Cyber Security — Threats, Framework & Data Protection

Overview

Cyber security refers to the protection of computer systems, networks, programmes, and data from unauthorised access, attack, damage, or theft. For India, it is a matter of national security, economic stability, and individual privacy.

India's digital ecosystem has expanded at an unprecedented pace:

• Aadhaar: Over 1.4 billion enrolments — the world's largest biometric identity system
• UPI: Processing over 14 billion transactions per month (2025), making India's digital payment infrastructure a critical national asset
• Digital India: Government services, defence networks, banking, power grids, and telecom increasingly depend on digital infrastructure
• Data economy: India is the world's second-largest internet user base (~900 million users)

A single successful cyber attack on any of these systems can disrupt governance, cripple the economy, compromise national defence, and erode citizen trust. This makes cyber security a core internal security challenge tested across Prelims, Mains, and Interviews.

Cyber Threats — Types & Classification

Ransomware Trend: Ransomware has emerged as the most disruptive cyber threat globally. India saw a 53% increase in ransomware incidents in 2022 (CERT-In India Ransomware Report 2022). Most impacted sectors: IT/ITeS, finance, and manufacturing. Lockbit was the most commonly observed ransomware variant in India. The shift towards Ransomware-as-a-Service (RaaS) — where ransomware developers lease their tools to affiliates — has lowered the barrier for attackers significantly.

Exam Tip: For Mains, always classify cyber threats into state-sponsored (geopolitical motivation) and non-state (criminal/hacktivist motivation). This analytical framework strengthens your answer structure.

India's Cyber Security Architecture

Remember: CERT-In (under MeitY) handles cyber incidents and response. NCIIPC (under NTRO/PMO) handles critical infrastructure protection. These are the two most frequently confused institutions in Prelims.

CERT-In Directions 2022

On 28 April 2022, MeitY issued directions under Section 70B of the IT Act (effective 27 June 2022) — among the strictest cyber incident reporting norms globally:

Significance: India's 6-hour reporting window is one of the shortest globally (EU's GDPR requires 72 hours; USA has varying timelines). This reflects India's aggressive posture on cyber incident management but has raised concerns about compliance burden on startups and small businesses.

Legal Framework

A. Information Technology Act, 2000 (amended 2008)

India's primary legislation governing cyber space. Key sections relevant for UPSC:

Common Mistake: Students often confuse "struck down" with "read down." Section 66A was struck down (declared unconstitutional and removed). Section 79 was read down (reinterpreted to narrow its scope but remains valid). Section 69A was upheld as constitutional. All three were addressed in the Shreya Singhal judgment.

B. Digital Personal Data Protection (DPDP) Act, 2023

Passed by Lok Sabha on 7 August 2023, by Rajya Sabha on 9 August 2023, and received Presidential assent on 11 August 2023 — India's first comprehensive data protection law. DPDP Rules notified in 2025. The Act replaced the earlier Section 43A of IT Act and the IT (Reasonable Security Practices) Rules, 2011 as the primary data protection framework.

Key distinction: The DPDP Act 2023 follows a blacklist model for cross-border data transfer — personal data can flow everywhere EXCEPT to countries specifically restricted by the government. This contrasts with the EU's GDPR whitelist model, where data only flows to countries with "adequate" protection. As of early 2026, no restricted countries list has been notified, meaning transfers to all countries remain permissible. This is a fundamental conceptual difference tested in Mains.

Cyber Security Linkage: The DPDP Act 2023 complements the IT Act's cyber security framework by imposing mandatory breach notification obligations on Data Fiduciaries to the Data Protection Board. Combined with CERT-In's 6-hour incident reporting mandate (2022 Directions), India now has a dual reporting regime — organisations must notify both CERT-In (within 6 hours for cyber incidents) and the Data Protection Board (for personal data breaches). This overlap creates compliance challenges but also ensures that no breach goes unreported.

C. IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021

Critical Information Infrastructure (CII) Protection

Definition (Section 70, IT Act): "Those computer resources, the incapacitation or destruction of which shall have debilitating impact on national security, economy, public health, or safety."

