods | 6 months–3 years + Rs. 50,000–Rs. 2 lakh fine | 1–7 years + Rs. 1 lakh–Rs. 2 lakh fine |
Administrative Remedies
- Customs Seizure: File a trademark notice with Customs to seize infringing goods at import
- Platform Takedowns: Request removal of infringing listings from e-commerce sites
Key Points for Examination:
- Injunction is the most immediate remedy — stops infringing activity before trial concludes
- Criminal penalties can reach up to 7 years imprisonment for repeat trademark offenders
- Domain name disputes in India handled by INDRP; international disputes by UDRP
- Trademark registration provides the strongest legal foundation for enforcement
5.9 Privacy Threats in Cyberspace
Privacy in cyberspace is the right of individuals to control the collection, storage, processing, and sharing of their personal information in digital environments. India recognizes privacy as a Fundamental Right under Article 21 (K.S. Puttaswamy vs Union of India, 2017).
Types of Privacy Threats
| Threat | Description | Example |
|---|---|---|
| Data Harvesting | Collecting personal data by apps and websites without meaningful consent | Facebook–Cambridge Analytica; apps tracking location 24/7 |
| Data Breaches | Unauthorized exposure of personal records held by organizations | LinkedIn breach (700M+ records); Aadhaar data concerns |
| Surveillance | Government or corporate monitoring of communications and activities | Pegasus spyware targeting activists and journalists |
| Spyware / Stalkerware | Software that covertly monitors device activity — calls, messages, location | mSpy, FlexiSPY, Pegasus spyware |
| Cookie and Browser Tracking | Persistent tracking of browsing behavior across websites for profiling | Third-party advertising networks tracking across sites |
| Social Media Oversharing | Unintentional exposure of personal details (location, routine, finances) | Posting travel plans enabling burglary; location tagging |
| Deepfakes | AI-generated realistic fake video/audio misusing someone's likeness | Non-consensual intimate images (NCII), fake political videos |
| IoT Surveillance | Smart home devices continuously collecting behavioral data | Smart speakers recording home conversations; smart TVs tracking |
Challenges in Protecting Privacy
- Lack of awareness: Most users do not read privacy policies or understand what data is collected
- Consent fatigue: Users routinely click "Accept" on cookie and privacy notices without reading them
- Jurisdictional complexity: Data stored in multiple countries under differing laws (India DPDP vs EU GDPR vs US regulations)
- Technological pace: Legislation lags behind AI, IoT, and big data capabilities
- Business model conflict: For many platforms, personal data collection IS the revenue model
- Security vs. privacy: Government surveillance justified as national security necessity, limiting individual privacy
- Anonymous data re-identification: "Anonymized" datasets can often be re-identified using cross-referencing
Legal Framework for Privacy Protection in India
| Legal Provision | Protection Offered |
|---|---|
| Article 21, Constitution of India | Privacy as a Fundamental Right (K.S. Puttaswamy judgment, 2017) |
| Section 66E, IT Act, 2000 | Punishment for capturing/publishing private images — up to 3 years imprisonment |
| Section 72, IT Act, 2000 | Breach of confidentiality by intermediaries — up to 2 years imprisonment |
| DPDP Act, 2023 | Comprehensive data protection; penalties up to Rs. 250 crore for security failures |
| Section 354D, IPC | Cyber stalking (covert online monitoring) — 3 years first offense; 5 years repeat |
Key Points for Examination:
- Privacy is a Fundamental Right — Article 21 (K.S. Puttaswamy 2017 judgment)
- DPDP Act, 2023 is India's primary response to digital privacy threats — max penalty Rs. 250 crore
- Deepfakes represent a new and serious AI-enabled privacy violation category
- Consent under DPDP must be "free, specific, informed, unconditional, and unambiguous"
- Data breaches must be reported to the Data Protection Board under DPDP Act
5.10 Section 69 and Section 70 of IT Act
Section 69: Powers to Issue Directions for Interception, Monitoring, or Decryption
Section 69 empowers the Central Government or State Government to issue directions for the interception, monitoring, or decryption of any information generated, transmitted, received, or stored in any computer resource.
| Aspect | Details |
|---|---|
| Authorized By | Central Government or State Government (or authorized officer) |
| Grounds for Direction | |
| Penalty for Non-Compliance | Imprisonment up to 7 years and fine |
| Safe Harbour | Intermediaries who comply with directions are protected from liability |
Section 69A: Power to Block Public Access
The Central Government can direct any agency or intermediary to block public access to any information on the same grounds as Section 69. This has been used to block websites, apps, and social media content.
