The Architecture of Cybersecurity Institutions in India

This is an edited excerpt of Part IV and Annexure ‘B’ of CCG’s Comments to the National Security Council Secretariat on the National Cyber Security Strategy 2020 (NCSS 2020). The full text of the Comments can be accessed here.

This consolidated organogram is a depiction of cyber security institutions in India as an inter-ministerial and inter-departmental ecosystem. Different ministries and departments are in charge of different aspects of national security in general and cyber security in particular.

The National Security Advisor (NSA) holds a rank equivalent to a Cabinet Minister in charge of the National Security Council Secretariat (NSCS) and is the apex officer relating to national security. The NSA is also in charge of the National Technical Research Organization (NTRO) which is a technical intelligence agency under the Prime Minister’s Office (PMO). The National Critical Information Infrastructure Protection Centre (NCIIPC) was established under Section 70A of the Information Technology Act, 2000 and functions as a unit of the NTRO. 

The National Cyber Security Coordinator (NCSC) is the nodal officer for issues related to cybersecurity, functioning under the PMO along side the NSCS to coordinate with different agencies like CERT-In at the national level.

Our research reveals that the Ministry of Communications, Ministry of Electronics and Information Technology (MeitY), Ministry of Home Affairs (MHA), Ministry of Defence (MoD) and the Ministry of External Affairs (MEA) are most relevant to the establishment, operation and maintenance of technical and administrative ecosystem that enables cybersecurity. The departmental structure of each of these Ministries is outlined below.

Ministry of Communications

The Ministry of Communications consists of two Departments – (i) Department of Telecommunications (DoT) and the (ii) Department of Posts.

The DoT deals with  (a) issues of policy, licensing and coordination matters relating to telegraphs, telephones, wireless, data, facsimile and telematic services and other like forms of communications, (b) standardization, research and development in telecommunications, (c) procurement of stores and equipment required by the Department of Telecommunications and (d) administration of laws including the Indian Telegraph Act, 1885 (13 of 1885), the Indian Wireless Telegraphy Act, 1933 (17 of 1933), the Telecom Regulatory Authority of India Act, 1997 (24 of 1997), among others. Within its ambit is also the Digital Communications Commission, which is responsible for implementing the Government’s telecom policy in all matters relating to telecommunication.

Ministry of Electronics and Information Technology

The Ministry for Electronics and Information Technology (MeitY) deals with all policy matters relating to information technology, electronics and the internet (barring issues relating to licensing of Internet Service Providers, which fall within the mandate of the DoT). Its major functions include (a) the administration of matters relating to cyber laws including the Information and Technology Act, 2000, (b) Promotion of standardization, testing and quality in IT and standardization of procedure for IT application and Tasks and (c) digital initiatives including Digital India, among others.

Significantly, the Indian Computer Emergency Response Team (CERT-In) as well as the Unique Identification Authority of India (UIDAI) are both within its ambit. The Cyber Swacchta Kendra (Botnet Cleaning and Malware Analysis Center) functions under CERT-In.

Ministry of Home Affairs

The Ministry of Home Affairs (MHA) discharges multifarious responsibilities, the important among them being – internal security, border management, Centre-State relations, administration of Union Territories, management of Central Armed Police Forces, disaster management, etc. The MHA continuously monitors the internal security situation, issues appropriate advisories, shares intelligence inputs, extends manpower and financial support, guidance and expertise to the State Governments for maintenance of security, peace and harmony.

Among others, the MHA’s Cyber and Information Security Division (consisting of the Cyber Crime Wing, Cyber Security Wing and Monitoring Unit) as well as some wings of the Department of Internal Security including the Modernization Division of the Police and the Counter Terrorism and Counter Radicalization Division have particular relevance to cyber security.

The Indian Cyber Crime Coordination Centre (I4C) was established as a scheme in 2018 to combat cyber crime in a coordinated and effective manner.

Ministry of Defence

The MoD is comprised of four Departments – Department of Defence (DOD), Department of Defence Production (DDP), Defence Research & Development Organisation (DRDO) and Department of Ex-Servicemen Welfare and also Finance Division.

A new Department of Military Affairs has been created recently, and is headed by the Chief of Defence Staff, General Bipin Rawat. Departments that have particular relevance to cybersecurity, including the newly established Defence Cyber Agency are highlighted.

