Critiquing the Definition of Cyber Security under India’s Information Technology Act

Archit Lohani


Introduction

As boundary-less cyberspace becomes increasingly pervasive, cyber threats continue to pose serious challenges to all nations’ economic security and digital development. For example, sophisticated attacks such as the WannaCry ransomware attack in 2017 rendered more than two million computers useless with estimated damages of up to four billion dollars. As cyber security threats continue to proliferate and evolve at an unprecedented rate, incidents of doxing, distributed denial of service (DDoS), and phishing attacks are on the rise and are being offered as services for hire. The task at hand is intensified due to the sheer number of cyber incidents in India. A closer look suggests that the challenge is exacerbated due to an outdated framework and lack of basic safeguards.

This post will examine one such framework, namely the definition of cybersecurity under the Information Technology Act, 2000 (IT Act).

Under Section 2(1)(nb) of the IT Act:

“cyber security” means protecting information, equipment, devices, computer, computer resource, communication device and information stored therein from unauthorised access, use, disclosure, disruption, modification or destruction;

This post contends that the Indian definitional approach adopts a predominantly technical view of cyber security and restricts effective measures to ensure cyber-resilience between governmental authorities, industry, non-governmental organisations, and academia. This piece also juxtaposes the definition against key elements from global standards under foreign legislations and industry practices.

What is Cyber security under the IT Act?

The current definition of cyber security was adopted under the Information Technology (Amendment) Act, 2009. This amendment act was hurriedly adopted in the aftermath of the Mumbai 26/11 terrorist attacks of 2008. The definition was codified to facilitate protective functions under Sections 69B and 70B of the IT Act. Section 69B enables the monitoring and collection of traffic data to enhance cyber security and to prevent intrusion and the spread of contaminants. Section 70B institutionalised the Indian Computer Emergency Response Team (CERT-In) to identify and forecast incidents, issue alerts and guidelines, coordinate cyber incident response, etc., and to further the state’s cyber security imperatives. Subsequently, the evolution of various institutions that perform key functions to detect, deter, protect and adapt cybersecurity measures has accelerated. However, this post argues that the current definition fails to incorporate elements necessary to contemporise cyber security policy and ensure its effective implementation.

Critique of the IT Act definition

It is clear that deterrence has failed, as the volume of incidents does not appear to abate, making cyber-resilience the realistic objective that nations should strive for. The definition under the IT Act is an old articulation of protecting the referent objects of security, namely “information, equipment, devices, computer, computer resource, communication device and information”, against specific events that aim to harm these objects through “unauthorised access, use, disclosure, disruption, modification or destruction”.

There are a few issues with this dated articulation of cybersecurity. First, it suffers from the problem of restrictive listing as to what is being protected (the aforementioned referent objects). Second, by limiting the referent objects and events within the definition, it becomes prescriptive. Third, the definition does not capture the multiple, interwoven dimensions and inherent complexity of cybersecurity, which includes interactions between humans and systems. Fourth, due to the limited enlisting of events, similar protection is not afforded against accidental events and natural hazards to cyberspace-enabled systems (including cyber-physical systems and industrial control systems). Fifth, the definition is missing key elements: (1) it does not include the technological-solutions aspect of cyber security, as recognised in the International Telecommunication Union (2009) definition, which acknowledges “technologies that can be used to protect the cyber environment”; and (2) it fails to incorporate the strategies, processes, and methods that will be undertaken. With key elements missing from the definition, it falls behind contemporary standards, which are addressed in the following section.

To put things in perspective, global conceptualisations of cybersecurity are undergoing a major overhaul to accommodate the increased complexity, pace, scale and interdependencies across the cyberspace and information and communication technologies (ICT) environments. In comparison, the definition under the IT Act has remained unchanged.

Wider conceptualisations have, however, been reflected in international and national engagements such as the National Cyber Security Policy (NCSP). For example, within its mission statement the policy document recognises technological solution elements, and interactions between humans and ICTs in cyberspace, as key rationales behind the cyber security policy.

However, differing conceptualisations across policy and legislative instruments can lead to confusion and introduce implementational challenges within cybersecurity regulation. For example, the 2013 CERT-In Rules rely on the IT Act’s definition of cyber security to define cyber security incidents and cyber security breaches, further entrenching the narrow and technically dominant discourse that relates to the confidentiality, integrity, and availability triad.

The following section examines a few other definitions to illustrate the shortcomings highlighted above.

Key elements of Cyber security

Despite a plethora of definitions, there is no universal agreement on the conceptualisation of cybersecurity globally. This has manifested in long-drawn deliberations at various international fora.

Cybersecurity aims to counter and tackle a constantly evolving threat landscape. Although it is difficult to build consensus on a singular definition, a few key features can be agreed upon. For example, the definition must address interdisciplinarity inherent to cyber security, its dynamic nature and the multi-level complex ecosystem cyber security exists in. A multidisciplinary definition can aid authorities and organizations in having visibility and insight as to how new technologies can affect their risk exposure. It will further ensure that such risks are suitably mitigated. To effectuate cyber-resilience, stakeholders have to navigate governance, policy, operational, technical and legal challenges.

