Cybersecurity in India: Regulations, governance, institutional capacity and market

mechanisms

By: Nir Kshetri

Kshetri, Nir (2017). “Cybersecurity in India: Regulations, governance, institutional capacity and

market mechanisms”, Asian Research Policy, 8(1), 64-76.

Made available courtesy of Asian Research Policy and Nir Kshetri:

Abstract:

The meteoric rise in cybercrime has been an issue of pressing concern to businesses and

consumers in India. Among the Indian organizations, which responded to KPMG’s (2014)

Cybercrime Survey report 2014, 89% considered cybercrime as a “major threat” (p, 3). One

estimate suggested that 42 million Indians were victimized online in 2011 (indolink.com, 2012).

Keywords: cybersecurity | cybercrime | India | public-private partnership

Article:

estimate suggested that 42 million Indians were victimized online in 2011 (indolink.com, 2012).

As early as in 2009, it was reported in some Indian cities such as Mumbai in India, there had

been more cybercrime cases were registered with the police than conventional crimes (Hindustan

Times, 2009). According to a 2016 report of the National Crime Records Bureau (NCRB) 11,592

cases of cybercrime cases were registered in India in 2015 (Das, 2017). This is more than 300%

increase of the 2009 level when there were 2,866 reported cybercrime incidents (Economictimes,

2012).

India also generates cybercrimes that affect Internet users worldwide. For instance, according to

term, high-interest loans that are typically applied online. Agents in India with massive amount

of personal data allegedly called potential victims and threatened dire consequences if the

fictitious loans of up to US$2,000 were not repaid. U.S. consumers had lost over US$5 million to

the scam, which had been in operation for two years (Shaftel and Narayan, 2012). Likewise,

India was the top origin country for spam in 2011 and 2012. Similarly, a phishing survey

released by the Anti-Phishing Working Group (APWG) in April 2012 found that India had the

highest phishing top-level domain (TLD) by domain score (calculated as phish per 10,000

domains) in the second half (H2) of 2011 (Kshetri, 2015b).

a poor cybersecurity orientation and weak defense measures among consumers, businesses and

government agencies (Kshetri, 2013). According to a study of the Security and Defense Agenda,

a Brussels-based think-tank, India is among countries most vulnerable to cyberattacks due to a

lack of systems and procedures to defend among the public and private sector (Blitz, 2011).

Due partly to the above trends, many initiatives and efforts of the government and private sector

actors have emerged to strengthen cybersecurity in the country. Table 1 presents some of the key

initiatives on the cybersecurity front. As a major recent regulatory initiative, in July 2013, the

government of India (GOI) released the National Cyber Security Policy (NCSP), which had 14

objectives that included enhancing the protection of critical infrastructure and developing

500,000 skilled cybersecurity professionals in the next five years. The NCSP was formulated in

response to domestic and international pressure to enhance cybersecurity measures.

2011

of separate information security groups within banks and maintenance of adequate

October 2012

example, the Data Security Council of India—a self-regulatory member organization set up by

NASSCOM—imposes a fine of up to US$1 million for member companies that fail to secure

data (Kshetri, 2016b).

Public–private partnerships (PPPs) are probably the most notable feature of the Indian

cybersecurity-related institutions. For instance, a key component of NCSP is the development of

PPP efforts to enhance the cybersecurity landscape. Note that PPPs are especially well-suited for

areas that require diverse types of expertise and knowledge to address complex problems,

including cybersecurity (Yu and Qu, 2012).

In light of the above observations, our goal in this paper is aimed at providing an overview of

mechanisms, functions of relevant actors as well as challenges and opportunities facing India on

the cybersecurity front.

The paper is structured as follows. We proceed by first examining the regulatory environment

related to cybersecurity in India. Next, we discuss private sector initiatives and market

mechanisms in India in this evolving phenomenon. Then, we look at the public–private

partnership in cybersecurity. It is followed by a section on discussion and implications. The final

section provides concluding comments.

