Law Enforcement Initiatives Towards Tackling Cyber Crime in India

By Shuchita Thapar

Cyber crime has been rising across India. This post reviews advancements in policing technologically advanced crimes and considers potential next steps. 

With rising instances of cybercrime being noted across the country, the need for vigilance in the cyber sphere has been highlighted by a number of commentators. These crimes have gained attention subsequent to the notification of demonetization, with rising online banking transactions and a governmental push towards a digital economy.

Several new issues stemming from the distrust in digital payment systems have been reported. For example, the cybercrime cell of the Mumbai Police has received several reports of a scam characterized by persons receiving fraudulent calls allegedly from banks, discussing a new RBI policy. These calls informed consumers that credit and debit cards were soon to be deactivated, but if they released their card details, they would be permitted to continue usage. Once released, these details were misused. While issues such as these do not require extensive cyber expertise to resolve, their incidence is on the rise. Countering them requires banks as well as law enforcement agencies to increase their efforts towards educating new adopters.

More concern may be caused by technology-intensive hacking attacks, both from within the country and outside. Recent instances include the hostilities faced by several Telangana-area software companies by alleged Pakistani attackers, as well as attacks by the group known as Legion. Their actions allegedly include the hacking of the twitter and email accounts of Rahul Gandhi, Vijay Mallya and Barkha Dutt, among others. There has also been an upswing in ransomware attacks recently, with over 11,000 attacks being reported in just three months. Reports of India’s first online Ponzi scheme are also now coming to light. This is despite the fact that that 80% of cybercrimes remain unreported according to recent news reports. This post will review some initiatives taken towards the more efficient investigation of cybercrime by law enforcement across the country.

Cyber Policing in India

Crime and Criminal Tracking Network and Systems (CCTNS)

Approved by the Cabinet Committee on Economic Affairs in 2009, with an allocation of INR 2 billion, the CCTNS is a project under the National e-Governance Plan. It aims at creating a nationwide networking infrastructure for an IT-enabled criminal tracking and crime detection system. The integration of about 15,000 police stations, district and state police headquarters and automated services was originally scheduled to be completed by 2012. However, this still remains incomplete.

Apart from the slow pace of implementation and budgetary problems, on-the-ground hurdles to fully operationalizing CCTNS include unreliable Internet connectivity and under-trained personnel at police stations. Other issues include unavailability of facilities for cyber forensic analysis in most locations, and lack of awareness regarding online citizens’ services such as verification of tenants and employees and clearance for processions and events.

Online Complaints

The Central Government, in response to queries by the Supreme Court regarding measures taken to tackle cybercrime, recently announced that they would be setting up a ‘Centre Citizen Portal’. This portal will allow citizens to file complaints online with respect to cybercrimes, including cyber stalking, online financial fraud and others, suffered or observed by them.

The governmental response also details the proposed process, stating that any such complaint on the portal will trigger an alert at the relevant police station and allow the police department to track and update its status, while the complainant too would be able to view updates and escalate the complaint to higher officials.

Cyber Police Stations

Cyber police stations generally include trained personnel as well as the appropriate equipment to analyse and track digital crimes. Maharashtra, where cybercrime has risen over 140% in recent times, and which had the dismal distinction of only recording a single conviction related to cybercrime last year, is converting its existing cybercrime labs into cyber police stations. This will mean there is a cyber police station in each district of the state. The initiative in Maharashtra is useful especially because of the rise in online transactions in Tier II and Tier III cities and the rising cybercrime related thereto. However, despite the rise in cybercrime, complaints remain of low reportage and low success rates in solving crime. Police officers point to problems processing evidence, with complex procedures being required to retrieve data on servers stored abroad.

Further, there have been complaints in Bengaluru of the limited jurisdiction of cyber police stations. Pursuant to a standing order of the DG & IGP of Bengaluru City Police issued in June 2016, only cases with damages of over INR 5 lakh can be registered at cyber police stations in case of bank card fraud. In cases of online cheating, only those instances where damages exceed INR 50 lakh are amenable to the jurisdiction of cyber police stations. All other cases are to be registered with the local police station which, unlike cyber police stations, do not generally include trained personnel or the appropriate equipment to analyse and track digital crimes.

While the order is undoubtedly creating problems for cybercrime victims, it was made taking into account the woefully under-resourced cybercrime police station in Bengaluru which, at the time, consisted of a 15-member staff with two vehicles at its disposal.

Predictive Policing

Predictive policing involves the usage of data mining, statistical modeling and machine learning on datasets relating to crimes to make predictions about likely locations for police intervention. Examples of predictive policing include hot-spot mapping to identify temporal and spatial hotspots of criminal activity and regression models based on correlations between earlier, relatively minor, crimes and later, violent offences.

In 2013, the Jharkhand Police, in collaboration with the National Informatics Centre, began developing a data mining software for scanning online records to study crime trends. The Jharkhand Police has also been exploring business analytics skills and resources at IIM-Ranchi, in order to tackle crime in Jharkhand.

The Delhi Police has tapped into the expertise at the Indian Space Research Organisation in order to develop a predictive policing tool called CMAPS – Crime Mapping, Analytics and Predictive System. The system identifies crime hotspots by combining Delhi Police’s Dial 100 helpline calls data with ISRO’s satellite imagery and visualizing it as cluster maps. Using CMAPS, Delhi Police has slashed its analysis time from the 15 days it took with its erstwhile mechanical crime mapping to the three minutes it takes for the system to refresh its database.

The Hyderabad City Police is in the process of building a database, called the ‘Integrated People Information Hub’ which, according to the City Police Commissioner, would offer the police a “360-degree view” of citizens, including names, aliases, family details, addresses and information on various documents including passports, Aadhaar cards and driving licenses.

The data is combed from a wide-ranging variety of sources, including information on arrested persons, offenders’ list, FIRs, phone and electricity connections, tax returns, RTA registrations and e-challans. It is further indexed with unique identifiers, and is used to establish the true identity of a person, and present results to relevant authorities within minutes. While the system is aimed at curbing criminal activity and detecting fraud, a lack of clearly identified cyber security and privacy protocols is a worrying sign.

Conclusion

We recently reviewed the National Crime Records Bureau’s statistics relating to cybercrime, as set out in their Crime in India Report 2015. Some concerns that stemmed from the figures set out in the report were the low conviction rates and high pendency of cases. Experts have linked these issues, amongst other things, with the limited mechanisms available for cyber policing and the effectively-defunct status of the cyber tribunals. A recent report by the Bureau for Police Research and Development also highlighted resource constraints affecting police stations, with several stations lacking basic necessities such as a vehicle or a phone connection. Over five lakh posts sanctioned posts also remain vacant.