An inclusive definition can ensure a better collective response and bring multiple stakeholders to the table. To institutionalise greater emphasis on resilience, an inclusive definition can foster cooperation between various stakeholders rather than a punitive approach that focuses on liability and criminality. An inclusive definition can enable a bottom-up approach to countering cyber security threats and systemic incidents across sectors. It can also further CERT-In’s information-sharing objectives through collaboration between stakeholders under Section 70B of the IT Act.

When it comes to the regulation of technologies that embody socio-political values, and contrary to the popular belief that technical deliberations are objective and value-neutral, such discourse (in this case, the definition) suffers from the dominance of technical perspectives. For example, the definition of cybersecurity under the National Institute of Standards and Technology (NIST) framework, “the ability to protect or defend the use of cyberspace from cyber-attacks”, directs the reader to the definitions of cyberspace and cyber-attack to cover its various elements extensively. However, those definitions also have a predominantly technical lens.

Alternatively, definitions of cyber security would benefit from inclusive conceptions that factor in human engagement with systems and acknowledge the interrelated dimensions and inherent complexities of cybersecurity, which involve dynamic interactions between all interconnected stakeholders. An effective cybersecurity strategy entails a judicious mix of people, policies and technology, as well as a robust public-private partnership.

Cybersecurity is a broad term and often has highly variable, subjective definitions. This hinders the formulation of appropriately responsive policy and legislative action. As a benchmark, we borrow the Dan Purse et al. definition of cybersecurity: “the organisation and collection of resources, processes, and structures used to protect cyberspace and cyberspace-enabled systems from occurrences that misalign de jure from de facto property rights.” The benefit of this articulation is that it necessitates a deeper understanding of the harms and consequences of cyber security threats and their impact. However, this definition cannot be adopted within the Indian legal framework as (a) property rights are not recognised as fundamental rights and (b) it narrows its application to a harms-and-consequences standard.

Most importantly, the authors identify five common elements that form a holistic and effective approach to defining cybersecurity. The following elements, drawn from a literature review of 9 cybersecurity definitions, are:

  • technological solutions
  • events
  • strategies, processes, and methods
  • human engagement; and
  • referent objects.

These elements highlight the complexity of the process and involve interaction between humans and systems to protect digital assets, and the humans themselves, from various known and unknown risks. Simply put, any unauthorised access, use, disclosure, disruption, modification or destruction results in, at least, a loss of functional control over the affected computer device or resource to the detriment of the person and/or legal entity in whom lawful ownership of the computer device or resource is vested. The definition codified under the IT Act only partly captures the complexity of ‘cyber security’ and its implications.

Conclusion

Economic interest is a core objective that necessitates cyber-resilience. Recognising the economic consequences of such attacks, rather than merely protecting limited resources such as computer systems, acknowledges the complex approaches to cybersecurity. Currently, the definition of cybersecurity is dominated by technical perspectives and disregards other disciplines that should ideally act in concert to address complex challenges. Cyber-resilience can be operationalised through a renewed definition; divergent approaches within India to tackling cybersecurity challenges will act as a strategic barrier to economic growth, data flows, investment, and most importantly effective security. They will also divert resources away from more effective strategies and capacity investments. Finally, the Indian approach should evolve from and be grounded in the threat perception and the socio-technical character of the term, and aim to bring cybersecurity stakeholders together.

Supreme Court adjourns IT Act cases for final hearing

Author: Nikhil Kanekal

The Supreme Court of India has decided to bunch together all petitions related to the regulation of free speech online and adjourned them to the first week of January 2014 for a final hearing “on merits”.

A bench comprising justices H. L. Gokhale and Jasti Chelameshwar heard a clutch of petitions on Friday connected with the Information Technology Act, 2000 and IT (Intermediary Guidelines) Rules, 2011. The extent of free speech online, the liability of intermediaries (or platforms which host third party content), the criminal law procedure to be invoked in case of an IT Act-related offence – these are some of the questions of law that will likely be addressed by the court when it deals with these petitions.

One of the main arguments by petitioners is that the restrictions on free speech specified under the IT Act exceed those specified in Article 19(2) of the Indian Constitution.

While the bench seemed to be largely in agreement with the petitioners that Section 66A of the IT Act, along with other provisions, needs to be subjected to judicial review, the judges also cautioned that they need to balance questions of law to ensure that “the state will also have to have some power”.

Referring to recent instances of violence and panic-infused migration, the judges observed, “See what happened in Bangalore and the North East. We will have to look into (the IT Act), but very unfortunate things have been happening in some parts of the country.”

The role of digital media and online communication has been under scrutiny after reports of circulation of controversial material appeared to have sparked rioting and violence, most recently in Uttar Pradesh.

“But this has to be heard and we have to also see whether the advisory given by the central government is adequate,” said the court, in reference to an advisory issued by the government to law enforcement agencies in connection with IT Act offences, earlier this year.

