Model Analysis, Cyber Security Policy

A model editorial analysis of India's cyber security policy, the IT Act 2000, CERT-In and the NCIIPC, critical-information-infrastructure protection, and the balance between security, openness and rights in the digital domain

At a glance

Paper: Paper II. Importance: High.

Factual base: cyber security and national security.

Issue

Cyberspace has become the fifth domain of conflict, after land, sea, air and space. India's economy, governance and critical infrastructure (power grids, banking, telecom, defence networks) increasingly run on networks that can be attacked from anywhere on earth, by states, criminals or proxies. How should a country secure this domain without throttling the openness and rights that make it valuable?

Background

  • The foundational law is the Information Technology Act, 2000 (amended 2008), which created offences for hacking, identity theft and cyber-terrorism (Section 66F) and the legal basis for interception and blocking.
  • CERT-In (the Indian Computer Emergency Response Team), under the Ministry of Electronics and IT, is the national nodal agency for cyber-incident response, advisories and coordination.
  • The National Critical Information Infrastructure Protection Centre (NCIIPC), under the National Technical Research Organisation, protects designated Critical Information Infrastructure (sectors whose incapacitation would harm national security, the economy or public health, such as power, banking, telecom, transport).
  • The National Cyber Security Policy, 2013 set the framework; a successor national cyber security strategy has been under preparation, so verify the latest status. The Indian Cyber Crime Coordination Centre (I4C) and the National Cyber Crime Reporting Portal address cyber-crime at the citizen level.
  • The data-and-rights dimension: the Digital Personal Data Protection Act, 2023 governs personal data; the Puttaswamy (2017) judgment established privacy as a fundamental right under Art 21, against which surveillance and data-collection powers must be tested.
  • The threat picture: ransomware on hospitals and utilities, attacks on financial systems, disinformation and influence operations, supply-chain compromises, and state-sponsored intrusions; verify current incident figures from CERT-In rather than asserting a stale number.

Arguments

The hard-security view

  • Critical infrastructure is a legitimate target of hostile states and proxies; an attack on a power grid or banking system can do the damage of a physical strike, so the state must have strong defensive, monitoring and response capability and the legal power to act fast.
  • Cyber-crime, fraud and online radicalisation harm ordinary citizens at scale, justifying robust investigation, tracing and intermediary-cooperation powers.

The openness-and-rights view

  • Broad interception, traceability and blocking powers, if unchecked, chill free expression and privacy; the same tools that fight crime can surveil dissent, so they must be bounded by Puttaswamy's proportionality test and independent oversight.
  • Over-regulation and data-localisation mandates can fragment the internet and burden small firms without proportionate security gain; security should be designed in, not bolted on by blanket controls.
  • A purely defensive, agency-led posture neglects the human and skills layer: most breaches exploit weak passwords, unpatched systems and untrained users, not exotic attacks.

Way Forward

India needs a layered cyber-security strategy: harden Critical Information Infrastructure through the NCIIPC with mandatory standards and audits; resource CERT-In and I4C for faster detection and response; build indigenous capability and a skilled cyber workforce; mandate breach reporting and basic cyber-hygiene across government and key sectors; and pursue international cooperation and norms for responsible state behaviour in cyberspace. Crucially, anchor every surveillance and data power in Puttaswamy proportionality with independent oversight, so that security and the digital rights of citizens reinforce rather than undermine each other. Security and openness are not opposites in this domain; a trusted, well-governed network is itself a security asset.

Paper II essay hook

The wars of the coming century may be fought without a shot crossing a border, in the silent contest for control of the networks on which a nation's life now runs. India's challenge is to defend that fifth domain with the same seriousness it brings to its frontiers, while keeping the openness and the freedom that made the digital revolution worth defending.

Thesis to adapt: Cyber security is national security; the goal is a resilient, well-governed digital domain whose defensive powers are bounded by the right to privacy and the value of an open internet.