Section 69B: Power to Monitor and Collect Traffic Data
The Central Government can authorize the collection and monitoring of traffic data (not content) for enhancing cyber security and identifying/preventing cyber incidents.
Section 70: Protected System
Section 70 allows the appropriate Government to declare any computer resource, directly or indirectly affecting critical information infrastructure, as a "protected system".
| Aspect | Details |
|---|---|
| Definition | Computer systems whose incapacitation would have debilitating impact on national security, economy, public health, or safety |
| Examples | Power grid systems, banking infrastructure, defense networks, air traffic control, government databases |
| Unauthorized Access Penalty | Imprisonment up to 10 years and fine |
| Related Body | NCIIPC (National Critical Information Infrastructure Protection Centre) designated under Section 70A |
Section 70B: CERT-In Authority
Section 70B designates the Indian Computer Emergency Response Team (CERT-In) as the national nodal agency for incident response.
Key Points for Examination:
- Section 69 allows government to direct interception/monitoring for national security
- Non-compliance with Section 69 directions: up to 7 years imprisonment
- Section 70 protects critical information infrastructure systems
- Unauthorized access to protected systems: up to 10 years imprisonment
- NCIIPC protects critical infrastructure under Section 70A
5.11 CERT-In (Indian Computer Emergency Response Team)
CERT-In (Indian Computer Emergency Response Team) is the national nodal agency for responding to computer security incidents in India. Established in 2004, it operates under the Ministry of Electronics and Information Technology (MeitY) and is designated as such under Section 70B of the IT Act.
Functions of CERT-In
- Collection, analysis, and dissemination of information on cyber incidents
- Forecasting and alerts for cyber security incidents
- Emergency measures for handling cyber security incidents
- Coordination of cyber security incident response activities
- Issue guidelines, advisories, vulnerability notes, and whitepapers
- Conduct cyber security training and awareness programs
- Collaborate with international CERTs and security agencies
- Assist organizations in implementing best practices
CERT-In Directives 2022 (April 2022)
In April 2022, CERT-In issued significant new directives that impose mandatory cybersecurity requirements on organizations. These came into effect on June 27, 2022.
| Requirement | Details |
|---|---|
| Incident Reporting | Mandatory reporting of cyber incidents to CERT-In within 6 hours of discovery (previously 24 hours suggested) |
| Log Retention | Organizations must maintain ICT system logs for a rolling period of 180 days within Indian jurisdiction |
| Time Synchronization | All ICT systems must be synchronized with NIC or NPL time servers |
| VPN Provider Requirements | VPN service providers must maintain validated customer data (KYC) for 5 years after service cancellation |
| Cryptocurrency Exchanges | Must maintain KYC and transaction records for 5 years |
| Data Centers | Must register and maintain customer information |
Reportable Cyber Incidents
- Targeted scanning/probing of critical networks/systems
- Compromise of critical systems/information
- Unauthorized access to IT systems/data
- Defacement of website or intrusion
- Malicious code attacks (virus, worm, Trojan, botnet)
- Attacks on servers, critical infrastructure, and IoT devices
- Identity theft, spoofing, and phishing attacks
- Denial of Service (DoS) and Distributed DoS attacks
- Data breach/leak
- Fake mobile apps
- Unauthorized access to social media accounts
Key Points for Examination:
- CERT-In is national nodal agency for cyber incidents (Section 70B)
- Established in 2004 under MeitY
- 2022 Directives: 6-hour mandatory incident reporting
- Log retention: 180 days within India
- VPN providers must maintain 5-year KYC records
5.12 National Cyber Security Policy, 2013
The National Cyber Security Policy 2013 was released by the Government of India to protect the public and private infrastructure from cyber attacks. It provides a framework for creating a secure and resilient cyberspace for citizens, businesses, and the government.