2. The Regulatory Environment

India is strengthening cybersecurity-related regulatory and enforcement capacity (Kshetri,

2016a). India is among the first developing countries to criminalize cybercrimes by enacting the

cyberstalking, and cyber-harassment (Hindustan Times, 2006). To address these drawbacks, the

IT (Amendment) Act 2008, added specific provisions to deal with and punish cyber-offenses

such as publication of sexually explicit material, cyber-terrorism, Wi-Fi hacking, child

Supreme Court issued an interim order, which ruled that people cannot be required to have the

Aadhaar identification in order to collect state subsidies (Ribeiro, 2014). Note that the

government of India (GoI) led by the Bharatiya Janata Party (BJP) indicated that it would require

residents to have biometric IDs in order to collect government benefits. The project had set a

target of 1 billion enrolments by 2015 (cio.de, 2014). The biometric ID assigns a person a 12-

digit number, which is called the Aadhaar number. It requires the collection of 10 fingerprints,

iris scans and other information such as the name, date of birth and address and will be hosted in

the eGovernance cloud platform.

The country’s regulatory bodies overseeing various markets have also issued guidelines, best

the knowledge about breach in a bank would help other banks to look for the signatures of the

same type of breach. Likewise, in April 2017, the Insurance Regulatory and Development

Authority of India (IRDAI) has issued guideline, which require all insurance companies in the

country to appoint a Chief Information Security Officer (CISO) (DNA, 2017).

Despite some enforcement activities, however, there is an enormous gap between laws on the

books and the government’s capability to enforce laws. India’s most daunting challenge lies in

overcoming the severe shortage of cybersecurity manpower. For instance, in 2004, of the 4,400

police officers in India’s Mumbai city, only five worked in the cybercrime division (Duggal,

2012). In 2012, the Delhi High Court noted the Delhi police website’s lack of functionality,

calling it “completely useless” and “obsolete” (Nolen, 2012).

In the same vein, consider India’s only Cyber Appellate Tribunal (CAT), which started

functioning since 2006 (catindia.gov.in, 2014). It was reported in June 2014 that the tribunal had

not adjudicated a single case during the previous three years due to the non-availability of the

chairperson and judicial members (Singh, 2014).

Cybercrime awareness level is very low among the law-enforcement community.

For instance, it was reported that when a police officer was asked to seize the hacker’s computer

in an investigation of a cybercrime in India, he brought the hacker’s monitor. In another

cybercrime case, the police seized the CD-ROM drive from a hacker’s computer instead of the

Overall, India is facing a severe shortage of cybersecurity professionals which hampers the

country's ability to fight rapidly rising cybercrime (Kshetri, 2016c). For instance, a large number

and applications, it is important to note that most Indian government agencies’ websites are

hosted by the National Informatics Centre (NIC), which was established by the GoI to promote

IT culture among government organizations. It is argued that NIC-hosted websites are vulnerable

to cyberattacks due to a shortage of manpower, especially IT security auditors. NIC outsources

security audit works due to the lack of manpower. Likewise, in 2011, India’s central bank,

Reserve Bank of India (RBI) introduced a set of recommendations, which include the formation

of separate information security groups within banks and maintenance of adequate cybersecurity

resources based on their size and scope of operation. The country is finding it difficult to enforce

practices (Bradbury 2013).

and integrity of the police in handling cybercrime cases. About 50% of the respondents not

reporting thought that the cases are not dealt with professionally and 30% noted that they had

“no faith” in Gurgaon police (indiatimes.com, 2011).

In one way, there is a vicious circle: a) law enforcement agencies’ unwillingness to put efforts

for investigating cybercrimes and their technological illiteracy indicate that they lack the skills

and capability to address cybercrime related offenses; b) the survey conducted among Gurgaon-

based BPOs indicates that there are low cybercrime reporting rates because of the victims’ lack

of confidence in law enforcement agencies; and c) cybercriminals may become more confident,

As of 2006, no one charged for data fraud in India was convicted (Ribeiro, 2006). As of August

2009, only four people were convicted for cybercrime (Aggarwal, 2009). Until 2010, there was

not a single cybercrime related conviction in Bengaluru, the biggest offshoring hub. The total

number of convicted cases by 2010 was estimated at less than 10 (Narayan, 2010).

One reason behind the low rate of registration of cybercrime cases concerns the barriers, hurdles

and hassles that confront the victims. In some cases, the police show unwillingness to take the

extra work needed for the investigations (Narayan, 2010). There are reports that the police do not

support the victim when they want to report a cybercrime case. Cybercrime victims have also

complained that the police follow a long and inefficient process to build a criminal case (Anand,

2011).