Given resource limitations, both in fiscal terms and relating to trained personnel, it is heartening to see the steps that have been taken towards efficient cyber-policing. While this post highlights some steps that have been taken in major jurisdictions, there are several initiatives even in non-metro cities towards tackling cybercrime. A National Cybersecurity Co-ordination Centre is also due to be launched around June this year. In a recent response to the Supreme Court, additional solicitor general Maninder Singh also informed the Court of substantial investments being made by the Central Government towards police and judicial training and towards the creation of cybercrime prevention cells. It is hoped that these measures will help to stem the growing tide of cybercrime in India.

Shuchita Thapar is a Project Manager at the Centre for Communication Governance at National Law University Delhi

 

Cybersecurity in the Financial Sector: An Overview

By Sowmya Karun 

In the Union Budget for 2017-18, Finance Minister Mr. Arun Jaitley announced the setting up of a dedicated Computer Emergency Response Team for the Financial Sector (Cert-Fin). The proposed emergency response team is slated to work in co-ordination with financial sector regulators and other stakeholders.

This announcement comes on the heels of the Government’s demonetisation initiative. Demonetisation led to a substantial rise in the volume of digital payments and the use of instruments such as mobile wallets. The cumulative growth of electronic transactions has been reported to range between 95 per cent and 4,025 per cent from November 8 till December 27, 2016. This transition towards digital payments in the financial sector is slated to continue, with one report predicting that by 2020, the digital payments industry will grow to over $500 billion and contribute 15% to the national GDP.

In a previous post, we had examined the legal and policy regime relating to digital payments in the country. In this post, we examine technological vulnerabilities in the financial sector, as well as measures taken towards strengthening cybersecurity.

Cyber Security Vulnerabilities in the Financial Sector

The exponential growth in digital payments in India and the push towards a cashless economy has renewed focus on the need to strengthen financial cybersecurity. Banks and financial institutions are extremely vulnerable to various forms of cyberattacks and online frauds. India has steadily moved up the ranking for countries with the highest number of financial Trojan infections over the past three years. At least forty percent of Banking, Financial Services and Insurance (‘BSFI’) businesses have been attacked at least once. A six-fold increase in credit and debit card fraud cases has been reported over the past three years. In addition to core banking, additional services like e-banking, ATM and retail banking are also increasingly vulnerable to cybercrime. Mobile frauds are also expected to grow to 60-65% in 2017, which is especially alarming because 40-45 % of financial transactions are being conducted on mobile devices today.

The Indian banking landscape has seen several large-scale cyberattacks over the past year. Since June 2016, the SWIFT systems of four Indian banks have been targeted.  In October 2016, in what was the largest data breach in the country ever, 32 lakh debit cards of various banks were subject to a cyber malware attack.  Earlier this year, it was reported that hackers had infiltrated the systems of three government-owned banks to generate false trade documents. The increased focus on cybersecurity in banks follows not only domestic incidents but global developments as well. In its bulletin on security measures, for instance, the Reserve Bank of India makes reference to the Carbanak Gang which targeted bank’s internal systems across Russia and Ukraine to conduct a robbery of around $ 1 billion. Closer home, in February 2016, there was an attempted heist of around $951 million from the Bangladesh Bank.

Cyber Security Framework for Banks

In October 2016, the Reserve Bank of India directed banks to implement a security policy containing detailing their strategy to for dealing with cyber threats and including tangible “cyber-hygiene” measures. This was following a renewed emphasis on the early implementation of the RBI’s Cyber Security Framework in banks. The RBI had first notified the Cyber Security Framework (‘Framework’) in Banks in June 2016. The Framework was a successor to broad guidelines on information security and cyber frauds which had been issued in line with the recommendations of the Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds in 2011.

The Framework is geared towards minimising data breaches and implementing immediate containment measures in the event of such breaches. It emphasises the urgent need to put in place a robust cyber security and resilience framework and to ensure continuous cybersecurity preparedness among banks. The Framework also mandates the adoption by banks of a distinct cybersecurity policy to combat threats in accordance with “complexity of business and acceptable levels of risk” within a set deadline. Further, the Framework requires the earliest setting up of Security Operations Centres within banks for continuous surveillance; disallowing unauthorised access to networks and databases; protection of customer information; and the evolution of a cyber crisis management plan.

Other Measures by the RBI and the Government

The RBI has also identified the need to evolve a framework for co-ordination and information sharing between financial institutions and public authorities in the event of cyber attacks. To this end, the RBI recently appointed its first information security officer and has formalised a sectoral sharing interface called the Indian Banks- Centre for Analysis of Risks and Threats (IB-CART). Further, the RBI also issued an ultimatum to banks, requiring them to report any breach of security immediately. Banks have been given until March 31, 2017 to put in place appropriate mechanisms.

Previously, there was limited reporting by banks as they were reluctant to report cyberattacks fearing devaluation of brand equity. Even in the event of large-scale cyberattacks, such as the above-mentioned malware infection which affected 32 lakh cards, it took six weeks to detect the fraudulent transactions. To counter this, and to enhance cyber resilience, the Institute for Development and Research in Banking Technology (‘IDBRT’) has been attacking vulnerabilities in banks’ security networks. This will enable them to share feedback with banks to improve their resilience.  Further, the Chief Information Security Officers of banks have also set up a forum to discuss cyberattacks and to share information, manage and plan for issues related to information security. The Ministry for Electronics and Information Technology has also formally urged banks to co-operate with the CERT-In for carrying out audits and other measures to strengthen their cybersecurity systems.

Conclusion

While these proactive steps being taken by the RBI and the Government are timely and much-needed, the resilience of our banking infrastructure against cyber attacks will depend on co-ordinated action from all stakeholders. The Cyber Security Framework must be strictly implemented in a timely manner, with regular audits to ensure comprehensive compliance. Cybersecurity at banks and financial institutions needs to be prioritised as part of the design architecture and must not remain restricted to reactive fire fighting during crises. Cyber security solutions must be deliberately designed to enable stemming of cyber attacks in real time.  Experts also suggest that the most effective ways to move forward with digitisation in order to ensure banks remain completely secure include the embracing of crypto-currencies and blockchain technology. Further, the Information Technology Act, 2000 is also ripe for a complete overhaul to counter the increased security risks in a cashless economy. These measures, of course, must also be accompanied by attempts to ensure widespread consumer education and awareness.