Ministry of External Affairs

The Ministry of External Affairs (MEA) is responsible for all matters relating to India’s external affairs including consular functions. Departments / activities that have relevance to cybersecurity are highlighted in purple, including international security, counter terrorism and others. The New Emerging and Strategic Technologies (NEST) Division was recently set up as the nodal point for all matters connected to new and emerging technologies including exchange of views with foreign governments and coordination with domestic ministries and departments.  News reports indicate that a major restructuring of the MEA is in the offing.

CCG’s Comments to the National Security Council Secretariat on the National Cyber Security Strategy 2020

The Centre for Communication Governance at the National Law University Delhi (CCG) is grateful to the National Security Council Secretariat for this opportunity to make meaningful contributions to its mandate of formulating a futuristic National Cyber Security Strategy 2020 (NCSS). In response to the Call for Comments CCG apart from the comments below, CCG has separately submitted detailed comments to the Office of the National Cyber Security Coordinator.

Our comments are a result of original and thorough legal and policy research which draws upon multiple primary sources of information, including applicable domestic and international law and precedents, and a comparative study of the cyber security strategy and policy documents of 16 other countries. Secondary sources such as news reports, statistics on cybercrime and malicious cyber activity compiled and released by various Government departments and agencies and data on budgetary allocations released by the Union Government have also been relied on.

This submission is presented in six parts, supplemented by three annexures that provide insight into our sources, analysis and research methodology.

Part I introduces the background in which this strategy is being formulated, and presents a principled approach to the formulation of cybersecurity policy, that is driven by a coherent strategic framework constructed under the NCSS to guide it.

Part II presents an analysis of the landscape of existing and emergent threats that pose a risk to the cybersecurity of the entire nation. We do so with the objective of identifying areas that need to be accorded a higher priority in the formulation of the NCSS.

Parts III, IV and V correspond to the three pillars of strategy identified in the Call for Comments. Part III deals with the horizontal dimension of strategy and unpacks the contents of the first pillar, i.e., “Secure”, wherein we present for the consideration of the Secretariat, an original three-tiered model of the ‘national cyberspace’ as a roadmap to cyber sovereignty. We submit for consideration for the Secretariat, the adoption of the principle of peaceful uses of cyberspace to align with the nation’s goals of sustainable economic development, while being mindful of the gradual militarization of cyberspace by both state and non-state actors.

Part IV deals with the “Strengthen” pillar in which CCG examines the existing architecture for cybersecurity to analyse the vertical dimensions of strategy. Herein, we propose measures to strengthen institutions, process and capabilities relevant for cyber security.

Part V deals with the third pillar, namely, “Synergise”, which explains how the horizontal and vertical dimensions of the strategy can be integrated in order to optimize levels of inherent friction that could hinder the achievement of strategic and policy goals. We propose that synergies need to be identified and/or created at three levels. First, at the inter-ministerial level, among the government departments and agencies. Second, at the national level, for enhanced cooperation and strategic partnerships between the public and private sectors. Third, at the international level for enhanced cooperation and strategic partnerships with like-minded nations, geared towards building stronger national defences in cyberspace. In this part, we take the Government’s inclination to treat data a “public good” or “societal commons” to its logical conclusion and accordingly, propose a principled, common-but-differentiated-responsibility model between multiple stakeholders in the cybersecurity ecosystem for grounding public private partnerships and pooling of financial resources.

Part VI concludes this submission and presents the major findings, suggestions and recommendations of this submission.

The full text of the comments is available here.

Free Speech & Violent Extremism: Special Rapporteur on Terrorism Weighs in

Written by Nakul Nayak

Yesterday, the Human Rights Council came out with an advance unedited version of a report (A/HRC/31/65) of the Special Rapporteur on protection of human rights while countering terrorism. This report in particular deals with protecting human rights while preventing and countering violent extremism. The Special Rapporteur, Ben Emmerson, has made some interesting remarks on extremist speech and its position in the hierarchy of protected and unprotected speech.

First, it should be noted that the Report tries to grapple with and distinguish between the commonly substituted terms “extremism” and “terrorism”. Noting that violent extremism lacks a consistent definition across countries and in some instances any definition at all, the Report goes on to liken it to terrorism. He also acknowledges the lack of understanding of the “radicalization process”, whereby innocent individuals become violent extremists. While the report does not suggest an approach to defining either term, it briefly contrasts the definitions laid down in various countries. However, there does seem to be some consensus on the ambit of violent extremism being broader than terrorism and consisting a range of subversive activities.