3. Private Sector Initiatives and Market Mechanisms

Due to escalating cyber-threats, cybersecurity has become an area of increasing priority among

enterprises in India. Cybersecurity is reported to account for 30-40% of most overall IT budgets

goes to consulting, implementation, support and managed services (TechTarget, 2014). As a

point of comparison, China’s cybersecurity spending is much higher, which is estimated to

amount US$4.9 billion by 2015 (Kshetri, 2016b).

3.1. Hollow Internet Diffusion and Weak Cybersecurity Measures

The concept of “hollow diffusion” of the Internet among firms may help understand weak

defense mechanisms (Otis and Evans 2003, p. 49). The basic idea behind “hollow diffusion” is

simple: Many organizations digitizing their activities lack organizational, technological and

human resources, and other fundamental ingredients needed to secure their system, which is the

had a CISO or Chief Security Officer (Damouni 2014). CEOs and board often consult CISOs to

understand cyber risk, implement appropriate security controls and promote a culture of defense.

One study suggested that 90% of CISOs are connected directly to their organizations’ top

leadership team, and half of them were on the leadership team (Sweeney 2016). For instance, in

India, except for few firms in banking, financial services and insurance, telecom, and business

process outsourcing (BPO) it is rare to have a CISO in organizations (Pandya 2009).

On the human resources front, demand of cybersecurity professionals greatly exceeds supply.

According to international data corporation (IDC), only 22,000 security professionals were

An adviser to the Information Systems Audit and Control Association noted that India needs

300,000 cybersecurity professionals but there are about 30,000 such professionals (Gent, 2016).

Citing a study by the Indian CERT, an indiatimes.com article reported that Indian organizations

faced a shortage of about 400,000 trained cybersecurity professionals in 2013 (PTI, 2014).

On the technological front, unlike some developing countries, India lacks major anti-virus

companies. For instance, Moscow-based Kaspersky Labs is among the world’s biggest

cybersecurity companies. Some other former second world economies also have top

cybersecurity companies such as the Czech Republic’s AVG Technologies, Romania’s

BitDefender and the Slovak Republic’s ESET (Kshetri, 2011). Likewise, the Belarusian firm

VirusBlokAda was the first company to identify the Stuxnet code in June 2010 (Borland, 2010).

India’s lack of high profile cybersecurity firms is related to the broader problems of the country’s

low R&D profile. Due to India’s poor R&D and innovation performance, some liken economic

“India makes drugs, but copies almost all of the compounds; it writes software, but rarely owns

the result. … [it has] flourished, but mostly on the back of other countries’ technology”

(Economist, 2007).

data, according to a report presented by Science and Technology Minister Kapil Sibal to the

Rajya Sabha, the Upper House of the Indian Parliament, India had 156 researchers in R&D per

million people in 2008. As a point of comparison, according to the World Bank, the

corresponding numbers for other BRIC economies for 2008 were Brazil, 696; China, 1,199; and

Russia, 3,152. Sibal suggested that universities in India were characterized by inferior R&D

quality and capabilities (rediff.com, 2008). A related point is that much of the R&D in India is

geared towards smaller projects that complement other innovation centres in Silicon Valley and

other parts of the world (Economictimes, 2005). Moscow-based Kaspersky Lab’s CEO and

Chairman Eugene Kaspersky put the issue this way: “ [Engineers in] China or India…are good if

challenge has been limited access to funding for such startups. NASSCOM suggested that only

40% of cybersecurity companies had received funding from investors (Srivastava, 2016).

3.2. Underdeveloped Market for Cyber Insurance.

Market forces and mechanisms are evolving that may enhance firms’ cybersecurity

performances. For instance, the cyber liability insurance (data breach insurance) industry and

market are are growing fast in industrialized economies (Kshetri, 2016b). A company is required

to strengthen cybersecurity in order to buy coverage at a lower rate. A system that requires

companies improve their cybersecurity S systems and put efforts to help secure policies

(Business Insurance, 2014). Cyber liability insurance provides coverage for the theft or loss of

first-party and third-party data. For the loss or theft of first-party data, an insurer may cover

expenses related to notifying clients regarding the data breach, purchasing credit monitoring

services for affected customers and launching a public relations campaign to restore the

company’s reputation. Third-party coverage includes claims related to unlawful disclosure of a

third-party's information and infringement of intellectual property rights (IPR) (McGrayer,

McGinnis, Leslie, and Kirkland, 2014).