Sowmya Karun is a Project Manager at the Centre for Communication Governance at National Law University Delhi

 

Gaps in the Protection of Critical Information Infrastructures in India

By Sowmya Karun

In a previous post, we critically examined the legislative and institutional framework for the protection of critical information infrastructures (“CIIs”) in India. The National Critical Information Infrastructure Protection Centre (“NCIIPC”) has since revamped its website. This is a heartening move towards transparency and increased public engagement. According to “data shared by a broad range of NCIIPC constituencies”, a total of around 7.5 million incidents, threat feeds and vulnerabilities were reported from CIIs in 2016. This was reported in the first NCIIPC newsletter. The newsletter further indicated the number of incidents on a monthly basis, the most impacted cities in terms of the volume of cyber attack incidents, the major forms of attacks and the country-wise share of the origins of cyber attacks on CIIs.

Sector-specific guidelines for CII

As recommended in our post, the NCIIPC has been increasing its efforts towards the protection of sectoral critical information infrastructures. There has been particular emphasis on designing sector-specific cyber security practices. For instance, the Ministry of Power has taken steps to sensitize critical organisations in the power sector, following instructions received from the NCIIPC.  This includes the auditing of underlying information infrastructures by CERT-In accredited agencies and the setting up of a dedicated computer emergency response team for the transmission sector. This is especially significant as the deployment of smart grid technologies on a large scale poses unique cybersecurity risks.  Similarly, it has been reported that the NCIIPC has conducted workshops on cyber security and critical information infrastructure protection for the oil and gas industry. Further, the NCIIPC has engaged with the Chief Information Security Officers in strategic and public enterprises (which includes heavy industry and public sector units) for the identification, protection and notification of their CII.

However, the NCIIPC’s attempts to address the claim that there is “an urgent need to evolve sector specific guidelines for handling cyber crises” remain piecemeal and reactive. The transportation sector, for instance, is particularly vulnerable to cyber threats on account of growing dependencies on network based systems for navigation, tracking and positioning, amongst others. There have been reports of Pakistani hackers who have been tapping into air traffic control systems in Jammu as well as gaining access to the GPS data of police vehicles in Madhya Pradesh. These instances represent only the tip of the iceberg when it comes to the capacity of malicious actors to disrupt CIIs in the transportation sector. However, despite these incidents, there have been no reports about the development of sector specific cybersecurity guidelines for the transportation sector. The Long Range Identification and Tracking (LRIT) system under the Ministry of Shipping remains the only transportation to be declared as a “protected system” under the Information Technology Act, 2000.

Information Sharing and Analysis

While the development of sector specific guidelines for cyber-security should continue, it is also necessary to focus on mechanisms for information sharing and analysis across sectors. Information sharing about vulnerabilities, threats and attacks is essential as security solutions cannot be built without shared threat intelligence or co-ordinated responses. In recognition of this, the National Cybersecurity Policy of 2013 (“the Policy”) noted the necessity of establishing a mechanism for sharing information on cyber-security incidents (Paragraph IV(A)(7)). The creation of such a mechanism, according to the Policy, will generate the necessary understanding of  existing and potential threats to enable timely information sharing (Paragraph IV(E)(1)). Prior to the policy, the creation of Information Sharing & Analysis Centres (ISACs) had also been recommended by the Joint Working Group on Engagement with Private Sector on Cyber Security (“JWG”). The JWG conceived of ISACs within various industry verticals with the private sector to co-ordinate with sectoral CERTs as well as CERT-IN.

However, currently, institutional mechanisms for streamlined and prompt sharing of information are not in place for most sectors. An ISAC has been set up at the Institute for Development and Research in Banking Technology (IDRBT), but it remains restricted to financial services. While the Central Government stated that action was initiated in 2014 for the setting up of similar ISACs in the power and petroleum sector, there is no confirmation of the same in the public domain. There is also no clarity on whether ISACs will be instituted for other sectors. There have also been no reports dealing with steps that are being taken for cross-sectoral information sharing and analysis. In a move forward, the NCIIPC has now made available forms for reporting vulnerabilities as well as cyber attacks on critical information infrastructures on its website. However, this is a poor substitute for a mandatory and systematic mechanism for collating information on threats, vulnerabilities and attacks. To this end, it is essential to urgently initiate the setting up of sectoral ISACs, under the guidance of the NCIIPC. A cross-sectoral ISAC, modelled along the along the lines of the National Council of ISACs in the US, could grow to function as an effective platform. It may also prove to be useful to pursue collaborations with existing global information sharing networks (such as the Financial Services Information Sharing and Analysis Centre (FS-ISAC). Similarly, the merging of sectoral platforms to create a collaborative intelligence sharing platform under the National Cybersecurity Co-ordination Centre is recommended.

Conclusion

To conclude, it is heartening to observe the progressive changes the NCIIPC has made as well as the creation of sector specific guidelines in certain sectors. However, this must progress across various critical sectors in addition to being placed within broader information sharing mechanisms. It is hoped that the NCIIPC will continue on the path of transparency and information sharing in this regard.

Sowmya Karun is a Project Manager at the Centre for Communication Governance at National Law University Delhi

Digital Wallet Security: Is there a framework?

By Sidharth Deb*

Since the announcement of India’s demonetisation policy, there has been a rapid surge in the number of online wallet transactions. The reasons for this are twofold:

• Cash scarcity; and
• The convenience afforded to consumers through e-wallet/online wallet services

In furtherance of the policy of demonetisation, the Indian government has also incentivised online transactions by offering discounts for digital payments.

Interestingly, India was recently ranked as one of the five most vulnerable nations to cyber security threats. This was highlighted by the recent debit and credit card hack which adversely compromised over 3 million accounts. The presence of a trust deficit seems justified when one looks at concerns expressed by both the National Crime Records Bureau (‘NCRB’) in its 2015 Report and the Reserve Bank of India (‘RBI’) . Both institutions have stressed numerous instances where people have been vulnerable to data theft. Further, it has been suggested that mobile wallets are not developed with hardware level security. Such industry practices leave sensitive information more susceptible to cyber threats. There is also a limited legal framework for the use of online payments.

The need for a stronger legal framework which adequately protects people’s financial/ sensitive data is clear. The use of private platforms such as PayTM, MobiKwik and FreeCharge and the launch of the Bharat Interface for Money (‘BHIM’) means digital transactions will only become more ubiquitous. This means that users are exposed to concomitant risks. This post seeks to understand the current legal matrix regulating digital payment security and highlight its inadequacies.

