The rapid pace of digitalisation poses new national security risks for countries like India, a country with over 700 million internet users. The multilayered digital ecosystem comprising of infrastructure, devices and applications is complex, and security threats evolve at a breakneck pace. This makes it difficult for states to develop an effective response to individual or organisational security threats. India therefore has often had to resort to broad trade and market restrictions, rather than nuanced regulation, as the latter requires considerable institutional capacity for oversight and enforcement. This brief outlines a graded approach which can help identify a hierarchy of priorities to efficiently employ limited state capacity towards the most critical challenges in digital security.
Attribution:
Utsav Mittal, “A New Framework for a Secure Digital India,” ORF Issue Brief No. 422, November 2020, Observer Research Foundation.
Introduction
Across the globe, governments are putting national security considerations at the centerstage of their regulatory interventions. These regulations cover domains that in recent years have included non-traditional security concerns. In the area of investments, for example, many countries have modified their rules, two and a half decades since the establishment of the global trade order under the aegis of the World Trade Organization.[1] Globally, foreign investments worth more than US$ 150 billion have either been blocked or withdrawn for national security reasons in the period from 2016 to September 2019.[2] For instance, the president of the United States (US) prohibited the proposed takeover of chipmaker Qualcomm by Singapore-based Broadcom for national security reasons.[3]
More recently, such national-security compulsions have guided rule-making in the area of digitalisation. The Indian government, for example, has banned more than 150 China-origin applications due to security concerns.[4] In the US, the president issued in August this year, two executive orders to restrict transactions by US users and entities with ByteDance and Tencent, both China-owned corporations, which own the popular social media platforms, TikTok[5] and WeChat.[6] Other notable instances of such actions include Russia’s barring of the use of LinkedIn in 2016[7] and the US’ ban on Russian security company, Kaspersky.[8]
Rules governing the behaviour of digital players are evolving as nations experiment with different approaches and consider diverse policy priorities and objectives. Governments are increasingly concerned about protecting personal information, and arresting the incidence of cybertheft that has affected consumers and businesses. On 16 June 2020, India’s Computer Emergency Response Team (CERT-In) issued an advisory that large-scale phishing attacks may be launched against Indian businesses.[9]
The imperative is to find a balance between trade priorities and national security. Indeed, digitalisation has made economies vulnerable to security threats. This is because of the nature of the internet being a bidirectional medium that offers an enhanced level of access to information about individuals, thereby potentially compromising their privacy and security. Social-media platforms, for example, make users susceptible to manipulation. There have been cases in different parts of the world of threat actors using social media to influence electoral outcomes and threaten social stability.[10]
According to the Organisation for Economic Cooperation and Development (OECD)’s Digital Trade Service Restrictiveness Index, only four countries out of 46 surveyed by the OECD have lowered their trade barriers during the period 2014 to 2019.[11] The majority either heightened their digital services trade restrictiveness or maintained the same level. In India, restrictiveness index increased from 0.21684 to 0.34339 during the same period.
Figure 1.Digital Services Trade Restrictiveness Index (2019)
This brief outlines a plausible strategy that will help India address its national security concerns whilst ensuring an open trade environment.
National Security Considerations
Sovereign nations are equipped with wide powers to deal with what they themselves define as challenges to their national security. This allows governments to respond to different threats that may evolve or emerge over time. A strategy aimed at addressing these concerns must be underpinned by a concrete understanding of what comprises “national security”, to begin with.
Security risks can be categorised into two broad classes: internal (homeland) security, and external security. These threats are further classified as externally-aided internal, and internally-aided external risks. Internal homeland security deals with issues related to public order within the country. In India, the Ministry of Home Affairs lists the following key issues in the country’s internal security: a) terrorism in the hinterlands; b) Left-Wing Extremism in specific areas; c) the security situation in Jammu and Kashmir; and c) insurgency in the northeastern states. External security, as the name suggests, is concerned about the security risks emanating from outside India’s borders.
