The National Cyber Security Policy of India (NCSP) was rolled out on 2nd July 2013 vide a notification from the Ministry of Communications and Information Technology, Department of Electronics and Information Technology (DEITY).
The policy has a Preamble, Vision statement, Mission, Objectives and Strategies. The Vision statement states the long-term goal of building a secure and resilient cyberspace for its three main stakeholders, i.e. citizens, businesses and government, while the Mission statement spells out the purpose and the primary objective of the policy, which is to protect information and information infrastructure, build capabilities to prevent and respond to cyber threats, reduce vulnerabilities and minimize damage from cyber incidents through a combination of institutional structures, people, processes, technology and cooperation (India. DEITY, 2013).
The purpose of this essay is to discuss what this policy means from the legal perspective for businesses and people and whether additional legal support would be required to make the objectives effective. The Information Technology Act 2000, a substantive and procedural legislation on cyber crimes, was enacted in the year 2000 and amended in the year 2008. No legislative changes have been made after the said policy was notified in the year 2013. The Privacy (Protection) Bill 2013 is ready but yet to be tabled before the Parliament. The essay explores the opportunities and challenges for business and people from the legal context. The discussion is restricted to three ingredients of the policy: a) Creating a Secure Cyber Ecosystem, b) Data protection and Privacy of Citizens and c) Global co-operation for security of cyberspace (India. DEITY, 2013).
1. Creating a Secure Cyber Ecosystem
A. Role of Businesses and Individuals
As per the vision statement, creating a secure and resilient cyberspace is a prerequisite for facilitating the growth and adoption of IT in the country at a large scale (India. DEITY, 2013).
Businesses and people are the enablers to build a secure cyber ecosystem and they are also the beneficiaries. The policy encourages all organizations to develop information security policies duly integrated with their business plans and to implement such policies as per international best practices. It also states that fiscal schemes and incentives be provided to encourage entities to install, strengthen and upgrade information infrastructure with respect to cyber security. Emphasis is also laid on creating an infrastructure for conformity assessment and certification of compliance with cyber security best practices, standards and guidelines (India. DEITY, 2013).
Though the policy has cast an obligation on businesses and home users to secure their IT assets, it entails only voluntary participation and self-regulation. It is an opportunity for industry associations to offer cyber security guidance for business and help sensitize businesses to look at cyber security as a significant business risk (Great Britain. Cabinet Office, 2013). Use of industry-led standards for security that are readily used and understood by businesses can also be encouraged by industry organizations. Compliant businesses can then make this their selling point (Great Britain. Cabinet Office, 2011). In India, CERT-in has taken several steps to promote cyber security for organisations and individuals, which include an awareness initiative, “Secure Your PC” (CERT-in, no date), and has also empanelled information security auditors whose services can be availed by businesses to assess risk and implement security policies. However, the scale of voluntary participation by businesses in IT security processes is largely dependent on the maturity and IS education levels of society. Maturity in India in this respect is still in its nascent stages.
Further, legislative compulsion to conform to an internationally accepted information security standard is only on those entities who handle sensitive personal information. IT Act 2000 mandates ISO/IEC 27001 compliance for such entities u/s 46A. A more explicit legislative overreach making it compulsory for small, medium or large businesses to adhere to an internationally accepted information security standard may become counterproductive and put shackles on business growth due to the cost burden.
The challenge is therefore to find that right balance between voluntary participation and stringent legislation. A soft gradual approach with tax holidays, financial incentives, government funding, public recognition etc. may work and could gradually pave the way to a more defined legislation.
In 1946, The Industrial Employment (Standing Orders) Act 1946 made it mandatory for employers in Industrial Establishments to define conditions of employment and make them known to workers. A parallel can be drawn from this, making it mandatory for businesses to publish their security policy and file an annual compliance report to DEITY, making them entitled to government subsidies, accelerated depreciation on computer equipment, tax exemptions or other incentives (India. Central Government, 1946).
Though regulatory compliance is not mandated by the Policy, the vision of a Secure Cyber Ecosystem proposed by NCSP is an opportunity not only for law makers to frame appropriate legislation but also for the legal fraternity and judiciary to apply and interpret the law in a way that reinforces the urgent need for businesses to secure their IT infrastructure. The Adjudicating Officer appointed under the IT Act as well as the Consumer courts may stress upon this requirement, as inadequate security measures mean negligence and deficiency in service.
B. Software Piracy a major hindrance in security
Software piracy is another major roadblock for creating a secure cyber ecosystem. As per the Shadow Market report of the Business Software Alliance (BSA) for the year 2011, the piracy rate in India is 63% and has fallen by only one percent every year since the year 2004 (BSA, 2012). A study carried out by Reinig and Plice (2010) indicates that software piracy is reduced by an increase in per capita Gross National Income (GNI), and it further states that a one percent increase in the relative size of the country’s IT industry would imply 10% of unauthorized software licenses getting converted to authorized licenses.