Policy Framework

There is presently no central data protection/ security legislation. Given this background, what India has instituted is a National Cybersecurity Policy, which was released in 2013, by the Ministry for Electronics and Information Technology (‘MEITY’). The document seeks to establish an umbrella framework which “…creates(s) a secure cyber ecosystem in the country, generate adequate trust & confidence in IT systems and transactions in cyberspace and thereby enhance adoption of IT in all sectors of the economy.” It emphasises the need to introduce sector specific policies to ensure data security.  However, there has been no statutory follow-up to this policy.

Keeping this in mind, we examine two legislations which are presently applicable to the digital wallet security landscape. The first is the Information Technology Act, 2000 (which was last amended in 2008) and the other is the Payments and Settlements Act, 2007 under which RBI circulars and guidelines relevant to online security are released.

IT Act, 2000

The two relevant portions of this statute are Section 43A and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011. Section 43A states that “body corporates” handling sensitive personal data or information must provide reasonable security measures. These measures must be “….designed to protect such information from unauthorised access, damage, use modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law…” Failure to do the same would result in liability to pay the affected party damages. The text informs us that digital wallet companies can contract out, via their terms of service agreements, the data security obligations imposed by this section. It should be noted that services which are provided by entities which are not corporate bodies (such as BHIM, offered by the National Payments Corporation of India) can be exempted from the obligations under this section.

Under this provision, the aforementioned 2011 rules were notified. Rule 3 characterises “sensitive personal data or information” as:

• “…Password;
• Financial information such as Bank account or credit card or debit card or other payment instrument details;
• Physical, physiological and mental health condition;
• Sexual orientation;
• Medical records and history;
• Biometric information;
• Any detail relating to the above clauses as provided to body corporate for providing service; and
• Any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise…”

The most glaring issue with this rule is its exhaustive nature. It restricts “sensitive data or information” to entries which only fit into one of the eight aforementioned categories. Such restrictiveness, has the capacity to exclude information or data which is stored, handled and processed by modern day online platforms. This indicates the rule’s incomplete applicability in today’s internet landscape.

Rule 8(1) describes reasonable security practices and procedures as companies having “…implemented such security practices and standards and have a comprehensive documented information security programme and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business…”.

However, experts have stated  that most FinTech companies flout the above-discussed requirements.

Payment and Settlements Act, 2007

Section 18 of this statute gives RBI the power to determine appropriate policy for the regulation of electronic payment systems which affect domestic transactions. Section 10(2) gives the RBI the power to determine standards for the management of specific payment systems. Deriving authority from this, the RBI has been releasing annual circulars detailing the issuance and operation  procedures for prepaid instruments. The latest one was released in July 2016.

This circular categorised digital wallets such as PayTM, as semi-closed payment instruments. While addressing “Fraud protection and security standards”, it orders such companies to “…put in place adequate information and data security infrastructure and systems for prevention and detection of frauds.” No specific guidance is provided to determine what “adequate information and data security infrastructure” entails. Moreover, it has no reference to any penal measures should a company fail to adhere to these requirements.

The RBI released, in June 2016, a comprehensive cybersecurity framework to regulate banks. They have the authority to contemplate a similar course of action for prepaid instruments. In that vein the RBI in December 2016 released a new notification (under Section 10 (2) read with Section 18 of the Act) addressing “Security and Risk Mitigation Measure(s)…” for prepaid instrument issuers.

In this notification, the RBI acknowledges that without adequate cyber security their push for widespread adoption of digital payments will suffer huge setbacks. To enable a robust and secure digital ecosystem, this notification  orders prepaid instrument issuers to undergo annual system audit reports from qualified auditors. The scope of these system audits includes “hardware structure, operating systems and critical applications, security and controls in place, including access controls on key applications, disaster recovery plans, training of personnel managing the systems and applications, documentation, etc.”

Moreover, it  advises all prepaid instrument issuers to carry out a special audit by empanelled auditors of India’s Computer Emergency Response Team (‘CERT-IN’) and to take subsequent appropriate steps as per the findings of the audit. They have also been advised by the RBI’s notification to take “appropriate measures” to mitigate phishing attacks and to disseminate best security practices to their customers periodically. Prepaid instrument issuers have also been asked to take dynamic security measures as per emerging threats and general threat perception.

Conclusion

The Union Minister for electronics and information technology has acknowledged the need for stronger cybersecurity laws. This has been echoed by a subsequent declaration that MEITY plans to review and accordingly update the architecture of the Information Technology Act, 2000. It was further stated that a digital payments division has been set up, which is tasked with reporting unusual activities to CERT-IN. Similarly, in January, 2017, the CMs Committee on digital payments led by Andhra Pradesh Chief Minister Chandra Babu Naidu submitted an interim report to the Prime Minister. This report recommended the adoption of measures which strengthen cybersecurity.

It has also been revealed that the central government is working on a legal framework aiming to shield privacy and financial details of users when they transact online. It hopes to be a comprehensive security regulatory framework which establishes obligations and liabilities to be imposed upon payment companies. It shall cover “e-wallets, payment gateways, prepaid cards and other payment platforms”.

Different legislative routes have been suggested to assure digital security for online transactions. Members of Parliament, such as Mr Rajeev Chandrasekhar, have recommended a central online digital security legislation. One drawback to such a general measure as evidenced is that it would lack specificity. This causes a problem, as generic laws have the scope to overlook problems which are exclusive to specific industries.

To that end, other cyber law experts have recommended  sector specific laws which pertain to digital payments and their security.  For an effective security regime, for the e-Wallet industry, stakeholders must be consulted whilst developing minimum standards of protection afforded to vulnerable information.

The Watal Committee for Digital Payments submitted a report in December, 2016, recommending a new statutory board for regulation and supervision of payments and settlements which is independent of RBI supervision. It further went on to state that the Payment and Settlements Act, 2007 requires updating with explicit mandates for data protection and security keeping in mind consumer interests. Lessons can also be learnt from Indonesia whose central bank, in November 2016 released a comprehensive regulatory system for e-wallet services. It includes compliance requirements with informational security standards.

*Sidharth is currently an intern at CCG. He graduated from WB NUJS in 2016.

Tracking Cybercrime through the National Crime Records Bureau’s “Crime in India” Report, 2015

By Shuchita Thapar

The National Crime Records Bureau released their annual “Crime in India” report for the year 2015 earlier this year. This post analyses the trends in cybercrime traced through the report.  