In an increasingly globalised and connected world, the line between internal and external threats can get increasingly blurred. The emergence of data-driven businesses has caused fundamental shifts in the Indian and global economy alike, leading to new modes of communication and information-sharing, business models, and sources of job growth. India is also fast approaching around 700 million broadband users and will see millions more over the next few years.[13]
Cyber security as national security
Cyber security finds its roots in traditional military principles: many of its basic covenants have been adopted from traditional military security principles such as “need-to-know” and “least-privilege”.[a] To begin with, the internet as the world knows it today, has evolved from military technology— i.e., the Advanced Research Projects Agency Network (ARPANET).[14] Over the years, it has had a transformational impact across the globe.
In India, this has three interrelated elements: the unprecedented adoption of smartphone use in the country; the presence of a young and technology-savvy population, and affordable access to internet services and devices. Furthermore, the push for digitalisation by the government, through flagship initiatives under the overarching ‘Digital India’ banner, is also a key driver of the ongoing digital transformation.[15]
Indeed, the government’s digitalisation efforts have been buoyed by the restrictions on movement that were put in place to respond to the COVID-19 pandemic. Consumers are using digital applications to buy consumer durables and necessities, for telemedicine, and for connecting with their friends and family. According to the Reserve Bank of India (RBI), India is recording around 100 million digital transactions every day, with a volume of INR 5 trillion ($67 billion).[16] This represents approximately a five-fold increase from the 2016 levels. The RBI expects digital transactions to continue on a growth trajectory; estimates suggest an increase to 1.5 billion transactions a day worth INR 15 trillion by 2025.[17]These figures show that even as the Indian economy has suffered a slowdown because of the pandemic, the country’s digital retail market has earned.
At the same time, cyberattacks have surged. India saw a 37-percent increase in cyberattacks in the first quarter (Q1) of 2020, as compared to the fourth quarter (Q4) of the previous year, according to the Kaspersky Security Network.[18] As India’s workforce shift to remote infrastructure, instances of identity theft, and malicious payload delivery has witnessed a spike.[19] Breaches by information-stealing malwares like AZORult have been observed in India—they are used to steal users’ browsing history, cookies, IDs and passwords, cryptocurrency, and are also able to download additional malware onto devices.[20]
The threats to national security can be far more insidious. In the United States (US), for instance, the data consulting firm Cambridge Analytica was exposed to having used Facebook to access the personal data of almost 50 million profiles and influence the outcome of the US elections. The data were catalogued into psychological profiles, allowing Analytica to build an algorithm that skewed news results in those users’ Facebook news feeds.[21] Scholars have argued that such incidents are continuously testing the conventional understanding of the nature of risks to national security.[22]
Following the revelation in March 2018, India’s Expert Committee on Data Protection, headed by Justice (retd.) B.N. Srikrishna, noted:
“the incident (Facebook-Cambridge Analytica), unfortunately is neither singular, nor exceptional. Data gathering practices are usually opaque, mired in complex privacy forms that are unintelligible, thus leading to practices that users have little control over.”[23]
India’s Approach: An Evaluation
Governments regard strategic industries and critical infrastructure as key to countering internal and external threats to national security. “Strategic industries” include those that are crucial for the economic development of a country; “critical infrastructure” are sectors that are vital not only for the economy, but on other pillars of society as well (e.g. power, transportation, and finance).
India’s Information Technology (IT) Act defines Critical Information Infrastructure (CII) as computer resources whose incapacitation or destruction will have debilitating effects on India’s security, economy, public health, or safety.[24] The National Cyber Security Policy (NCSP) 2013 delineates CII protection as a national priority that requires the sharing of responsibility between the public and private sector. The policy outlines the importance of establishing a National Critical Information Infrastructure Protection Centre (NCIIPC).
The Indian government has thus established a nodal NCIIPC under the National Technical Research Organisation (NTRO), the intelligence agency under the Prime Minister’s Office.[25] The NCIIPC’s key functions include: identifying all elements of CII for government approval; issuing threat-related advisories; and offering requisite leadership and coordination to effectively respond to threats against identified CIIs. It is also assigned the responsibility to coordinate and share strategic information with the CERT-In.[26]
At present, CIIs under each critical sector are identified based on parameters such as “functionality; criticality; scale; degree of complementarities; political, economic, social and strategic values; degree of dependence; and sensitivity.[27]There are six critical sectors, according to the government’s definitions: banking, financial services, and insurance; transport; telecommunications; power and energy; government; and strategic and public enterprises. Operational technology (OT)—which helps in monitoring, managing, and controlling physical devices and related functions—is a vital cog within the CII sectors.[28] These systems are collectively known as cyber physical systems. Cyberattacks on cyberphysical systems can therefore risk disruption of services in the critical sectors such as hydropower plants and dams, satellites, power plants, and electricity grids. Reliance on OT due to increased digitalisation, has in turn heightened the vulnerabilities of CIIs.
