India has been following cyber security and cyber law issues for long. The Information Technology Act, 2000 (IT Act 2000) is the cyber law of India that deals with cyber law and cyber security issues in India. It has been amended from time to time and many rules and regulations have been formulated under the IT Act 2000 from time to time. These rules pertain to data protection, data security, cyber security, Internet intermediary liability, etc. However,. this approach of making crucial laws by rules is not a good sign and it only proves that India is not capable of formulating full fledged techno legal laws in the fields like cyber law, cyber security, cyber forensics, e-discovery, Internet of things (IoT), smart cities, etc.
For instance, we need a dedicated, comprehensive and holistic techno legal cyber law for India. The old one must be repealed
and a new one must be enacted as soon as possible. Similarly, dedicated laws for cyber security, cyber forensics, etc must be formulated and the half hearted approach of Indian government must be abandoned as soon as possible. If Indian government is serious in making digital India, digital payments, make in India, etc successful, then it cannot take a shortcut of rules making exercise that is many cases is also violative of provisions of Indian Constitution.
As there is no compelling legal requirements, cyber security and cyber law due diligence
(pdf) are largely ignored in India by various stakeholders. There is no compulsion to report cyber breaches
in India and cyber attacks are comfortable ignored by banks, companies and even by public sector undertakings (PSUs) in India. And if this was not enough, the Supreme Court of India
has killed cyber law due diligence requirement in India to a great extent.
We are living in dangerous cyber times that require robust, resilient and techno legal cyber security infrastructure of India
. We cannot remain contended by addressing websites defacement issues alone. If you analyse the media coverage of cyber issues, you would see that most of them are covering websites defacement as a cyber warfare
event between India and Pakistan. Websites defacement is not even low hanging fruits within the cracker's community and even script kiddies do not indulge in such activities. Clearly our understanding of cyber attacks, cyber security and cyber warfare
(pdf) is totally wrong and we are simply clueless in this regard.
Crucial, sensitive and confidential data and information is the real asset in present times especially if it pertains to sensitive government functions. Surprisingly, we do not have any cyber espionage policy of India
(pdf) even in 2017. Even otherwise, policy or law is the first step and its actual implementation is a totally different story. For instance, consider the cyber security policy of India
that is not only defective but has also remain non operational since 2013. What is the use of having a cyber security policy that is neither effective nor implementable?
All this is happening because we do not have skilled cyber security workforce in India. Perry4Law's Techno Legal Base (PTLB)
has been suggesting for cyber security skills development in India
since 2011. We also suggested in 2015 that a new cyber security policy of India
must be formulated but no concrete step has been taken by Indian government in this regard so far. All cyber security related issues are managed at snail pace in India by successive governments from time to time.
Take the example of cyber security of banks in India
that is not in good shape. Reserve Bank of India (RBI) prescribed a September 30, 2016 deadline
for the banks to make the cyber security of their banking infrastructure robust and strong. However, till January 2017, no bank has complied with this direction. Even worst, if a bank customer is defrauded of her hard earned money, there is no mechanism to get back the same in a timely and hassle free manner. So Indian banks are telling loud and clear that they would neither ensure robust cyber security for bank customers and if somebody looses money, she has to bear with the loss as well. It is next to impossible for such customer to prove that the money is gone without her mistake or negligence.