The National Crime Records Bureau (“NCRB”) released their annual “Crime in India” report (“NCRB Report, or “Report”) for the year 2015 earlier this year. The report tracks statistics for various types of crimes across India, and provides useful insight into socio-legal trends, as well as problems being faced by law enforcement agencies in the country. This post seeks to review the findings of the report in relation to cybercrime in the context of issues facing crime deterrence and law enforcement in the country.

The NCRB has been tracking statistics relating to cybercrime since their 2014 report. Based on other trackers, between 2011 and 2015, the country witnessed a surge of nearly 350% in cybercrime cases reported. However, despite an increasing number of cases being reported, conviction rates remain very low. For example, Maharashtra saw only a single conviction in 2015 despite over 2000 cases being registered. While it is true that convictions are not generally related to the cases filed in the same year, low conviction rates are generally indicative of high pendency of cases, as well as an underdeveloped architecture of investigation and deterrence.

The NCRB Crime in India Report 2015

The NCRB Report tracks, in their cybercrime chapter, cases filed which are linked with the use of the internet and IT enabled services. Under this broad categorisation, the report seeks to trace (amongst other things) patterns of cases reported, cases pending, arrest rates, conviction rates, and offender demographics. A total of 11,592 cybercrime cases were registered in 2015, representing an increase of approximately 20.5% over the previous year. These include offences registered under the Information Technology Act (“IT Act”), as well as related sections of the Indian Penal Code and other special or local laws. Uttar Pradesh had the highest rate of reportage of such crimes, followed by Maharashtra and Karnataka.

The majority of the cases (6567) were registered under “Computer Related Offences”, which involve cases registered under Sections 66 to 66E of the IT Act. These include offences such as ‘sending offensive messages through a communication service’ (Section 66A), ‘dishonestly receiving stolen computer resource or communication device’ (Section 66B), ‘identity theft’ (Section 66C) and others. It is interesting to note that despite Section 66A being struck down last year by the Supreme Court in the Shreya Singhal case, convictions under the section have risen, and in some instances new cases have also been filed. Under the IPC, the majority of cases filed were relating to cheating, involving over 65% of the total cases filed.

A total of 8121 persons were arrested during 2015 in relation to cybercrime offences, representing a 41.2% increase over 2014. The maximum number of persons arrested were in Uttar Pradesh. However, tracking the persons arrested may not be the most useful metric, because it does not represent the number of cases that were brought to successful completion. In fact, only 250 persons were finally convicted under the IT Act and 20 were convicted under the IPC.

Over 14,000 cases registered under the IT Act were investigated in 2015, including over 6000 pending cases. At the end of the year, over 8000 cases remained pending for investigation. 2396 cases were charge-sheeted in 2015, and 4191 cases were pending for trial. Trials were completed in 486 cases, with 193 ending in conviction. 5,094 cases under the IPC were investigated in 2015, with over 1600 being pending cases from the previous year. 710 cases were charge-sheeted in 2015, and trials were completed for only 53 cases. In cases registered under the IPC, over 3600 cases remained pending for investigation at the end of 2015 – the majority of these cases related to forgery and data theft. It is clear that the pendency of cases is not only high, but increasing, although the NCRB report does not offer any potential reasons.

In terms of offender demographics, the majority of persons arrested fell within the 18-30 age bracket – over 65% of the arrestees under the IT Act, and 55% of the arrestees under the IPC are within this category. However, the NCRB report does not track other demographic statistics, including gender and socio-economic status.

The largest section of arrestees were characterized as ‘business competitors’, followed by ‘neighbours/friends/relatives’. The vast majority of persons arrested were Indian nationals, with only 4 foreign nationals being captured. Given the rising number of cyber incidents stemming from abroad, it is clear that the existing cyber law framework may be insufficient to tackle transnational cyber crime.

Conclusions

The NCRB report highlights the fact that problems that have plagued most areas of the Indian criminal justice system continue to be issues in relation to cybercrime. These include high pendency of cases, low conviction rates and low reporting. These problems are exacerbated by rising usage of information technology resources with limited knowledge of good cybersecurity principles.  Experts have also suggested that the Indian ecosystem around cyber policing is simply not equipped to secure convictions, because of an inadequately trained police force, limited technical resources, low co-ordination between the public and private sector, and an unequipped judicial system.

The Supreme Court of India has taken suo moto cognizance of the issue after a letter written by Hyderabad-based NGO Prajwala pointed out that 9 videos of sexual assault were being circulated on WhatsApp. After a CBI probe was ordered into these instances, the Centre also set up an expert group to formulate appropriate means to tackle growing cybercrime in India. Following this, the government agreed to take various steps, including the establishment of a National Cyber Crime Coordination Centre (“NCCC”) in order to focus on cybercrimes and national security issues and ensure appropriate communication between agencies. Reports have suggested that Phase I of the NCCC will be live by March 2017. It has also been agreed that cybercrime complaints can be filed online without the necessity of visiting a police station.

There have also been other steps taken, including the establishment of cyber labs promising additional technical, and increased emphasis on international co-operation. It is to be hoped that these measures will go a long way towards assuaging the policing problems currently facing cybercrime in India.

Shuchita Thapar is a Project Manager at the Centre for Communication Governance at National Law University Delhi

 

Google Faces Legal Hurdles Under Brazilian Internet Law

By Raissa Campagnaro[1]

The Brazilian Federal Prosecution Ministry has brought civil proceedings against Google for flouting its data protection law. The suit challenges Google’s access to the content of emails exchanged by Gmail users on multiple grounds, including Google’s failure to obtain express consent.

In October, 2016, Brazil’s Federal Prosecutor filed a public civil suit against Google, claiming that the search engine had failed to comply with the country’s internet law, the Internet Bill of Rights. The suit argues that during a previous prosecution investigation, through a civil inquiry, Google had made it public that it scans the content of emails exchanged by Gmail users. According to the Federal Prosecutor, this violates Brazilian data protection standards.

The Internet Bill of Rights establishes data protection principles similar to those set up under the EU Data Protection Directive 95/46/EC. Under this law, any processing of data must be pursuant to express consent. The law specifically requires that the clause seeking consent be prominently displayed and easy to identify amongst other terms of the contract. The law also recognises a right to not have one’s data transferred to third parties without consent and a right to be informed about the specific purposes of the personal data collection, usage, storage, treatment and protection.