Vision
To build a secure and resilient cyberspace for citizens, businesses, and Government.
Mission
- Protect information and information infrastructure in cyberspace
- Build capabilities to prevent and respond to cyber threats
- Reduce vulnerabilities and minimize damage from cyber incidents
- Protect critical information infrastructure
Key Objectives
| Objective | Description |
|---|---|
| Secure Computing Environment | Create a secure computing environment for citizens, businesses, and government |
| Regulatory Framework | Strengthen the regulatory framework for ensuring secure cyberspace |
| Security Technologies | Develop 24x7 mechanisms for obtaining strategic information on threats |
| Critical Infrastructure Protection | Enhance protection of critical information infrastructure |
| Indigenous Capabilities | Develop indigenous security technologies and solutions |
| Workforce Development | Create 500,000 cybersecurity professionals through training programs |
Key Strategies
- Creating a secure cyber ecosystem
- Creating assurance framework for design of security policies
- Encouraging open standards
- Strengthening regulatory framework
- Creating mechanisms for security threat early warning, vulnerability management
- Securing e-Governance services
- Protection and resilience of critical information infrastructure
- Promoting R&D in cyber security
- Reducing supply chain risks
- Human resource development
- Creating cyber security awareness
- Developing effective public-private partnerships
- Information sharing and cooperation
- Prioritizing cyber security in all ICT development plans
Key Bodies Established
- NCIIPC: National Critical Information Infrastructure Protection Centre
- NCCC: National Cyber Coordination Centre (for real-time situational awareness)
- CERT-In: Strengthened as national nodal agency
Key Points for Examination:
- Released in 2013 to create secure and resilient cyberspace
- Vision: Secure and resilient cyberspace for citizens, businesses, Government
- Goal: Create 500,000 cybersecurity professionals
- Established NCIIPC for critical infrastructure protection
- Emphasizes public-private partnerships and indigenous capabilities
5.13 International Cyber Law Frameworks
Budapest Convention on Cybercrime (2001)
The Budapest Convention (Council of Europe Convention on Cybercrime) is the first international treaty seeking to address Internet and computer crimes. It was opened for signature in 2001 and has been ratified by 68 countries as of 2024.
| Aspect | Details |
|---|---|
| Purpose | Harmonize national laws on cybercrime; improve international cooperation; establish common investigative techniques |
| Key Provisions | |
| India's Status | Non-signatory. India has not signed the convention, citing concerns over Article 32, which allows transborder access to data without mutual legal assistance |
| Significance | Sets global benchmark; facilitates cross-border cooperation; influences national cyber laws worldwide |
General Data Protection Regulation (GDPR) - EU
The GDPR is the European Union's comprehensive data protection law that came into effect in May 2018. It has influenced data protection laws worldwide, including India's DPDP Act 2023.
GDPR vs. DPDP Act 2023 Comparison
| Aspect | GDPR (EU) | DPDP Act 2023 (India) |
|---|---|---|
| Scope | Organizations processing EU residents' data | Processing of digital personal data in India |
| Consent Mechanism | Granular, specific consent for each purpose | Simplified consent mechanism |
| Data Protection Officer | Mandatory for certain organizations | Required for Significant Data Fiduciaries |
| Maximum Penalty | Up to €20 million or 4% of annual global turnover | Up to Rs. 250 crore (approx. €27 million) |
| Cross-Border Transfer | Strict rules, Standard Contractual Clauses | Government can restrict transfers to certain countries |
| State Exemptions | Limited exemptions for public sector | Broad exemptions for state and security interests |
| Right to be Forgotten | Explicit right under Article 17 | Right to erasure under DPDP Act |
Other International Frameworks
- UN Group of Governmental Experts (GGE): Works on responsible state behavior in cyberspace
- INTERPOL Cybercrime Programme: International police cooperation on cybercrime
- African Union Convention on Cyber Security (2014): Regional African framework
- Commonwealth Cyber Declaration (2018): Commitments by Commonwealth nations
Key Points for Examination:
- The Budapest Convention is the first international treaty on cybercrime (2001)
- India has NOT signed the Budapest Convention
- GDPR is the EU's comprehensive data protection law (2018)
- DPDP Act 2023 was influenced by GDPR but has simplified provisions
- UN GGE works on responsible state behavior in cyberspace
5.14 Cyber Warfare
Cyber Warfare refers to the use of computer technology by nation-states or organizations to attack and attempt to damage another nation's computers, networks, or critical infrastructure. Unlike cyber espionage (covert intelligence gathering), cyber warfare involves deliberate attacks intended to cause damage, disruption, or destruction.
