Deep Notes

Cyber Security and National Security

CERT-In, the NCIIPC, the National Cyber Security Policy 2013, the Information Technology Act, the digital threats to the forces, and the human-rights and privacy balance


Why this matters for CAPF

Cyber security is the newest dimension of national security, and the examination has moved to test it, both as institutions and policy and as a security-and-rights theme. The forces themselves are targets: their communications, databases and critical-infrastructure dependencies are vulnerable, and a CAPF officer must understand the threat and the machinery that counters it. This note assembles the institutions (CERT-In, the NCIIPC), the policy (the National Cyber Security Policy 2013), the legal base (the Information Technology Act), the threat landscape, and the privacy balance. The wider architecture is in internal security architecture of India; the counter-terror link is in terrorism and counter terrorism.

The static spine is anchored to the Information Technology Act, 2000 (amended 2008), the National Cyber Security Policy, 2013, and the institutional mandates of CERT-In and the NCIIPC. The threat landscape evolves rapidly; treat examples as illustrative and verify the latest position.

Why cyber is a national-security domain

Cyberspace is now a domain of conflict alongside land, sea, air and space. The reasons it matters for national security:

  • Critical infrastructure (power grids, banking and finance, telecom, transport, water, nuclear and defence systems) runs on networked computers; an attack can paralyse a country without a shot fired.
  • Attribution is hard: a cyber attack can be launched anonymously, through proxies, across borders, which makes deterrence and response difficult.
  • The threat is hybrid: State actors, terrorist groups, criminal networks and "hacktivists" all operate in the same space, and the same techniques (malware, ransomware, phishing, denial-of-service) serve espionage, sabotage, crime and propaganda.
  • The forces are targets: the communications, personnel databases and logistics of the security forces, and the critical infrastructure they protect, are all in the attack surface.

The Information Technology Act, 2000 (substantially amended in 2008) is the foundational cyber law. The 2008 amendment added the offences most relevant to security:

  • Section 66F, which defines and punishes cyber terrorism (acts intended to threaten the unity, integrity, security or sovereignty of India, or to strike terror, through a computer resource).
  • Provisions on hacking, data theft, identity theft and the publication of obscene material.
  • Section 69, the power to intercept, monitor and decrypt information, and Section 70, which allows the Government to declare a system a "protected system" (critical infrastructure).

The institutions

| Body | Year / status | Mandate |
|---|---|---|
| CERT-In (the Indian Computer Emergency Response Team) | Operational since 2004; statutory under the IT (Amendment) Act, 2008 | The national nodal agency for responding to cyber-security incidents; issues alerts and advisories, coordinates incident response, and is the first responder to cyber incidents |
| NCIIPC (the National Critical Information Infrastructure Protection Centre) | Created 2014, under the National Technical Research Organisation (NTRO) | The nodal agency for the protection of Critical Information Infrastructure (CII), the systems whose incapacitation would have a debilitating impact on national security, the economy, public health or safety |
| NTRO (the National Technical Research Organisation) | 2004 | The technical-intelligence agency; the parent of the NCIIPC |
| I4C (the Indian Cyber Crime Coordination Centre) | Under the MHA | Coordinates the response to cybercrime, with the national cybercrime reporting portal and helpline |
| Defence Cyber Agency | Tri-service agency | Handles cyber threats in the military domain |

The division of labour to remember: CERT-In is the general national incident-response agency (IT Ministry), while the NCIIPC protects the critical information infrastructure (under the NTRO), and I4C coordinates cybercrime (MHA).

The National Cyber Security Policy, 2013

The National Cyber Security Policy, 2013 was India's first comprehensive cyber-security policy. Its stated objectives included:

  • Building a secure cyber ecosystem and a framework of trust.
  • Creating a 24 × 7 mechanism for threat information and response (the role CERT-In plays).
  • Protecting critical information infrastructure (the role the NCIIPC plays).
  • Developing a workforce of cyber-security professionals (a stated target of half a million skilled professionals).
  • Promoting research, indigenous capability and public-private partnership.

A successor national cyber-security strategy has been under preparation to update the 2013 policy for the current threat landscape; verify the latest position rather than asserting that it has been finalised.

The threat landscape

| Threat | What it is |
|---|---|
| Cyber espionage | The theft of State, defence or commercial secrets through intrusion |
| Cyber sabotage / attacks on infrastructure | Disabling or damaging critical systems (power, banking, transport) |
| Ransomware and malware | Malicious software that encrypts or damages data for extortion or disruption |
| Phishing and social engineering | Tricking users into revealing credentials, a common entry point |
| Denial-of-service (DoS / DDoS) | Flooding a system to make it unavailable |
| Disinformation and influence operations | The use of social media and fake content to manipulate opinion and sow discord |
| Threats to the forces | Attacks on the forces' networks, databases and the critical infrastructure they guard |

The line for the exam: the threat is no longer only crime; it is espionage, sabotage of critical infrastructure, and information warfare, which is why cyber is a national-security domain.

The international and strategic frame

  • Cyber norms are debated at the UN (the Group of Governmental Experts and the Open-Ended Working Group on responsible State behaviour in cyberspace), without a binding treaty.
  • The Budapest Convention on cybercrime is the main international cybercrime instrument; India has not acceded to it, preferring a UN-led framework.
  • Data localisation and data protection (the Digital Personal Data Protection Act, 2023) connect cyber security to the governance of personal data.