NCIIPC-Identified CII Sectors:

1. Power and Energy — power grids, nuclear installations, oil and gas
2. Banking, Financial Services, and Insurance (BFSI) — RBI systems, NPCI (UPI backbone), stock exchanges
3. Telecom — undersea cables, mobile networks, internet backbone
4. Transport — railways, aviation (air traffic control), shipping
5. Government — NIC networks, Aadhaar/UIDAI systems, defence networks
6. Strategic/Public Enterprises — ISRO, DRDO, ordnance factories

Key Issue: There is no statutory, publicly available list of designated CII. NCIIPC designates CII on a case-by-case basis and the designations are classified. This lack of transparency has been criticised by experts who argue it creates uncertainty about compliance obligations.

Cyber Warfare & State-Sponsored Threats

Cyber space is now recognised as the fifth domain of warfare (alongside land, sea, air, and space).

Threat Actors Targeting India

India's Position

• Defence Cyber Agency (DCyA) provides tri-service military cyber capabilities
• India has not signed the Budapest Convention on Cybercrime (Council of Europe) — India's objection: the Convention was drafted without developing country participation
• India actively participated in drafting the UN Convention against Cybercrime (adopted 2024) — reflects preference for a UN-led framework over Western-led Budapest Convention
• Need for offensive cyber capabilities — deterrence in cyber space requires ability to respond in kind
• Cyber diplomacy is handled by MEA; India participates in UN GGE (Group of Governmental Experts) and OEWG (Open-Ended Working Group) on cyber norms

National Cyber Security Policy / Strategy

National Cyber Security Policy, 2013

India's first dedicated cyber security policy, released by MeitY (then DeitY) — now largely outdated but remains important for Prelims. Key objectives and features:

• Vision: To build a secure and resilient cyber space for citizens, businesses, and government
• Workforce target: Create a workforce of 5 lakh cyber security professionals through education, training, and skill development
• 24x7 mechanism: Envisioned a national and sectoral round-the-clock mechanism for cyber threat response through NCIIPC and CERT-In
• Sectoral CERTs: Proposed creation of sector-specific CERTs under the umbrella coordination of CERT-In
• Indigenous solutions: Promote R&D for development of indigenous cyber security technologies and solutions
• Public-Private Partnership: Develop effective PPP models for cyber security capacity building
• Open standards: Encourage use of open standards to facilitate interoperability and data exchange
• Testing and certification: Create an assurance framework with designated agencies for testing and certification of IT products
• Reduce national vulnerability to cyber attacks
• Minimise the damage and recovery time from cyber incidents

Limitations: The 2013 policy lacked enforcement mechanisms, had no binding obligations, did not address offensive cyber capabilities, and set no timelines for implementation. Most of the 14 objectives remained unmet, prompting calls for a replacement strategy.

National Cyber Security Strategy (Awaited)

A comprehensive National Cyber Security Strategy has been under preparation (Lt Gen Rajesh Pant, then National Cyber Security Coordinator, led the drafting). As of 2026, the strategy document has not been publicly released, though several components have been implemented through executive directions (such as CERT-In Directions 2022).

Key gap: India currently operates without a single, consolidated, and publicly available national cyber security strategy. The 2013 policy is outdated; CERT-In Directions 2022, DPDP Act 2023, and various institutional mechanisms function as piecemeal measures rather than a unified strategic framework. This fragmentation remains a significant vulnerability — especially as India's digital attack surface expands rapidly with Digital India, UPI, and Aadhaar.