India is regarded as an underdeveloped market for cyber liability insurance. Until as late as 2008,

there was no insurance company in India that offered an anti-cybercrime policy for a company

(Syed and D’monte, 2008). In the early 2017, insurers such as New India, National, ICICI

Lombard, Tata AIG, HDFC Ergo and Bajaj Allianz offered cyber liability insurance (PTI, 2017).

million (PTI, 2016). The cyber-Insurance market is thus relatively small and immature.

3.3. The Information Technology-Business Process Management (IT&BPM) Sector

an enclave economy in India. Call centers in India have already spread from big cities to

intermediate towns, and even to small towns in rural areas. In this sense, this sector deserves

special attention and should be a prominent subject of discussions in the context of

cybersecurity.

Before proceeding further, it is important to stress that most high-profile and widely publicized

cybercrimes in India are concentrated in the offshoring sector (Kshetri, 2010). The British

Tabloid, Sun, reported that an Indian call center employee sold confidential information of 1,000

bank accounts to its reporter working as an undercover (tribuneindia.com, 2005; Hindustan

Times, 2006). In another case, call center workers at Pune, India, subsidiary of Mphasis, a

2012, two “consultants”, who claimed to be workers in Indian offshoring firms, met undercover

reporters of The Sunday Times. They came with a laptop full of data and bragged that they had

45 different sets of personal information on about 500,000 UK consumers. The information

included credit card holders’ names, addresses, phone numbers, start and expiry dates and

security verification codes. Data for sale also included information about mortgages, loans,

insurance, phone contracts and television subscriptions (Gardner, 2012).

Unsurprisingly firms in the Indian IT&BPM sector are taking strong cybersecurity measures to

prevent attacks on computers by current and former employees (Kshetri, 2013). This is due

criminals. For instance, call centre employees are required to undergo security checks which are

considered to be “undignified” according to the Indian culture (The Economist, 2005). Firms

have established biometric authentication controls for workers and banned cell phones, pens,

paper and Internet/email access for employees for a long time (Fest, 2005). Computer terminals

of firms in the IT&BPM sector (e.g., Mphasis) lack hard drives, email, CD-ROM drives, or other

ways to store, copy or forward data (Engardio et al., 2004). Indian outsourcing firms also

extensively monitor and analyze employee logs (Fest, 2005).

regulation. A highly visible private-sector actor on this front is the National Association of

Software and Services Companies (NASSCOM). NASSCOM was established in 1988 as an

industry-funded not-for-profit organization to contribute to the software industry’s development.

NASSCOM aims to help the IT&BPM sector to be a “trustworthy, respected, innovative and

professional services” (NASSCOM, 2017).

Owing to the rapid rise in data incidents, addressing cybersecurity issues has become

In 2008, realizing the importance of an organization with an exclusive focus on data protection,

NASSCOM established the Data Security Council of India (DSCI). The DSCI is a self-

regulatory member organization. DSCI’s mission is to create trust in Indian companies as global

outsourcing service providers. Its focus on cybersecurity is to “[h]arness data protection as a

lever for economic development of India through global integration of practices and standards

conforming to various legal regimes” (https://www.dsci.in/taxonomypage/1). DSCI took over

most of NASSCOM’s data protection–related activities.

DSCI monitors member companies to ensure they adhere to cybersecurity standards. For

NASSCOM and DSCI also help create awareness of the latest trends in cybercrime and

annual summit since then. In the DSCI Best Practices meeting held in June 2011, issues related

to data protection in cloud computing and compliance were discussed (Haran, 2011). In 2011,

the DSCI announced a plan to set up a cloud security advisory group that would develop a policy

framework. The group would also advise the government on security and privacy issues in a

cloud environment (Das, 2011).

DSCI. Although any company operating in India’s IT&BPM sector might have incentive to join

NASSCOM, DSCI membership is especially important for companies for which cybersecurity is

a key priority. NASSCOM membership fees vary from approximately US$450 to $100,000,

depending on organization size. Many of NASSCOM’s members are also global firms from the

U.S., Europe, Japan, China, South Korea and other countries. NASSCOM thus has a fairly high

level of expertise and the financial resources to take various cybersecurity measures.

A trade association’s enforcement strategy becomes efficient and powerful if a large number of

firms join the association. NASSCOM ex-president Kiran Karnik addressed the importance of

DSCI membership: “While it would be voluntary for the members to be part of the body, it

would ensure at the same time that market forces make it mandatory for companies to register

themselves.” (thehindubusinessline.com 2007).

have taken various initiatives on this arena. During 2015-2016, the DSCI incubated 80

cybersecurity startups (Goswami, 2017).