The important section of the Report, from the perspective of free speech, deals with incitement to violent extremism and efforts to counter it. The Report cites UN Resolution 1624(2005) that calls for the need to adopt legislative measures as effective means of addressing incitement to terrorism. However, the Report insists on the existence of “serious human rights concerns linked to the criminalization of incitement, in particular around freedom of expression and the right to privacy.”[1] The Report then goes on to quote the UN Secretary General and the Special Rapporteur on Free Expression laying down various safeguards to laws criminalizing incitement. In particular, these laws must prosecute incitement that is directly related to terrorism, has the intention and effect of promoting terrorism, and includes judicial recourse, among other things.[2]

This gives us an opporutnity to discuss the standards of free speech restrictions in India. While the Supreme Court has expressly imported the American speech-protective standard of incitement to imminent lawless action in Arup Bhuyan, confusion still persists over the applicable standard in any justifying any restriction to free speech. The Supreme Court’s outdated ‘tendency’ test that does not require an intimate connection between speech and action still finds place in today’s law reports. This is evident from the celebrated case of Shreya Singhal. After a lengthy analysis of the public order jurisprudence in India and advocating for a direct connection between speech and public disorder, Justice Nariman muddies the water by examining section 66A of the IT Act under the ‘tendency’ test. Some coherence in incitement standards is needed.

The next pertinent segment of the Report dealt specifically with the impact of State measures on the restriction of expression, especially online content. Interestingly, the Report suggests that “Governments should counter ideas they disagree with, but should not seek to prevent non-violent ideas and opinions from being discussed.”[3] This brings to mind the recent proposal of the National Security Council Secretariat (NSCS) seeking to set up a National Media Analytics Centre (NMAC) to counter negative online narratives through press releases, briefings, and conferences. While nothing concrete has come out, with the proposal still in the pipelines, safeguards must be implemented to assuage chilling effect and privacy concerns. It may be noted here that the Report’s remarks are limited to countering speech that form an indispensible part of the “radicalization process”. However, the NMAC covers negative content across the online spectrum, with its only marker being the “intensity or standing of the post”.

An important paragraph of the report- perhaps the gist of the free speech perspective in the combat of violent extremism- is the visible unease in determining the position of extremist speech glorifying and advocating terrorism. The Report notes the Human Rights Committee’s stand that terms such as “glorifying” terrorism must be clearly defined to avoid unnecessary incursions on free speech. At the same time, the “Secretary General has deprecated the ‘troubling trend’ of criminalizing glorification of terrorism, considering it to be an inappropriate restriction on expression.”[4]

These propositions are in stark contrast to India’s terror legislation, the Unlawful Activities Prevention Act, 1967. Section 13 punishes anyone who “advocates, … advises … the commission of any unlawful activity …” An unlawful activity has been defined in section 2(o) to include speech acts that

• supports a claim of “secession of a part of the territory of India from the Union” or,
• “which disclaims, questions … the sovereignty and territorial integrity of India” or,
• rather draconically, “which causes … disaffection against India.”

It will also be noted that all three offences are content-based restrictions on free speech i.e. limitations based purely on the subjects that the words deal in. Textually, these laws do not necessarily require an examination of the intent of the speaker, the impact of the words on the audience, or indeed the context in which the words are used.

Finally, the Report notes the views of the Special Rapporteur on Free Expression on hate speech and characterizing most efforts to counter them as “misguided”. However, the Report also “recognizes the importance of not letting hate speech go unchecked …” In one sense, the Special Rapporteur expressly rejects American First Amendment jurisprudence, which does not acknowledge hate speech as a permissible restriction to free speech. At the same time, the Report’s insistence that “the underlying causes should also be addressed” instead of being satisfied with mere prosecutions is a policy aspiration that needs serious thought in India.

This Report on violent extremism (as distinct from terrorism) is much-needed and timely. The strong human rights concerns espoused, with its attendant importance attached to a context-driven approach in prosecuting speech acts, are a sobering reminder about the many inadequacies of Indian terror law and its respect for fundamental rights.

Nakul Nayak was a Fellow at the Centre for Communication Governance from 2015-16.

[1] Para 24.

[2] Para 24.

[3] Para 38.

[4] Para 39.