The human-rights and privacy balance

Cyber security sits in sharp tension with privacy and free expression, the security-and-rights theme in its newest form.

  • The right to privacy was held a Fundamental Right under Art 21 in K S Puttaswamy v Union of India (2017), so State surveillance, interception (Section 69) and data collection must satisfy the tests of legality, necessity and proportionality laid down in that judgment.
  • Surveillance powers are needed against terrorism and cybercrime, but they must be bounded by law and oversight to avoid the chilling of dissent and the misuse of data.
  • Free expression under Art 19(1)(a) limits how far the State may regulate online content; restrictions must fall within the reasonable restrictions of Art 19(2).

The balanced position a CAPF candidate should articulate: strong cyber security and the protection of critical infrastructure are essential to national security, but the surveillance and data powers they require must remain within the Puttaswamy tests of legality, necessity and proportionality. Security and privacy, again, are conditions of each other, not opposites. See human rights and internal security.

Last-mile recall

  • The Information Technology Act, 2000 (amended 2008) is the foundational cyber law; Section 66F covers cyber terrorism; Section 69 covers interception; Section 70 covers protected systems.
  • CERT-In (operational 2004, statutory under the 2008 amendment) is the national cyber-incident-response agency under the IT Ministry.
  • The NCIIPC (2014, under the NTRO) protects Critical Information Infrastructure; the I4C (MHA) coordinates cybercrime.
  • The National Cyber Security Policy, 2013 was the first comprehensive policy; a successor strategy has been under preparation.
  • The threats run from espionage and infrastructure sabotage to ransomware, phishing, DDoS and disinformation; the forces are themselves targets.
  • The right to privacy is a Fundamental Right under Art 21 (Puttaswamy, 2017), with the tests of legality, necessity and proportionality on State surveillance.

Common confusion

| Often mixed up | The correct position |
|---|---|
| CERT-In vs NCIIPC | CERT-In is the general national incident-response agency; the NCIIPC protects critical information infrastructure |
| NCIIPC's parent | The NTRO (not the MHA); CERT-In is under the IT Ministry |
| The cyber-terrorism section | Section 66F of the IT Act |
| The policy year | The National Cyber Security Policy is of 2013 |
| Privacy status | The right to privacy is a Fundamental Right under Art 21 (Puttaswamy, 2017) |

Memory hook

  • "CERT-In responds, NCIIPC protects the critical infrastructure, I4C fights cybercrime."
  • "66F is cyber terrorism, 69 is interception, 70 is protected systems."
  • "Policy of 2013; privacy a right since Puttaswamy 2017."
  • The balance: "secure the network, within legality, necessity and proportionality."

Night before

  • Why cyber is a national-security domain (critical infrastructure, attribution, hybrid threats, the forces as targets).
  • The IT Act, 2000 (amended 2008) and Sections 66F, 69 and 70.
  • CERT-In (incident response), the NCIIPC (critical infrastructure, under the NTRO), and the I4C (cybercrime, MHA).
  • The National Cyber Security Policy, 2013 and its objectives.
  • The threat landscape (espionage, sabotage, ransomware, phishing, DDoS, disinformation).
  • The privacy balance under Puttaswamy (2017) and the legality-necessity-proportionality tests.

Authored practice (not verbatim PYQs)

Q1. The national nodal agency for responding to cyber-security incidents in India is:
  A. the NCIIPC
  B. CERT-In
  C. the NTRO
  D. the I4C
  Answer: B. CERT-In has been operational since 2004 and is statutory under the 2008 IT amendment.

Q2. The protection of Critical Information Infrastructure is the mandate of the:
  A. CERT-In
  B. NCIIPC
  C. NIA
  D. FIU-IND
  Answer: B. The NCIIPC (2014) is under the NTRO.

Q3. Cyber terrorism is defined and punished under which section of the IT Act?
  A. Section 66A
  B. Section 66F
  C. Section 69
  D. Section 70
  Answer: B.

Q4. India's first comprehensive cyber-security policy was issued in:
  A. 2000
  B. 2008
  C. 2013
  D. 2017
  Answer: C. The National Cyber Security Policy is of 2013.

Q5. The right to privacy, relevant to State surveillance powers, was held a Fundamental Right under Art 21 in:
  A. Maneka Gandhi (1978)
  B. K S Puttaswamy v Union of India (2017)
  C. D K Basu (1997)
  D. Shreya Singhal (2015)
  Answer: B.

Glossary

  • IT Act: the Information Technology Act, 2000 (amended 2008), the foundational cyber law.
  • CERT-In: the Indian Computer Emergency Response Team, the national incident-response agency.
  • NCIIPC: the National Critical Information Infrastructure Protection Centre, under the NTRO.
  • CII: Critical Information Infrastructure, systems vital to national security and the economy.
  • I4C: the Indian Cyber Crime Coordination Centre, under the MHA.
  • Section 66F: the IT Act provision on cyber terrorism.
  • National Cyber Security Policy: the 2013 policy framework.
  • Puttaswamy: the 2017 judgment holding privacy a Fundamental Right.