When asked about its compliance with the legislation, Google submitted that it analyses the email messages so it can improve consumers’ user experience by filtering the messages for unwanted content, spam, or other kind of malware. It also submitted that the scanning of messages is used to offer products and advertisement for the user and to classify emails into various categories such as ‘social’ ‘promotions’ etc. Finally, Google has contended that the scanning of emails is  consented to by the user at the time of signing up, by agreeing to the privacy policy within Gmail’s terms of service.

However, the Federal Prosecution Ministry considers these practices to be ‘profiling’ – a consequence of personal data aggregation that allows the creation of users’ profiles based on their behaviour, online habits and preferences. These can be used to predict their future actions and decisions. Profiling is frequently used for behavioural advertisements in which aggregated personal data is transferred to other ISPs, who use it to direct ads, products and services determined by the person’s past online activity. According to the Federal Prosecutor, this not only violates people’s right to privacy, especially their informational self-determination right, but also interferes with a consumer’s freedom of choice.

Several scholars and researchers have also opposed profiling and behavioural advertising, arguing that it has severe negative consequences. These include (i) denial of credit or loan concessions; (ii) offering different health insurance deals based on a person’s medical history or the nature of activities they engage in; and (iii) offers with adaptive pricing, based on a variety of criteria that involve some level of discrimination. This is problematic because online profiles are limited. A person’s life is based on several aspects apart from the online information which is collected and aggregated. As a result, personal data aggregation, processing and analysis can lead to an incomplete or incorrect picture of an individual, leading to wrongful interventions in their life. Even if the profile is a complete reflection of a person’s life, the choice to have one’s data collected and used for determined purposes must always be the users’.

The suit alleges that Google’s practices are not in consonance with the legal requirement of seeking express consent, including through prominent display within a policy. It suggests that Google be required to take specific consent in order to access the content of emails.

The case also  challenges the fact that Google’s privacy policy does not allow consumers to withdraw consent. This violates consumers’ control over their data. Further, it is also argued that consent should be sought afresh every time Google changes its privacy policy. The lack of clear and precise information around how data is processed is another issue that has been pointed out in the case, violating the right of Gmail users to information regarding the usage of their data.

To substantiate its case, the Federal Prosecutor is relying on an Italian case in which Google’s data processing activities had been challenged. The ruling was based on Italy’s Data Privacy Code, which establishes data protection guarantees such as i) fair and lawful processing of data; ii) specific, explicit and legitimate purposes and use of data; iii) processing to not be excessive in relation to the purposes for which it is collected or subsequently processed; and iv) that the data must only be kept for the amount of time truly necessary. In addition, the law stipulates that a data subject must receive notice about how their data will be processed, allowing them to make an informed decision. Furthermore, the Italian code also requires consent to be express and documented in writing.

In 2014, Garante’s (i.e. the Italian Data Privacy Authority, furthermore “the Authority”) decision held that Google had failed to comply with some requirements under the Italian legislation. Firstly, the information given by Google around how data processing was carried out was considered insufficient, as it was too general. Secondly, the consent format given through the privacy policy agreement was also held to be too broad. The Authority held that consent should be prior and specific to the data treatment. Although the decision condemned the company’s practices, it did not establish any guidelines for Google to adopt in this regard.

Through the present suit, the Brazilian Federal Prosecutor seeks (i) suspension of Google’s email content analysis, that is, scanning of emails of Gmail users where express consent has not been received ; (ii) an obligation to obtain express and consent from users before scanning or analysing the content of emails and (iii) ensuring the possibility of consent withdrawal. The suit seeks an order directing Google to change its privacy policy to ensure consent is informed and particular to content analysis.

This case demonstrates a new aspect of data protection concern. Apart from the most common cases over data breach situations, where the damage is usually too late or too massive to repair, the Brazilian and the Italian cases are great examples of proactive measures taken to minimise  future risks. Further, the importance of a legal framework that utilises data protection principles to guarantee consumers’ right to privacy is well recognised. Now, it appears that these rules are starting to be more effectively enforced and, in consequence, the right to privacy can be observed in practice.

[1] Raissa is a law student from Brazil with an interest in internet law and policy. Raissa has been interning with the civil liberties team at CCG for the past month.

Evaluating the Risks of the Internet of Things

By Dhruv Somayajula[1]

Introduction

On 21^st October 2016, multiple cyber-attacks on the Internet infrastructure company Dyn shut down web browsing across America and Europe for hours. Over 100,000 devices were reportedly connected via a malware botnet named Mirai for this attack. The attack was a Distributed Denial of Service attack (DDoS), which is carried out by flooding the bandwidth of a web server with artificial traffic from multiple devices. This causes it to crash and renders it inaccessible. This attack specifically was carried out by using a medley of devices  connected over the internet, including security and street view cameras used for industrial security.

The Dyn attack was another reminder to the global community about the potential dangers of unregulated devices connected over the internet, otherwise known as the ‘Internet of Things’ (IOT). This post, the first of a two-part series, will examine the IOT framework, its practical applications and the risks associated with it. The second part will discuss the challenges to law that IOT may possibly create, the existing legal framework to deal with them, and the areas where change is required to accommodate the IOT.

What is the Internet of Things?

First coined by Kevin Ashton, the phrase ‘Internet of Things’ describes the network of devices connected via the internet promoting a smarter way of life. Any device with a function that connects it to the internet is a part of the IOT. These devices include smart home devices, cameras, wi-fi routers, television sets and smart cars.

 A comprehensive definition of the ‘Internet of Things’ is offered by the International Telecommunications Union (ITU) which defines it as “a global infrastructure for the information society, enabling advanced services by interconnecting (physical and virtual) things based on existing and evolving interoperable information and communication technologies.” The Indian Government, in a draft policy released last year, defined the ‘Internet of Things’ as “a seamless connected network of embedded objects/ devices, with identifiers, in which M2M communication without any human intervention is possible using standard and interoperable communication protocols.” This definition only covers a small subset of the IOT since it makes exclusive reference to machine-to-machine communication (M2M communication). This includes only isolated device-to-device communication through embedded hardware and cellular or wired networks. In general, however, the IOT is a broader collective of devices, which also includes communication of data through wireless and cloud-based networks.

Uses and Applications of the Internet of Things

The IOT operates as a network of devices that can share data among themselves to help create convenience for people, by creating patterns of daily activity and executing them. This convenience is in relation to both ease of living, as well as adding value to necessary infrastructure.

There are many practical applications for consumers using IOT devices, including through the usage of wearable devices, sensors for quantification of personal data, and home automation. The use of smartwatches and trackable bands for fitness is an example of devices sharing data over the IOT. Quantified self apps, which claim to track one’s heart rate, calories consumed sleep cycles through sensors for keeping track of one’s habits are examples of sensor-based devices on IOT networks. Another growing category of devices for personal consumption is home automation, where light bulbs, thermostats and alarm clocks are connected to each other in a smart home.