4. Public–Private Partnership in Cybersecurity

regulatory structure. There is no template for policy development, assessment, and analysis.

Developing templates, monitoring the behaviors of individuals and organizations, and enforcing

regulations require extensive resources and expertise in such areas. However, most governments

in developing countries are characterized by weak public administration, inadequate technical

competence, and lack of political will in the implementation of economic and social policies

(Pughm, 1999).

But there is another point that is perhaps even more important. The way the Indian government is

positioned does not allow it to spend state resources to support a new area at the cost of

competing sectors. If policymakers allocate disproportionately more resources to develop

Pandya, D. (2009). CISO reporting to board of directors: Myth or for real?

<http://www.computerweekly.com/news/1375176/CISO-reporting-to-board-of-directors-Myth-

or-for-real>

PTI (2014). Shortage of over a million cyber security experts globally, The Economic

Times.<http://economictimes.indiatimes.com/tech/internet/shortage-of-over-a-million-cyber-

security-experts-globally/articleshow/29110114.cms?intenttarget=no>

PTI (2016). Cyber insurance premium rates increase after debit cards hack, BGR.

PTI (2017). Banks rush to buy cyber security cover as digital payments rise, The Times of India.

<http://timesofindia. indiatimes.com/business/india-business/banks-rush-to-buy-cyber-security-

cover-as-digital-payments-rise/articleshow/57109647.cms>

Pughm, C. (1999) Getting Good Government: Capacity Building in the Public Sectors of

Developing Countries,” Urban Studies, 36, 2, pp. 400–402.

rediff.com (2008). Researchers? Only 156 per Million in India.

<http://www.rediff.com/money/2008/mar/12rnd.htm>

Ribeiro, J. (2006). India’s Nasscom calls for special cybercrimes court. Network World.

<http://www.networkworld.com/news/2006/090706-indias-nasscom-calls-forspecial.html>

Ribeiro, V. J. (2014). India's biometric ID project is back on track. CIO.

<http://www.cio.de/index.cfm?pid=156&pk=2970283&p=1>

states/Protect-Yourself-from-Cyber-Crime-139126239.html>

Saravade, P., & Saravade, N. (2007). A public-private partnership in India: Broken windows in

cyberspace. The Police Chief, 74(3), 16.

Shaftel, D. and Narayan, K. (2012). Call Centre Fraud Opens New Frontier in Cybercrime.

<http://www.livemint.com/2012/02/26225530/Call-centre-fraud-opens-new-fr.html>

Singh, S.R. (2014). India’s only cyber appellate tribunal defunct since 2011, Retrieve from

<http://www.hindustantimes.com/india-news/india-s-only-cyber-appellate-tribunal-defunct-

Sweeney, B. (2016). Cybersecurity Is Every Executive’s Job. Harvard Business Review.

September 13. <https://hbr.org/2016/09/cybersecurity-is-every-executives-job>

Syed, F., & D’monte, L. (2008). India lags in cybercrime insurance.

<http://www.rediff.com/money/2008/apr/07cyber.htm>

Schwartz, K. D. (2005). The background-check challenge. InformationWeek, 59–61.

<http://www.computerweekly.com/news/2240225781/Indian-businesses-wake-up-to-IT-security-

The Economist. (2005). Business: Busy Signals; Indian Call Centres, The Economist, 376(8443):

66.

thehindubusinessline.com. (2007). Regulator Soon for Monitoring Data Security Standards. 24

Apr. 2007. <www.thehindubusinessline.com/todays-paper/regulator-soon-for-monitoring-data-

security-standards/article1656182.ece>

Thomas, T.K. (2012). Govt will help fund buys of foreign firms with high-end cyber security

tech, <http://www.thehindubusinessline.com/industry-and-economy/info-

tech/article3273658.ece?homepage=true&ref=wl_home>

tribuneindia.com. (2005). Outsourcing crime Call centre expose can wreak havoc.

<http://www.tribuneindia.com/2005/20050625/edit.htm>

Yu, J.X. and Z.Y. Qu. (2012) PPPs: Inter-Actor Relationships Two Cases of Home-Based Care

Services in China,” Public Administration Quarterly., vol. 36, no. 2, pp. 238–264.