India is under threat and is totally unprepared to meet the cyber security challenges in the era of rapid digitisation, with a company or an organisation or an individual being attacked every 11 seconds. While there is no bill that takes care of cyber issues, the current legislations are inadequate to deal with cyber security, data protection, data privacy and cyber crimes. Supreme Court advocate and an eminent expert on cyber law Pavan Duggal in discussion with Amit Mukherjee throws light on various aspects of cyber security.
Excerpts:
As India is moving towards large-scale digitisation, what are the challenges ahead?
Thanks to the initiatives taken by the government to make life easy in terms of payments and other services moving ahead, there are immense amounts of challenges and the biggest of them is cyber security. Today, Indian systems are being targeted and hacked like nobody’s business. The recent ransomware attack on AIIMS is a classical example of this. Similarly, the all-India ransomware attack in March 2022 was an alarm to show us where we stand. Post-covid-19, the world has entered a new cyber age. In fact, the golden age of cybercrime has also begun with covid-19 and India has suddenly seen the proliferation of the Jamtara model of cyber crimes that has mushroomed into a cottage industry. Unfortunately, there is no legal framework to counter this proliferation.
How effective are the existing Indian laws to curb cyber threats and fraud?
The Indian Information Act 2000, the only act in place today, is not effective at all. The Act was enforced two decades back and it was aimed at enabling e-commerce in the IT sector. It granted legality to electronic format and was not enough to drive the digital India Initiative into the future. Even though the amendments were made in 2008, it was a mistake to make all cybercrimes bailable offences. As a result, while the crimes kept increasing, there was a famine of convictions because offenders on bail manage to manipulate and destroy evidence.
The IT law today is crying for amendments. In fact, India today lacks the legal framework to foment a healthy digital nation ecosystem. There is no law to deal with issues pertaining to social media, Artificial Intelligence, blockchain and many other internet-related things. But with appropriate amendments, the law can be made potent!
Are we armed to tackle the emerging threats of the cyber age?
India is not at all secure and unprepared to meet the digitisation-based cyber security challenges. We must acknowledge that every 11 seconds, a company, an organisation or an individual is becoming a victim of a ransomware attack, In fact, the AIIMS attack is one of the biggest cyber assaults on India targeted at the Indian health ecosystem. We will see a steep rise in such attacks and unfortunately, we don’t have a legal framework yet to deal with ransomware assaults. The IT act is silent on it and India does not have a dedicated law on cybersecurity. There is an immediate requirement for appropriate readiness models and mechanisms to deal with such attacks.
Under the current scenario, how do you see threats taking shape?
Cyber security is the biggest challenge that India is currently facing. All networks — from Mumbai grid, Kudankulam Nuclear Power Station, government websites or corporates and even individuals — are under attack. But we do not have legal frameworks to deal with such vulnerabilities. India lacks a dedicated cyber security law. Countries like China, Vietnam, Singapore, and Australia have dedicated laws which are helping them to deal with cyber security challenges.
Will the Digital Personal Data Protection Bill 2022 take care of the situation?
Well, though the draft is coming up for comments and discussion, it’s a laid-back process. Primarily, it is not dealing with the complex issue of data protection in a holistic manner. The said legislation has been drafted in a siloed approach. No Data Protection is complete or possible without appropriately addressing cyber security. The bill is silent on data security.
Besides, it’s one step forward, three steps backward as it’s coming up with challenges and is in conflict with the mother bill — the Indian IT Act 2000, The bill entirely negates the concept of data localisation. If this bill is passed in its current form, it will have a huge detrimental impact not just the cyber sovereignty but also on the security and integrity of India.