A graded approach
Categorising certain sectors as “critical” allows the government to focus its enforcement activities on the most vulnerable and high-impact sectors. This is especially required for a country like India where capacity constraints hamper the government’s management of each and every threat that exists. Indeed, such graded and risk-based approach is increasingly being adopted by many other countries across the globe.
To begin with, “risk” is understood as the combination of the likelihood of an adverse event (hazard, harm) occurring, and of the potential magnitude of the damage caused (itself combining the number of people affected, and severity of the damage for each).[29] In contrast to a one-size-fits-all approach, a risk-based approach is tailored, providing benefits to consumers and businesses alike.
The US’ National Institute of Standards and Technology (NIST) maintains that risk-based approaches help ensure network security, as more effective investment decisions are made with better measurements of risks, costs, and benefits of cybersecurity strategies.[30] Similarly, Germany has designed rules specific to social-media intermediaries. Germany’s Netzwerkdurchsetzungsgesetz (NetzDG), also referred to as the Network Enforcement Act, applies to social network platforms with more than two million users.[b],[31] These threshold limits are an acknowledgment of the network effects[c] that play out on large social-media platforms.
These graded approaches are not new to India. The Personal Data Protection Bill, 2019 proposes to designate certain data fiduciaries i.e. entities collecting and processing personal data as “significant data fiduciaries”. Section 26 of the Bill provides that the Indian government designate a social media company whose actions have, or are likely to have a significant impact on electoral democracy, the security of the State, public order, or the sovereignty and integrity of India as a significant data fiduciary, in consultation with the proposed Data Protection Authority.[32] The rationale behind this is to distinguish and place additional obligations on entities that are capable of causing significantly greater harm to Indian users as a consequence of their data processing activities. Similarly, RBI has differential Master Directions for IT and cybersecurity, for NBFCs having asset size above and below INR five billion.[33]
Tackling the Threats
After the identification of relevant entities from a security standpoint, India can follow a three-pronged approach to developing the country’s cyber-resilience.
Standards and Testing
Standardisation is a crucial component in developing cyber-resilience. Often seen as an obligation that drains resources, standardising information-security protocols helps by improving the effectiveness and efficiency of cyber-defense processes; facilitating interoperability and systems integration; simplifying complex cyber environments; and deploying new technologies and business solutions.[34]
India’s Information Technology Act, 2000, lays down regulations for data security. Specifically, Section 43A of the Act[35] and the Rules on sensitive personal data (SPD Rules)[36] provide for the maintenance of reasonable security practices. Rule 8 defines “reasonable security practices” as the implementation of security practices and standards, a comprehensively documented information security program, and information security policies that contain managerial, technical, operational, and physical security control measures commensurate with the information assets being protected and the nature of the business. The ISO/IEC 27001 international standard is a recognised standard under the SPD Rules. [d]However, there is little evidence of strict enforcement.
India can consider adopting ISO 27701, which is considered as a privacy extension of the 27001 standard.[37] The ISO 27701 standard helps an organisation in establishing a framework for the protection of privacy, provides guidance on how institutions should handle sensitive personal data, and helps in demonstrating compliance with different privacy regulations across the world. It also specifies a Privacy Information Management System (PIMS) and provides a framework for managing Personally Identifiable Information (PII).