Important for UPSC

Prelims Focus

• CERT-In: Est. 2004, under MeitY, Section 70B of IT Act, 6-hour mandatory incident reporting (2022 Directions)
• NCIIPC: Est. 2014, under NTRO/PMO, Section 70A of IT Act, protects Critical Information Infrastructure
• Section 66A: Struck down in Shreya Singhal v. Union of India (2015) — violated Article 19(1)(a)
• Section 69A: Power to block websites — upheld as constitutional; used for banning Chinese apps (2020)
• DPDP Act 2023: Data Protection Board of India; penalties up to Rs 250 crore; blacklist model for cross-border transfer
• IT Rules 2021: SSMI threshold — 50 lakh+ registered users
• Defence Cyber Agency: Tri-service, approved 2018, operational 2019, reports to CDS
• I4C: Inaugurated 10 Jan 2020, under MHA; 7 components; toll-free helpline 1930; National Cyber Crime Reporting Portal launched Aug 2019
• National Cyber Security Policy 2013: India's first cyber security policy; target of 5 lakh professionals; now largely outdated

Mains GS-3 Dimensions

1. Security vs Privacy: Balancing national security needs (Section 69 interception powers) with fundamental right to privacy (Puttaswamy, 2017)
2. Adequacy of architecture: Is India's fragmented cyber security structure (CERT-In under MeitY, NCIIPC under PMO, CIS under MHA, DCyA under CDS) effective, or does it need a unified Cyber Command?
3. CERT-In 6-hour rule: Impact on ease of doing business vs security imperatives — is 6 hours realistic for small enterprises?
4. Cyber warfare as fifth domain: India's preparedness for state-sponsored cyber attacks; need for offensive capabilities and cyber deterrence doctrine
5. Data protection: DPDP Act 2023 — strengths and weaknesses compared to GDPR; is the blacklist model adequate?
6. Critical infrastructure vulnerability: Lessons from AIIMS attack (Nov 2022 — servers down for 6 days, operations shifted to manual, attack traced to servers in China), power grid probing (2020–2021)
7. Cyber crime coordination: Role of I4C in bridging gaps between Centre and states; effectiveness of 1930 helpline and National Cyber Crime Reporting Portal in addressing citizen grievances

Interview Angles

• Should India develop offensive cyber capabilities openly, or maintain strategic ambiguity?
• How to protect Aadhaar and UPI infrastructure — single points of failure?
• Can India balance Digital India expansion with cyber security readiness?
• Is the DPDP Act 2023 strong enough to protect citizens' data from both private companies and the State?
• The AIIMS ransomware attack (2022) exposed healthcare as critical infrastructure — should hospitals be formally designated as CII under Section 70?
• Is the National Cyber Security Policy 2013 adequate, or does India urgently need the long-awaited National Cyber Security Strategy?
• How effective is the I4C's 1930 helpline and cybercrime.gov.in portal in addressing cyber fraud at scale across states?

Current Affairs Connect

Vocabulary

Phishing

• Pronunciation: /ˈfɪʃ.ɪŋ/
• Definition: A form of cyber attack in which a malicious actor sends fraudulent emails, messages, or creates fake websites that impersonate trusted entities in order to trick victims into revealing sensitive information such as usernames, passwords, and credit card details.
• Origin: A respelling of fishing ("trying to find or catch"), with the ph- influenced by phreaking (fraudulent manipulation of telephone systems); the term emerged in hacker communities in the 1990s, with the earliest documented use in 1996 on the Usenet newsgroup alt.2600.

Malware

• Pronunciation: /ˈmæl.weər/
• Definition: Software intentionally designed to damage, disrupt, or gain unauthorised access to computer systems, encompassing viruses, worms, trojans, ransomware, spyware, and other malicious programmes.
• Origin: A portmanteau of malicious + software; the term was first recorded in 1990 and gained widespread use during the 1990s as internet-connected computer threats proliferated.

Troll

• Pronunciation: /trəʊl/
• Definition: In internet usage, a person who deliberately posts inflammatory, provocative, or off-topic messages in online forums, social media, or comment sections to disrupt discussions, provoke emotional responses, or manipulate public discourse.
• Origin: The internet sense derives from the fishing term trolling (dragging a baited line through water to lure fish), metaphorically describing the act of luring people into emotional reactions; first attested in online communities in the early 1990s, with the earliest Oxford English Dictionary citation from 1992.

