#What’sTheStatus: We inquire about the pending National Cyber Security Strategy

Rising instances of data breaches have highlighted the need for n updated National Cyber Security Strategy (NCSS). We wrote to the newly appointed National Cyber Security Coordinator urging them to release a public draft of the updated NCSS.

08 July, 2023
4 min read


The last few months have seen several data breaches including CoWIN, AIIMS, Zivame, and RentoMojo clearly highlighting the need for an updated National Cyber Security Strategy (NCSS). While the call for public consultations was released in 2020 and the strategy has reportedly been in the works since then, a public draft of the NCSS is yet to be released. In the absence of a new NCSS, we are still reliant on the National Cyber Security Policy (NCSP) of 2013 which has left our digital infrastructure vulnerable in the face of contemporary technological advancements. We wrote to the newly appointed National Cyber Security Coordinator urging them to release a public draft of the updated NCSS.

Why should you care

Over 50% Indians are now active internet users, and with the increased emphasis on digitalisation this number is only bound to grow. The rise in internet users has coincided with a significant surge in data breaches. In the preceding 12 months alone, we have seen data breaches targeting prominent platforms such as the CoWIN portal, AIIMS, Zivame, and RentMojo. The rise in cyber attacks have clearly highlighted the need for an updated cyber security policy. Taking cognizance of this, the National Security Council Secretariat started the consultation process for the updated NCSS back in 2020, however we are yet to see a public draft of it.

Rising digitalisation, rising threats

India is projected to have 120 crore internet users by 2026, however our cyber security awareness and  capabilities have not matched this rapid growth. This exponential rise in users has been accompanied by a 117% increase in cybercrimes. CERT-In has also seen an almost 28 times increase in the number of cybersecurity related incidents in 2021 compared to 2017. The COVID-19 pandemic saw a 500% increase in cyber attacks and Former Chief of Defense Late General Bipin Rawat also emphasised on the need for a national framework to thwart online attacks.

India has seen a steady growth in small and medium business which account for 30% of the GDP as per the Confederation of Indian Industry. As per reports, such small and medium businesses are the target of 43% of cyberattacks worldwide and thus an actionable National Cyber Security Strategy is also in India’s economic interests.

Recent Cyber Attacks

The recent CoWIN portal associated data breach resulted in the leak of personal data of vaccinated Indian citizens including several high-profile politicians and Members of Parliament. The leaked details include PAN card number, Aadhaar number, Passport number, phone number etc.

AIIMS Hospital, New Delhi has seen two major cyber attack attempts just in the last 8 months. These cyber attacks on the healthcare sector are clear warning signs highlighting the need for a renewed cyber security strategy. Recently, the former National Cybersecurity Coordinator, Lt. Gen. Rajesh Pant said that the AIIMS ransomware attack prompted the government to formulate a National Cybersecurity Response Framework (NCRF), which would be put in the public domain for the critical infrastructure, such as those in the power and health sectors to implement. During the interaction, Lt. Gen. Pant also focused on the need for inter-ministerial cooperation and setting up of a nodal ministry to address continuously evolving cybersecurity threats.

Cyber attacks have not been limited to government digital infrastructure but also greatly affect the private sector especially with the rise in online businesses. In April 2023, Rentomojo, a furniture and electronics rental startup confirmed a data breach for consumer data including phone numbers, emails, and names etc. Zivame, an e-commerce retailer known for offering a range of products in women's apparel too has fallen prey to a significant data breach which included the personal information of over one million Zivame customers. Back then too, IFF had written to the Director General, CERT-In, Ministry of Electronics and Information Technology urging for an investigation into the Zivame consumer data breach.The regular and large scale data breaches clearly highlight the need to relook our digital infrastructure and cyber security strategy.

IFF’s latest initiative: PlugTheBreach

Data breaches are on the rise around the world, even more dramatically during the COVID-19 pandemic. A data breach exposes confidential, sensitive and protected information to unauthorised actors. As a result of these breaches, data of Indian users is available to any third party over the internet for nefarious use.

The key problem here, and indeed, something that is part of the raison d'etre of the PlugTheBreach initiative is the lack of transparency, which results in a near complete lack of information. In most cases, companies fail to even acknowledge these breaches or inform the affected users about it.

To address this, IFF launched a small-scale initiative, PlugTheBreach which aims to track publicly reported data breaches by providing a database of breaches affecting Indians to increase transparency and public awareness.

Our letter, our asks

In our letter to the newly appointed National Cyber Security Coordinator, Lt. Gen. M.U. Nair we inquire about the status of the NCSS and urge for a timeline for the public release of the draft NCSS.

Previously, the former National Cyber Security Coordinator, Lt. Gen Rajesh Pant (Retd.) had stated that the first version of the National Cyber Security Strategy will be released soon without providing any specific release date. Recently, on June 30, 2023, CERT-In issued “Guidelines on Information Security Practices for Government Entities”. While these guidelines address cyber security concerns for government held data and public cyber security infrastructure, there is still a pressing need to address similar concerns for the private sector, the direction for which may be set through an updated and robust NCSS.

  1. Our letter to the National Cyber Security Coordinator requesting an updated NCSS (link)
  2. “Guidelines on Information Security Practices” for Government Entities for Safe & Trusted Internet released by CERT-In & MeitY (link)

    This post has been authored by Policy Intern Saharsh Panjwani and reviewed by the IFF Policy Team.

Subscribe to our newsletter, and don't miss out on our latest updates.

Similar Posts

#FreeAndFair: Launching IFF’s Election Website

As the country gears up for the 2024 Lok Sabha elections, we watch every technological development that may affect electoral integrity. Visit the IFF election website freeandfair.in to read about IFF’s actions and efforts. 

5 min read

Your personal data, their political campaign? Beneficiary politics and the lack of law

As the 2024 elections inch closer, we look into how political parties can access personal data of welfare scheme beneficiaries and other potential voters through indirect and often illicit means, to create voter profiles for targeted campaigning, and what the law has to say about it.

6 min read

Press Release: Civil society organisations express urgent concerns over the integrity of the 2024 general elections to the Lok Sabha

11 civil society organisations wrote to the ECI, highlighting the role of technology in affecting electoral outcomes. The letter includes an urgent appeal to the ECI to uphold the integrity of the upcoming elections and hold political actors and digital platforms accountable to the voters. 

2 min read

Donate to IFF

Help IFF scale up by making a donation for digital rights. Really, when it comes to free speech online, digital privacy, net neutrality and innovation — we got your back!