Counsel for the petitioner complained that although all state governments have been made party to this bunch of cases, many of them had not yet responded to notices served through the court’s registry. The court directed all parties to complete the filing of written pleadings before the cases come up for oral argument in January.

During the hearing, it emerged that one of the petitioners, Dilipkumar Tulsidas Shah, who had asked the court to pass guidelines to ensure that police officials have a standard operating procedure to deal with complaints and reports related to Section 66A and other offences listed under the IT Act, was no longer alive. However, given that his petition raises a substantial question, the court observed that any party who wants to pursue the case on his behalf or file a fresh petition, could still do so. “Somebody else wants to come, they can – whoever is interested.”

Parties who have filed petitions include Shreya Singhal, Mouthshut.com, Dilipkumar Tulsidas Shah, Common Cause, and Rajeev Chandrashekar.

Cases in which India’s Supreme Court will define contours of free speech online

Author: Nikhil Kanekal

India’s apex court is slated to decide key cases which, one way or another, will have a significant bearing on online free speech and regulation. The cases are in initial stages of hearing and will gain momentum once the court decides to hear them substantially, which, going by its procedure, will likely take some months.


Kamlesh Vaswani v. Union of India

Kamlesh Vaswani’s petition against pornography wants the court to direct the government to declare key sections of the IT Act ultra vires the constitution. He has asked for a national action plan against pornography and a separate law that will exhaustively curb ‘the growing problem of pornography’. He wants the government to insert new sections into the IT Act which will be more stringent and carry heavy penalties for creating, transmitting, storing and viewing pornography. He also asks that these be made non-bailable and cognizable offences.

The crux of the petition concerns the enforcement of an effective bar on access to pornographic content in India. This petition will need to be considered both from the perspective of the jurisprudence on obscenity and free speech, and from the perspective of how far it is possible to completely remove a category of speech/content from the Internet. There is a range of complications associated with trying to ban content online due to the structure of the Internet. The state and its instruments are not yet sophisticated enough to filter out the narrow range of content that is legitimately banned without also catching material outside the ambit of illegal content. Although most stakeholders agree that child pornography must be removed from the Internet, this continues to be difficult to enforce universally, owing to the nature of the Internet.

The Rajya Sabha committee has also issued a public call for inputs on this issue.

Shreya Singhal v. Union of India

Shreya Singhal’s case was admitted shortly after the much publicised arrest of Shaheen Dhada in Mumbai. The Supreme Court has been asked to strike down Section 66A of the Information Technology Act, 2000. This law was adopted from a similar provision in the United Kingdom’s Communications Act, 2003. However, the Queen’s Bench Division of the High Court read down that provision in 2012, making the UK more tolerant of free speech online. Besides asking for Section 66A to be declared ultra vires the constitution, Singhal has requested the court to issue guidelines so that offences concerning free speech and expression are treated as non-cognizable under criminal law, meaning that police powers in areas such as making arrests without a warrant, as well as the power to investigate, are brought under safeguards.

Mouthshut.com v. Union of India

The Mouthshut.com petition challenges the Information Technology (Intermediaries Guidelines) Rules, 2011, which effectively create a notice-and-takedown regime for the third party/user content that intermediaries host. Originally the IT Act was meant to create a safe harbour for intermediaries, to shield them from liability for third party content. This safe harbour is subject to the intermediaries meeting a ‘due diligence’ standard; the rules, which were meant to explain what this standard means, have instead created a whole liability system around situations in which intermediaries are given notice of objectionable content and do not take it down within the specified time (an academic paper on this aspect, authored by Pritika Rai Advani, is to be published soon). Although intermediaries are permitted in theory to judge content as unobjectionable, the fear of litigation has led to over-compliance, including the taking down of legitimate content to avoid expensive and time-consuming lawsuits. The petition argues that, as delegated legislation, the rules are not only unconstitutional but also go well beyond the scope permitted by the IT Act.

Dilipkumar Tulsidas Shah vs. Union of India

Dilipkumar’s petition asks the court to pass guidelines to ensure that police officials have a standard operating procedure for dealing with complaints and reports related to Section 66A and other offences listed under the Information Technology Act. Several police actions under the IT Act thus far have been inconsistent and have amounted to abuses of power. A bench comprising justices H. L. Gokhale and Jasti Chelameshwar has decided to hear the Mouthshut.com case along with Shreya Singhal’s petition and Dilipkumar Tulsidas Shah’s petition.

Rajeev Chandrashekar v. Union of India

Chandrashekar wants the court to declare Section 66A of the IT Act and sections 3(2), 3(3), 3(4) and 3(7) of the IT (Intermediaries Guidelines) Rules, 2011 ultra vires the constitution. This petition is also attached to Shreya Singhal’s case.

Note: Common Cause and People’s Union for Civil Liberties (PUCL) also plan to file petitions that challenge parts of the IT Act and IT rules, and these petitions are likely to be tagged with Shreya Singhal’s case. We will provide an update about these petitions shortly. Additionally, there are some cases pending before various High Courts concerning provisions of the IT Act and Rules.