Characteristics of Cyber Warfare
| Characteristic | Description |
|---|---|
| State-Sponsored | Typically conducted by or on behalf of nation-states |
| Strategic Purpose | Aimed at achieving military, political, or economic objectives |
| Destructive Intent | Designed to damage, disable, or destroy systems (unlike espionage) |
| Attribution Difficulty | Challenging to definitively attribute attacks to specific actors |
| Asymmetric | Smaller actors can cause significant damage to larger adversaries |
Types of Cyber Warfare Operations
- Critical Infrastructure Attacks: Targeting power grids, water systems, transportation, financial systems
- Military System Attacks: Disrupting command and control, weapons systems, communications
- Economic Warfare: Attacking financial systems, stock exchanges, banking infrastructure
- Information Warfare: Propaganda, disinformation campaigns, election interference
- Denial of Service: Large-scale DDoS attacks against government and military systems
Notable Cyber Warfare Examples
- Stuxnet (2010): Alleged US-Israel operation that destroyed Iranian nuclear centrifuges; first known cyber weapon causing physical damage
- Estonia (2007): Massive DDoS attacks on Estonian government and banking systems attributed to Russia
- Ukraine Power Grid (2015, 2016): Russian attacks caused widespread power outages
- NotPetya (2017): Russian attack on Ukraine that spread globally causing $10+ billion in damages
- SolarWinds (2020): Russian supply chain attack compromised US government agencies
Difference from Cyber Terrorism (Section 66F)
| Cyber Warfare | Cyber Terrorism (Section 66F) |
|---|---|
| Conducted by nation-states | Conducted by non-state actors (terrorist groups) |
| Strategic military/political objectives | Intent to threaten unity, integrity, security of nation |
| May be part of conventional conflict | Independent terrorist activity using cyber means |
| International law of armed conflict may apply | Criminal law applies (life imprisonment under IT Act) |
India's Preparedness
- Defence Cyber Agency (DCA): Tri-service agency for military cyber operations
- NCIIPC: Protects critical information infrastructure
- NTRO: National Technical Research Organisation for technical intelligence
- CERT-In: National nodal agency for cyber incidents
Key Points for Examination:
- Cyber warfare involves state-sponsored attacks to damage enemy systems
- Different from cyber terrorism (state vs. non-state actors)
- Targets critical infrastructure: power, finance, military systems
- Notable examples: Stuxnet, Estonia attacks, Ukraine power grid
- India has Defence Cyber Agency, NCIIPC for cyber defense
Unit V Summary
- Security policies define organizational rules for protecting information assets, ensuring consistency, compliance, and accountability.
- IT Act, 2000 (amended 2008) is India's primary cyber law, providing legal recognition for electronic transactions and defining cybercrimes.
- Key IT Act sections: Section 43 (unauthorized access), Section 66 (computer offenses), Section 66C (identity theft), Section 66F (cyber terrorism with life imprisonment).
- DPDP Act, 2023 governs personal data protection with key terms: Data Principal (individual), Data Fiduciary (processing entity), and consent requirements.
- Data Principal rights include right to information, correction, erasure, grievance redressal, and nomination.
- DPDP penalties are substantial: up to Rs. 250 crore for security failures, Rs. 200 crore for breach notification failures.
- Intellectual property types include copyright (lifetime + 60 years), patents (20 years), trademarks (10 years renewable), and trade secrets (indefinite).
- IP challenges in cyberspace include software piracy, domain disputes, online counterfeiting, and content scraping.
- Cybercrime reporting is available through cybercrime.gov.in, CERT-In, and local cyber crime cells.