Key Terms

CERT-In

• Pronunciation: /sɜːt ɪn/
• Definition: The Indian Computer Emergency Response Team, established in January 2004 and given statutory backing under Section 70B of the Information Technology Act, 2000 (inserted via the 2008 Amendment, effective 27 October 2009), serving as the national nodal agency under the Ministry of Electronics and Information Technology (MeitY) for responding to computer security incidents, issuing threat advisories, tracking cyber intrusions, and coordinating cybersecurity incident management across India. It has authority to call for information from and issue directions to any service provider, intermediary, data centre, or body corporate in India.
• Context: Established by the Government of India in 2004, modelled after the original CERT Coordination Center founded at Carnegie Mellon University (USA) in 1988 following the Morris worm incident. On 28 April 2022, CERT-In issued landmark Directions under Section 70B(6) of the IT Act, mandating that all cyber security incidents — including targeted scanning, ransomware, data breaches, and identity theft — must be reported to CERT-In within 6 hours of being noticed (effective 27 June 2022). The Directions also require entities to maintain ICT system logs for 180 days within Indian jurisdiction. Non-compliance is a criminal offence punishable with up to one year imprisonment or a fine of Rs 1 lakh per instance. CERT-In is distinct from NCIIPC (National Critical Information Infrastructure Protection Centre), which operates under the PMO/NTRO and protects Critical Information Infrastructure under Section 70A.
• UPSC Relevance: GS3 Internal Security — Prelims tests establishment year (2004), parent ministry (MeitY), legal basis (Section 70B of IT Act), and the 6-hour mandatory incident reporting rule (2022 Directions, effective June 2022). Mains asks about India's cyber security architecture — specifically the CERT-In (MeitY) vs NCIIPC (PMO/NTRO) vs Defence Cyber Agency (CDS) fragmentation and whether India needs a unified Cyber Command. Also tested: the impact of the 6-hour rule on ease of doing business vs security imperatives, and CERT-In's role during the AIIMS ransomware attack (November 2022).

IT Act 2000

• Pronunciation: /aɪ.tiː ækt tuː ˈθaʊ.zənd/
• Definition: The Information Technology Act, 2000 (Act No. 21 of 2000), India's primary legislation governing electronic commerce, digital signatures, cybercrime, data protection, and intermediary liability, providing legal recognition for electronic transactions and records, and establishing offences and penalties for cyber crimes including hacking, identity theft, cyber terrorism, and data breaches. It also grants the government powers to intercept, monitor, and block digital content in the interest of national security and public order.
• Context: Enacted by the Parliament of India and notified on 17 October 2000, based on the UNCITRAL Model Law on Electronic Commerce (1996). Significantly amended in 2008 (effective 27 October 2009) to address emerging cyber threats — adding provisions on cyber terrorism (Section 66F), intermediary liability (Section 79 safe harbour), data protection (Section 43A), website blocking (Section 69A), and establishing CERT-In (Section 70B) and NCIIPC (Section 70A). Section 66A, which criminalised "grossly offensive" online speech, was struck down as unconstitutionally vague by the Supreme Court in Shreya Singhal v. Union of India (March 2015) for violating Article 19(1)(a). However, Section 69A (government power to block websites) was upheld as a narrowly drawn provision with adequate safeguards. Despite the 2015 ruling, over 1,307 cases were filed under the struck-down Section 66A after the judgment.
• UPSC Relevance: GS3 Internal Security — Prelims tests key sections: 66A (struck down, Shreya Singhal 2015), 66F (cyber terrorism), 69A (website blocking — upheld), 79 (safe harbour for intermediaries), 70A (NCIIPC), 70B (CERT-In). Mains asks about balancing security with free speech (Section 69 interception powers vs Puttaswamy 2017 privacy right), the adequacy of the IT Act for modern threats (ransomware, deepfakes, AI-driven attacks), and whether a new Digital India Act is needed. A foundational law that connects to the DPDP Act 2023, IT (Intermediary Guidelines) Rules 2021, and the Telecommunications Act 2023.

Sources: CERT-In, MeitY, DPDP Act 2023 — MeitY, PRS India