However, in addition to consumer-oriented uses, smart cities like Barcelona, Amsterdam and Singapore are using IOT  to improve road safety management, traffic diversion into alternate routes, waste accumulation triggers and water management portals by use of data accumulated from sensors. For example, the project Autonomous Intersection Management was designed to demonstrate how smart cars can avoid traffic congestion at intersections through the Internet of Things. The UN Commission for Broadband Commission for Sustainable Development also identifies specific IOT devices as useful for developing industries, including devices that can collect medical data to check for epidemics, measure water quality, enable remote access to irrigation pumps in farms and monitor wildlife.

Risks posed by increasing use of the IOT

The collection of data through the IOT creates databases for accurately predicting actions. This accumulation of sensitive data (including mapping of personal habits, geo-tracking, video recording on CCTVs and home electricity patterns) needs to be safeguarded against cyber-attacks or theft. Information concerning the activity patterns of consumers can be mapped through the data collected to accurately predict the activities of a person, and this power can be susceptible to misuse in the wrong hands.

This is where the fundamental risks of the IOT lie – in the twin issues of security and privacy. The DDoS attack on Dyn last month was caused by an estimated 100,000 unsecured devices, using malware to flood the server with requests, causing it to crash. Moreover, recent security breaches by online hacker groups using the IOT create a legitimate concern for the safety of the devices used on the IOT and a need for evaluation of India’s level of preparedness for a possible attack. Breaches of IOT devices in the past have led to disastrous consequences, such as a smart car being switched off remotely in a busy intersection, or baby cams activated to spy on over 700 people. A huge number of devices, especially pre-2000s devices, have extremely low protection due to outdated standards and are vulnerable to cyber-attacks. The onus is on the industry to reduce the gap between the vulnerabilities of older devices and the global standards for cyber security adopted by IOT devices.

Attacks such as that on Dyn also raise questions about the safety of the data which the device seeks to utilize for its application, and whether a person’s privacy can be breached by way of these cyber-attacks. A smart city monitoring roadways and controlling traffic, or an automated smart lock used for home security, can also potentially be breached by hackers, or misused for surveillance purposes. These concerns will only grow with the increasing adoption of IOT devices. A secure IOT framework would need to include include robust laws on security standards, data protection and privacy. The next post in this series will examine the legal framework for data protection with particular reference to the IOT in India and across the world, and evaluate how Indian laws can best accommodate the challenges thrown up by the rising use of online devices.

[1] Dhruv is a third year student at NALSAR University of Law, Hyderabad. Dhruv is currently interning at CCG.

Reviewing Telangana’s Cybersecurity Framework: Part II of II

By Shuchita Thapar

The Telangana IT industry has been facing hostilities recently, with news reports suggesting that over fifty technology companies have been faced with cyberattacks over the past month. This has been subsequent to the surgical strikes carried out near the Pakistan border by the Indian Army. The Society for Cyberabad Security Council, (“SCSC”) a collaborative venture between the Cyberabad Police Commissionerate and the IT industry has reported a spate of ransomware attacks through various international servers, with the source of the attacks being traced to Pakistani hackers. The SCSC also noted that while there had been few direct reports of security breaches, information was received from private cybersecurity firms approached by the companies.

These incidents, coming as they do in the wake of increased cyberattacks throughout India, (including the recent hacking of the National Green Tribunal’s website) highlight the need for both a comprehensive cybersecurity legislation as well as practical measures to safeguard India’s internet communication technology (“ICT”) resources. Telangana, India’s newest state, recently released a cybersecurity policy to this end, making it India’s only state with such a policy.

Part I of this two-part series focused on the features of Telangana’s Cyber Security policy (“the policy” or the “CS policy”), released on the 15^th of September 2016. This policy was released as part of a suite of ICT policies and other initiatives targeting the growth of the IT sector in the state. This post seeks to critically analyse the CS policy, as well as to understand necessary forthcoming developments in the regulatory framework for cybersecurity around India.

Background

The Telangana government introduced the CS policy citing increased cybersecurity needs in the context of global cyber warfare. As seen from the recent attacks on Telangana’s IT companies, this is a pressing concern.This issue is especially important given the clear skepticism around approaching governmental bodies with cybersecurity issues – as revealed by the fact that in the attacks referenced above, the affected entities chose to approach private cybersecurity companies rather than government bodies. The reluctance to engage with official mechanisms on cybersecurity is a problem that also has major repercussions for IT users. This is because, given the lack of data breach notifications in India, communications may be compromised without news of any problems ever reaching the public domain or the government. A strong and reliable governmental monitoring agency which can offer assistance in case of such attacks is an imperative need, along with protections for users whose data has been compromised.

Cyber law and related legislation

The CS policy seeks to create strengthened grievance redressal mechanisms for crimes against women. While this is admirable, the suggestion that the aim of the State is to create an internet free of pornography (where not child pornography) is an impingement on the freedoms of adult users. This debate has already been conducted at the Central level, where large-scale blocks of pornographic websites were rolled back following public uproar.

Capacity Building

The policy addresses school-level training in cybersecurity issues and general cybercrime awareness, as well as individual certification programmes and research centres for specific areas of cybersecurity. However, it does not address the issue of actually creating cybersecurity experts through broad-based training in specific courses at the tertiary education level. The failure to create cybersecurity as an arena of professional specialization at the bachelor’s degree level, and relying instead on short-term certifications/narrowly focused research may create shallow knowledge pools in this area. This is problematic given the state’s focus on developing cybersecurity expertise, and the forecasted countrywide requirement for over a million cybersecurity experts by 2025.

Integration with other policies

The CS policy has been released alongside a host of other ICT policies, many of which refer to issues that will have direct bearing on the cybersecurity – notably, smart cities and the internet of things. However, the CS policy does not explicitly discuss the linkages between itself and the other frameworks sought to be put in place, and there appears to be no overarching body which would co-ordinate between the various policies. There is also relatively little engagement with the central regulatory framework on cybersecurity, including the IT Act and the National Cyber Security Policy 2013.

Policy framing and realization

The draft CS policy was not opened out to public comments (although news reports suggest that expert opinions were sought) and there is no indication that general public participation will be solicited in the operationalization of the policy. Further, no timeline for policy implementation has been provided. Given the number of cybersecurity initiatives being undertaken in the state, a lacking regulatory framework and non-existent coordinating nodal agency (i.e. the proposed T-CERT) may prove detrimental to the structured development of the cybersecurity industry.