The use of the Common Criteria Certification Scheme, which has been adopted by jurisdictions such as the US, Singapore, and the European Union, also offers a useful alternative. For reference, the Common Criteria for Technology Security Evaluation is an international standard (ISO/IEC 15408), that provides an infrastructure within which participating organisations can specify functional and assurance requirements, businesses can develop and claim specific product qualities, and testing facilities can examine products to determine whether they meet those claims. Evaluation Assurance Level (EAL) is assigned to a computer system after the evaluation, which indicates the level at which a system was tested. Domestic regulators such as the Securities and Exchange Board of India (SEBI) have also embraced the Common Criteria Scheme.[38]
A critical advantage of mandating Common Criteria Certification to a specific entity is the relative ease in rolling out such obligations. India is already a member of the Common Criteria Mutual Recognition Arrangement (CCMRA). This arrangement enables the recognition of evaluation done by one member country in another. More than 30 countries have signed the arrangement so far, including the US, Singapore, Japan, Canada, and Australia.[39]
In India, the Standardisation Testing and Quality Certification (STQC) Directorate, which is attached to the Ministry of Electronics and Information Technology (MeitY) acts as the Certification Body. The Directorate has established testing centers in West Bengal, Maharashtra, Karnataka, and Delhi.
Enacting a Data Protection Framework
A comprehensive data protection framework is vital to lay down the do’s and don’ts for 21st-century businesses. India’s effort to draft its data protection legislation began in 2017 with the establishment of the Committee of Experts under the chairmanship of Justice (retd.) B.N. Srikrishnan. Since 2017, a white paper has been released,[40] as well as a report of the Committee of Experts[41]and two bills (in 2018[42] and 2019[43]). The Joint Parliamentary Committee is in the process of examining the latest draft of the Personal Data Protection Bill.[44]The Parliamentary Committee was supposed to submit its report by the last week of March 2020. However, due to the ongoing pandemic, the deadline has been extended to the second week of the Parliament’s winter session.[45]
The 2019 version of the Bill places restrictions on cross-border transfer of sensitive and critical data. Critical personal data may only be processed in India, as per the Bill. The Bill also calls for mandating data security audit obligations on significant data fiduciaries and providing legal backing to the anonymisation of data sets. The Bill establishes a Data Protection Authority to supervise relationships between data fiduciaries and data principal, i.e. individuals to whom the data relates. These measures are critical in responding to cyber-threats and from an enforcement standpoint as well.
Preparing the Cyber-Workforce
Building a cyber-resilient society is a shared responsibility of the private sector and government. Apart from developing organisational resilience to cyber threats, it is critical to sensitise users about digital risks. The Indian government will have to encourage private parties that meet the threshold detailed earlier in this brief, to spend a specific percentage of their revenue towards cybersecurity awareness initiatives.
This can be done along the lines of the corporate social responsibility framework (CSR). Section 135 of the Indian Companies Act, 2013[46] mandates every company having a net worth of INR 5 billion or more, or turnover of INR 10 billion or more or a net profit of INR 50 million or more during any financial year to spend at least two percent of its average net profits during the three immediately preceding financial years for CSR. In this regard, Schedule VII of the Act[47]provides a list of activities that can be considered as a CSR activity. A similar framework for digital platforms, above a certain threshold, should be explored.
Recommendations
The Indian government should consider adopting a risk-based and graded approach to counter national security risks posed by digitalisation. This brief recommends a holistic assessment based on the following criteria:
Number of Indian users. The simplest way of operationalising this would be to define a user-based threshold that indicates a sustained and significant involvement of a platform. Needless to say, the threshold should be a proportional representation of India’s total population. The threshold is premised on the principle that sustained engagement and active participation of users can make the business vulnerable to external threats, and therefore the need to adopt a more robust security architecture.
Type of Data collected/processed. The second criteria is the type of data collected or processed by a business entity. The categorisation is based on the overall assessment of the following parameters: nature of data processed i.e. sensitive data or not; type of processing activity i.e. collection, use, or disclosure; risk of harm resulting from any processing undertaken; and whether an entity is using any new kind of technology to carry out the processing activity. This criterion is premised on the fact that collection of sensitive data—such as biometrics and genetic information—allows the business to undertake large-scale profiling and can significantly endanger security interest in case of a breach.
The sector in which the entity operates. To identify if the activities have a likely impact on the strategic or critical interest of India.
Box 1. Applying the graded approach to banned applications
On 2 September 2020, the Ministry of Electronics and Information Technology (MeitY) banned 118 applications for reasons of national security. To apply the graded approach, this brief takes a sample of 10 out of the 118 applications. Rangers of Oblivion, Web Browser – Secure Explorer, Baidu, Apus launcher, Apus Flashlight, Gallery Vault, Government WeChat, Carrom Friends, Hide App – Hide Application, and Smart App Lock.
