tl;dr
The last few months have seen several data breaches including CoWIN, AIIMS, Zivame, and RentoMojo clearly highlighting the need for an updated National Cyber Security Strategy (NCSS). While the call for public consultations was released in 2020 and the strategy has reportedly been in the works since then, a public draft of the NCSS is yet to be released. In the absence of a new NCSS, we are still reliant on the National Cyber Security Policy (NCSP) of 2013 which has left our digital infrastructure vulnerable in the face of contemporary technological advancements. We wrote to the newly appointed National Cyber Security Coordinator urging them to release a public draft of the updated NCSS.
Why should you care
Over 50% Indians are now active internet users, and with the increased emphasis on digitalisation this number is only bound to grow. The rise in internet users has coincided with a significant surge in data breaches. In the preceding 12 months alone, we have seen data breaches targeting prominent platforms such as the CoWIN portal, AIIMS, Zivame, and RentMojo. The rise in cyber attacks have clearly highlighted the need for an updated cyber security policy. Taking cognizance of this, the National Security Council Secretariat started the consultation process for the updated NCSS back in 2020, however we are yet to see a public draft of it.
Rising digitalisation, rising threats
India is projected to have 120 crore internet users by 2026, however our cyber security awareness and capabilities have not matched this rapid growth. This exponential rise in users has been accompanied by a 117% increase in cybercrimes. CERT-In has also seen an almost 28 times increase in the number of cybersecurity related incidents in 2021 compared to 2017. The COVID-19 pandemic saw a 500% increase in cyber attacks and Former Chief of Defense Late General Bipin Rawat also emphasised on the need for a national framework to thwart online attacks.
India has seen a steady growth in small and medium business which account for 30% of the GDP as per the Confederation of Indian Industry. As per reports, such small and medium businesses are the target of 43% of cyberattacks worldwide and thus an actionable National Cyber Security Strategy is also in India’s economic interests.
Recent Cyber Attacks
The recent CoWIN portal associated data breach resulted in the leak of personal data of vaccinated Indian citizens including several high-profile politicians and Members of Parliament. The leaked details include PAN card number, Aadhaar number, Passport number, phone number etc.
AIIMS Hospital, New Delhi has seen two major cyber attack attempts just in the last 8 months. These cyber attacks on the healthcare sector are clear warning signs highlighting the need for a renewed cyber security strategy. Recently, the former National Cybersecurity Coordinator, Lt. Gen. Rajesh Pant said that the AIIMS ransomware attack prompted the government to formulate a National Cybersecurity Response Framework (NCRF), which would be put in the public domain for the critical infrastructure, such as those in the power and health sectors to implement. During the interaction, Lt. Gen. Pant also focused on the need for inter-ministerial cooperation and setting up of a nodal ministry to address continuously evolving cybersecurity threats.
Cyber attacks have not been limited to government digital infrastructure but also greatly affect the private sector especially with the rise in online businesses. In April 2023, Rentomojo, a furniture and electronics rental startup confirmed a data breach for consumer data including phone numbers, emails, and names etc. Zivame, an e-commerce retailer known for offering a range of products in women's apparel too has fallen prey to a significant data breach which included the personal information of over one million Zivame customers. Back then too, IFF had written to the Director General, CERT-In, Ministry of Electronics and Information Technology urging for an investigation into the Zivame consumer data breach.The regular and large scale data breaches clearly highlight the need to relook our digital infrastructure and cyber security strategy.
IFF’s latest initiative: PlugTheBreach
Data breaches are on the rise around the world, even more dramatically during the COVID-19 pandemic. A data breach exposes confidential, sensitive and protected information to unauthorised actors. As a result of these breaches, data of Indian users is available to any third party over the internet for nefarious use.
The key problem here, and indeed, something that is part of the raison d'etre of the PlugTheBreach initiative is the lack of transparency, which results in a near complete lack of information. In most cases, companies fail to even acknowledge these breaches or inform the affected users about it.
To address this, IFF launched a small-scale initiative, PlugTheBreach which aims to track publicly reported data breaches by providing a database of breaches affecting Indians to increase transparency and public awareness.
Our letter, our asks
In our letter to the newly appointed National Cyber Security Coordinator, Lt. Gen. M.U. Nair we inquire about the status of the NCSS and urge for a timeline for the public release of the draft NCSS.
Previously, the former National Cyber Security Coordinator, Lt. Gen Rajesh Pant (Retd.) had stated that the first version of the National Cyber Security Strategy will be released soon without providing any specific release date. Recently, on June 30, 2023, CERT-In issued “Guidelines on Information Security Practices for Government Entities”. While these guidelines address cyber security concerns for government held data and public cyber security infrastructure, there is still a pressing need to address similar concerns for the private sector, the direction for which may be set through an updated and robust NCSS.
Important Links:
- Our letter to the National Cyber Security Coordinator requesting an updated NCSS (link)
- “Guidelines on Information Security Practices” for Government Entities for Safe & Trusted Internet released by CERT-In & MeitY (link)
This post has been authored by Policy Intern Saharsh Panjwani and reviewed by the IFF Policy Team.