Conclusion

The CS policy is ambitious in scope and vision, and has the potential to create a robust cybersecurity culture. However, concerns about the implementation of the policy and its integration with national and other state policies remain. Nevertheless, in terms of industry incentives, the CS policy looks favorable and the state focus on IT makes it likely that the industry will flourish.

Shuchita Thapar is a Project Manager at the Centre for Communication Governance at National Law University Delhi

Reviewing Telangana’s Cybersecurity Framework: Part I of II

By Shuchita Thapar

The Telangana government has over the past year made information technology (“IT”) a major focus area for development. It aims to double IT exports within a period of five years. It has, to this end, created a single-stop online clearance mechanism for companies.  Amongst other activities, it has also signed MoUs and letters of understanding to develop smart cities, data centres and digital platforms with various multinational companies and governmental bodies.

These industry advances are in addition to strong push towards creating a robust regulatory framework for IT in India’s youngest state. The state government released its Cyber Security policy (“the policy” or the “CS policy”) on the 15^th of September 2016, along with policies on data analytics, data centres and open data. These follow the April release of policies and incentives relating to Information and Communication Technology (ICTs), rural technology centres, innovation, electronics and gaming. The Telangana government has also announced that policies regarding the Internet of Things (IOT) and smart technologies, and e-waste will be released within two months.

The release of this policy makes Telangana India’s first state to have its own cybersecurity policy, following the central government’s National Cyber Security Policy of 2013. This post intends to set out the major features of the policy. These will be comprehensively critiqued in the second post of the series.

Background

The CS policy has been introduced in the backdrop of increasing cybersecurity and cyber war threats worldwide. The policy specifically references the 2016 Bangladesh Bank cyber-heist. In the Bangladesh heist instructions to withdraw nearly USD 1 billion were issued by hackers (of which instructions of over USD 100 million went through). It also mentions the 2015 attack on Ukraine’s critical information infrastructure which disabled electricity for over 230,000 people. The IT Minister of Telangana speaks of creating an army of “cyber warriors” to combat such threats. The policy however, remains mainly trade and export focused, as is perhaps appropriate for a state policy. According to the state government the policy is a statement of intent from Telangana government, which is actively seeking interested partners to work on cyber security issues and further deploy tools developed worldwide.

The four main focus areas of the policy are:

1. The legal and regulatory framework
2. Compliance and enforcement framework
3. Compliance building and cybersecure culture framework
4. Business development framework

This post will briefly cover the government’s suggestions under each of these focus areas, as well as incentives promised for the growth of the cybersecurity industry.

Legal and Regulatory Framework

The government has expressed its intent to create more robust legislation in the area of cybersecurity, after seeking assistance from domestic and international legal experts. This includes expanding non-cyber specific legislation to include the possibility of cyber activity in fields such as copyright, defamation, national security/sedition and anonymity. To this end, Telangana has already established the Telangana Intellectual Property Crime Unit (“TIPCU”) to act specifically on concerns relating to IP crime. The government has also indicated its intent to strengthen its current cybercrime cell, as set up under the IT Act, 2000.

The government has expressed its intent to create a cyberspace free of pornography (which may be a cause of concern generally, following last year’s large-scale blocks by the central government under Section 79 of the IT Act). It has conflated this category with child pornography, cyber bullying and sexual harassment.

A digital forensics lab is to be set up to analyse and investigate cybercrime, in addition to a data recovery lab and a digital evidence preservation facility. This will be accompanied by capacity building to create data experts who can work with digital forensics.

Compliance and Enforcement Framework

Recognising that absolute cyber-safety is an impossibility, the government has sought to institutionalise a risk-based approach to critical information infrastructure protection, where response to a threat is based on the risk posed by the threat. The government also intends to formulate a critical information infrastructure protection plan as well as set up a think-tank with the help of private and other stakeholder participation.

The policy sets out the aim of the state to create an apex nodal agency T-CERT (on the lines of CERT-IN) to act as the state’s contact point in relation to cybersecurity, with the ability to respond to major incidents, analyse threats, and exchange information.  T-CERT will be responsible for liasing with stakeholders, and setting up an emergency response division to run around the clock and monitor the cybersecurity situation in the state.

The state will seek to formulate an appropriate business continuity plan as well as issue and procure cyber insurance. An information sharing and analysis centre is to be set up to share actionable information and analyse trends, and promote open standards and procurement of safe ICT products. The government will support (and may, for SMEs, facilitate) implementation of information security and management systems statewide. In addition to this, an ICT Security Assessment Facility will be set up to assist in product certification and compliance assessment of all ICT products linked to critical information infrastructure using the common criteria for information technology security evaluation.

Capacity Building and Cybersecure Acculturation Framework

The government will focus on creating capacity at multiple levels, by training auditors, policy workers, data management experts, cyber experts and forensic experts to provide cybersecurity related services. Various Centres of Excellence are to be set up to boost research, in addition to research projects to address day-to-day issues faced by the government. The cybersecurity curriculum at the master’s level is also to be revamped. As part of the cybersecurity acculturation process, a comprehensive awareness campaign, as well as school-time cybersecurity education will be undertaken.

Business Development Framework

The business development framework includes creating a start-up incubator for cybersecurity startups. The framework also suggests establishing a venture capital structure for the government to invest in such startups. An annual exhibition will be held to promote indigenously developed products, and SMEs will be awarded a certain percentage of cybersecurity products. The government also intends to enter into several strategic partnerships with the private sector, international agencies and various service providers.

Incentives

In addition to various incentives designated for all IT companies, a number of specific cybersecurity incentives have been designated. These include subsidized technology, assistance in procurement, lease subsidies, exhibition subsidies, matching grants to those provided by the government of India, recruitment assistance, R&D grants, internet costs and patent-filing costs.

Conclusions

Although Telangana’s cybersecurity policy is nascent, it is ambitious in vision, with multiple bodies to be established and cities around the state to be utilized for development of the IT industry. It remains to be seen whether these efforts are successful and Telangana succeeds in branding itself the cybersecurity hub of India. The significant incentives given to the industry are likely to invite at least some initial investment. However, whether this first-mover’s advantage can be sustained, and whether the promises of the policy can be fulfilled (especially in light of the political instability that has been an unfortunate feature of the creation of the state) will be revealed over time.

Shuchita Thapar is a Project Manager at the Centre for Communication Governance at National Law University Delhi