How Firms Can Fare Better On Cybersecurity
Developing a common framework for standards could reduce the cost of adopting protection against cyber threats.
The loss from a cybersecurity incident has to be borne by the firm alone. There is a case for some state intervention when it comes to the restoration of disruptions in public services and governance of liability. But the Indian framework's low capacity and adoption of coercion have led to higher costs of legal compliance. Firms could, by sharing information and developing a common framework for standards, reduce the cost of adopting protection against cyber threats.
Recent Important Cybersecurity Failures
The frequency and intensity of cybersecurity incidents at Indian organisations, in both public and private sectors, have increased over the years. These incidents have disrupted critical services (e.g. Tata Power) and caused the loss of highly sensitive personal data (e.g. All India Institute of Medical Sciences). Firms are spending more on cybersecurity protection.
Role Of The State In Safeguarding Cyberspace
In a cyber attack, a firm loses data or access to it, leading to financial and reputational loss. Similar to theft—the law enforces punishment against thieves, but owners usually bear the losses—losses from a cybersecurity incident are assumed by the firm itself. The firm should evaluate the potential loss it faces, based on the risks to its information while choosing the optimal level of security. Insurance products and some sector-specific sets of standards reduce the cost of adopting protection.
There are two situations where this approach to cybersecurity may not work. The first is when the impact of the attack has disrupted public services like electricity, water or the internet. The state can play a role in coordinating the restoration of services. The second is when the firm is found to have not followed risk-appropriate cybersecurity practices. Customers would lose their personal data because the firm under-invested in security. The state can make rules to frame consequences for under-investment through a system of adjudication that determines liability.
Issues With Governance Of Cybersecurity In India
India has two agencies that are tasked with incident reporting and response—CERT-in and NCIIPC. CERT-in is a constituent agency of the Ministry of Electronics and IT, or MEITY, and it handles cybersecurity incident reporting and response. The NCIIPC reports to the National Security Advisor and it coordinates the security of "protected systems" operating "critical information infrastructure". The MEITY frames cybersecurity rules, including designating which systems are "protected".
At this point, we should note that the Indian state has low capacity. It is difficult for the Indian state, in general, to enforce the law. As a consequence, the Indian state uses coercion to solve what it sees as the problem. However, coercion may fail to solve the root cause of the market failure leading to undesirable consequences.
The Information Technology Act, 2000 ("IT Act") requires all persons affected by certain types of cybersecurity incidents to report them to CERT-in. Not doing so invites imprisonment of up to one year, in addition to a fine (the Jan Vishwas Bill seeks to do away with the former). The IT Act grants CERT-in broad powers to issue Directions, which require firms to report incidents within six hours of detection and maintain system logs for six months. Some firms are required to collect and submit KYC information on their customers.
One of the reasons why CERT-in may have passed such directions with onerous requirements is because it is tasked with responding to a large set of cybersecurity incidents faced by Indian individuals and firms. It is also tasked with functions like threat monitoring, appointing cybersecurity auditors and coordinating security in government organisations. It is expected to perform these functions with a sanctioned strength of 125 technical staff.
There are also coordination issues between different Indian security agencies because their fields of jurisdiction are unclear. NCIIPC is tasked with coordinating responses for incidents affecting "critical information infrastructure" but its statutory responsibility remains limited to firms with "protected systems". Only five organisations i.e. UIDAI, Ministry of Shipping, NPCI, ICICI Bank and HDFC Bank have "protected systems". This explains why no cyber attacks have been reported to NCIIPC.
But perhaps, the biggest issue is that India does not have a well-functioning system for adjudication of data breaches. The current system is fragmented and virtually non-existent in some states and there are few guidelines on how compensation should be quantified. The proposed Data Protection Board of India is a step forward, but it does not have the power to make its own rules or carry out preventive actions. This could hinder its effectiveness.
The Way Forward
The state is interested in cybersecurity because it has negative spillovers on users and public services. But the means it uses to address these issues have led to onerous compliance requirements and legal uncertainty for firms. When a cyber attack happens, the firm's loss remains the firm's to bear, and it also has to comply with these legal requirements.
Private firms could take two approaches. Firstly, it would be useful to foster an ecosystem that encourages voluntary and confidential sharing of information relating to threats which is made available to everyone. This could be shared with (but not run and de-anonymised by) the state which gets access to information without coercion. For example, Automated Indicator Sharing in the United States allows for real-time, anonymous and voluntary sharing of threats and response methods by any person.
Secondly, firms in specific sectors could come together and voluntarily adopt codes of conduct, security standards, and best practices unique to that sector. This establishes bona fides, improves consumer and institutional trust, and reduces the cost for firms to adopt protection. It helps the adjudication system, which would be run by the state, to determine liability and foster legal certainty. It could also provide the clarity needed for the broader adoption of cybersecurity insurance.
Karthik Suresh is a research associate at XKDR Forum. His research interests lie in the fields of technology and innovation policy, government contracting, and judicial processes.
The views expressed here are those of the author, and do not necessarily represent the views of BQ Prime or its editorial team.