Where there are threats, there is a need for security. With the increasing number of cyber attacks and threats, cybersecurity has become integral for IT and non-IT firms alike. In fact, cybersecurity is a critical aspect of national security. Its scope includes all facets of military domains, governance, economy and welfare.
What is cybersecurity, and why do we need it?
Cybersecurity is a broad field that includes techniques to safeguard confidential data, computer systems, networks and applications against cyber threats.
On the whole, cybersecurity is based on three core principles – the CIA triad. This stands for confidentiality, integrity and availability.
Confidentiality concerns the rules that govern access to information. It is concerned with the measures required to avoid exposure of classified information to attackers and hackers. Two-factor authentication, data encryption, data classification and biometric screening are some ways to preserve confidentiality.
The integrity of data is concerned with ensuring the consistency, accuracy and trustworthiness of the data over time. It also means that data should not be altered or deleted illegally. Imposing file access restrictions and user access control go a long way in preventing a data breach. There are also other tools and technologies to identify a potential data breach. Data backup is also essential in case of unintended data deletion or cyber-attacks. The most reliable option is to back up the data in the cloud.
Availability deals with keeping all components, including hardware, software, network and security, among others, up to date. This is to make sure that data can be accessed and processed without any restrictions. There should also be uninterrupted communication between the different components to provide sufficient bandwidth. There is also a need to have additional security equipment to cope with any crisis or inefficiencies. In this respect, utilities like firewalls, proxy servers, backup solutions, etc. come in handy when responding to Denial-of-Service (DoS) attacks.
Cybersecurity in India
In India, the government has made significant attempts to introduce initiatives and policies to push efficient cybersecurity measures. However, it is also important to note that India is among the top five countries that are vulnerable to cybercrimes, as reported by The National Institution for Transforming India (NITI).
Cyber attacks come with a drastic economic hit, diverting India from its growth trajectory. As India is on the way to achieving a trillion-dollar economy in the next few years, experts believe that the growth is also paving the way for online fraud and financial crimes. Cyber attacks have also resulted in the loss of jobs in the past.
To address these issues, the Ministry of Communications and Information Technology of India is striving to build a safe cyber space in the country.
The Vidhi Centre for Legal Policy is Assisting the Government to Formulate Cyber Space Policies
Until now, there has been no regulatory framework that wholly safeguards the informational privacy of Indians. To address this, Vidhi has assisted Justice Srikrishna and a committee of experts to propose a law on data protection. The 213-page report seeks to enforce awareness amongst individuals and firms to protect confidential data.
Although the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 were an essential step in data protection, they apply only to select entities. To counter this, the new proposed data protection law is a massive step towards enforcing a framework adhering to India’s economic and socio-political conditions.
The proposed law focuses on the protection of the personal data of individuals. It states that this data can be accessed or processed by other entities only if the individual provides their consent to do so. Additionally, the consent can always be withdrawn. The proposed law also ensures that confidential personal details such as financial records, health records, sex life and sexual orientation, caste, identifiers such as Aadhaar, religious and political stances, among others will be protected more strictly. Personal data may be accessed under specific circumstances such as emergency health situations, or when there is a judicial order, among other instances.
The draft law focuses on private and public entities. The proposed law also covers the government, regulators and other bodies. In addition, data fiduciaries that perform large-scale data processing will be liable to handle sensitive data with enhanced protective measures such as regular audits, privacy reviews, data protection impact assessment, etc.
The proposed law includes provision for the collection of data in selected circumstances such as compliance with law, the security of the state and journalistic activities. The national security exemption will be entertained only if the following requirements are fulfilled: it is legally binding, it promotes a genuine interest in national security, and it is absolutely necessary and proportionate. The proposed law does not allow state surveillance agencies to access classified data without legal authorization.
However, the recommendations of the committee have raised critical questions pertaining to the acceptability of the provisions by the industry. For instance, restrictions on the processing of personal data, scrutinized measures on data fiduciaries, etc. have prompted a discourse on compliance pressures on data fiduciaries. It is expected that citizens and stakeholders will further deliberate on the suggestions for strengthening the law and providing an adequate data protection mechanism in this vast country.