Out of these 10, only 3 applications i.e. Carrom Friends, Hide Application, and Smart App Lock have more than five million users each. For ease of reference, five million users have been used as the threshold for the number of users[1]. Smart App Lock and Hide Application required permission like access to location, camera, fingerprint, and network usage history. Consequently, they gain access to the user’s geo-location and biometric-data. While Carrom Friends only requires minimal and necessary permissions like access to the network and preventing the screen from dimming.
Therefore, only two applications (out of 10) would qualify for scrutiny under the graded approach.
Conclusion
The number of internet users in India is expected to reach one billion by 2025.[48]As consumers shift increasingly to digital alternatives, businesses are also innovating constantly to serve changing needs. A distinguishing feature of the 21st century data-driven businesses is their ability to innovate at a brisk pace. This allows them to consistently tweak their business models to cater to dynamic consumer demands. However, as data-driven businesses occupy centerstage in the global economy, the concomitant cyber-threats raise security concerns for governments across the globe.
India will have to carefully curate a strategy to ensure that the country can exploit the economic potential of the digitalisation of the economy, while developing cyber-resilience. Such a strategy should be underpinned by trust and confidence between businesses, government, and consumers. One method of achieving this is to work towards a standards-based framework. The Common Criteria Certification Scheme along with ISO 27001/27701 can be used to mitigate security risks. In this context, a graded approach to scrutinise digital businesses based on thresholds provided in this brief—or any other threshold determined by the government—can allow the effective allocation of finite government resources. In addition, such an approach can ensure that small businesses and startups are not overburdened with compliance costs. To put it differently, businesses that cross thresholds should be mandated to get their IT systems certified against the applicable standards, while the certification remains voluntary for others.
Besides developing a robust technical infrastructure to minimise cyber-risks, other measures such as the enactment of a data protection law, and encouraging businesses to train and educate the workforce should be pursued. These measures can help in tackling the ever-evolving cyber threats and risks, and lay the foundation for a safe and secure future.
About the Author
Utsav Mittal is a Certified Information Systems Security Professional (CISSP), and a graduate of CERIAS, Purdue University, Indiana. He is CEO and Founder at Xiarch, A Pure Play Cyber Security, Risk and Compliance services provider. He is also the President and founder at (ISC)^2 Delhi chapter. He can be reached at [email protected].
Endnotes
[a] These principles are premised on the idea that every entity or every user of the system should operate using the least set of privileges necessary to complete the job. Primarily, it limits the damage that can result from an accident or error. See Fred B. Schneider, ‘Least Privilege and More’
[c] ‘Network effects’ take place when a platform links multiple sides of a market in ways that are increasingly valuable to those on one side, as the number of participants on the other side increases. Therefore, the influence and impact of social media sites multiply with larger numbers of users.
[3] The White House, “Presidential Order Regarding the Proposed Takeover of Qualcomm Incorporated by Broadcom Limited,” March 12, 2018, Executive Order.
[9] Indian Computer Emergency Response Team, “COVID related Phishing Campaign by Malicious Actors”, June 19, 2020, Advisory No. CIAD 2020-0040.
[10] Samantha Bradshaw, and Philip. N. Howard, “Challenging Truth and Trust: A Global Inventory of Organized Social Media Manipulation”, Oxford, UK: Project on Computational Propaganda.
[26] The Information Technology (National Critical Information Infrastructure Protection Centre and manner of performing functions and duties) Rules, 2013, See Rule 4
[27] National Critical Information Infrastructure Protection Centre, ‘Guidelines For The Protection Of National Critical Information Infrastructure’ (National Critical Information Infrastructure Protection Centre 2015)
[37] The International Organization for Standardization, Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines, August, 2019, https://www.iso.org/standard/71670.html
[38] The Securities and Exchange Board of India, Cyber Security & Cyber Resilience framework for Stock Brokers / Depository Participants, December 03, 2018,
The views expressed above belong to the author(s). ORF research and analyses now available on Telegram! Click here to access our curated content — blogs, longforms and interviews.
Utsav Mittal is a Certified Information Systems Security Professional (CISSP) and a graduate of CERIAS Purdue University Indiana. He is CEO and Founder at Xiarch ...