BSA, in collaboration with chambers of commerce, has initiated anti-piracy drives to promote the value of software licenses as organizational assets (BS Reporter, 2014). However, such initiatives are not sufficient as they are not helping in regularization of the use of unlicensed software. Further, such initiatives are perceived as an arm-twisting method of forcing compliance (State of Maharashtra Vs Aditya Kuber). Compliance may only be in the form of payment of a penalty and not in letter and spirit, making it very likely that usage of cracked licenses continues.
Anti-piracy provisions are also well enshrined in the IT Act 2000 as well as The Copyright Act 1956 when it was amended in the year 2000 to include the term computer programmes within the definition of literary work, making software license infringement a cognizable offence. Further, the offence under the Copyright Act is not compoundable, which means the option of regularizing the violation and making an out-of-court settlement is not available. The law is therefore stringent enough to act as a deterrent for software piracy.
In spite of initiatives by private organisations to curb piracy and strong IPR legislation, the percentage of piracy is decreasing only at a dismal rate of approximately 1% per annum.
The challenge is multifold and complex. As piracy is more of a commercial and economic offence in which inter-se rights are violated, settlement or compromise between the parties needs to be permitted by law by making the offence compoundable, as was done under the Negotiable Instruments Act in the year 1999. The Government may also announce amnesty schemes urging businesses and corporate bodies to regularize their software usage without penalizing them for past infringements. Software pricing is a very contentious issue in negotiated settlements, thus leading to an increased tendency to mask irregularities, and this trend is likely to continue in emerging economies until the per capita GNI increases. As observed by Gopal and Lawrence (2009), “in the fight against piracy, the legislative and educational weapons may win a few battles, but the overall war against privacy cannot be won without addressing the current draconian pricing policies.” As income levels do affect the ability of consumers to purchase software, a price discrimination model is required to be adopted by the software publishing industry to realize a significant reduction in the global piracy rates (Gopal and Lawrence, 2009). This is a very delicate area, and price discrimination policies will have to be resolved at an international level as the majority of software used by businesses and individuals is owned by foreign companies.
2. Personal Privacy and Data Protection
Protection of citizens' data is one of the objectives stated in the Policy; however, the ground reality and government actions are contrary to this objective. A timely legislative and judicial intervention seems the only recourse to protect the Right to privacy guaranteed by the Constitution.
A. Personal Privacy
The Right of Privacy, as interpreted by the Supreme Court, is a right to lead a life without government interference and is a fundamental right enshrined in the right to Life under the Indian Constitution. Kharak Singh Vs. State of Uttar Pradesh (1964) 1 SCR 332.
Indian Government initiatives like “Netra” and the Central Monitoring Scheme, where surveillance, monitoring and even profiling is being carried out without any legislative overreach and with scant respect for civil liberties, make an utter mockery of democracy and have once again brought the discussion of the balance between national security and personal liberty to the forefront. Collection of personal data, surveillance of unsuspecting citizens and processing of that data through pattern recognition software is illegal, unconstitutional and ultra vires and cannot be justified as a necessary tradeoff for national security (Office of United States High Commissioner of Human Rights, 2008) (Murugeshan, 2013).
Surveillance presently comes under the ambit of the Indian Telegraph Act 1885, a law enacted when mass surveillance was unimaginable. Hence its applicability in the present scenario is limited. This seems to be the most opportune time for judicial review or intervention by way of a public interest litigation to develop and establish the rules of surveillance. The Supreme Court, in the landmark judgment delivered by a 13-judge constitutional bench in the case of Kesavananda Bharati Vs State of Kerala (AIR 1973 SC 1461), ruled, while upholding the fundamental rights of citizens, that the Parliament does not have powers to alter the fundamental features of the Constitution. The fundamental right to Privacy is again at stake and can be protected by timely judicial intervention.
Protection of personal information and sensitive personal information is another aspect of personal privacy. Presently IT Act 2000 (Section 43A) makes it mandatory on organisations that handle sensitive personal information to adhere to a specific information security standard and demonstrate due diligence, failing which, they are exposed to a risk of facing a monetary liability. Section 72A of the IT Act 2000 prescribes a punishment for disclosure of personal information in breach of a lawful contract.
However, there is no protection available to citizens against unauthorized gathering, usage or disclosure of data. Government schemes like ‘Aadhar’ are building a national database of citizens and tagging them without any protection against misuse of the data collected.
The Privacy (Protection) Bill 2013 seeks to build an effective regime to protect the privacy of all persons and their personal data from the government, public authorities, private entities and others, and sets out conditions upon which surveillance of persons and interception and monitoring may be conducted.
The policy clearly mentions, as one of its objectives, protection of information while in process, transit or storage so as to safeguard the privacy of citizens' data. The policy further states that the government shall promote adoption of global best practices in information security and compliance and thereby enhance the cyber security posture, thus operationalizing the data protection requirement to a certain extent (India. DEITY, 2013).
The area of data protection has opened huge opportunities to the legal profession.
Appropriate legislation and litigation will not only be instrumental in developing the law relating to data protection but will also help in crystallizing citizens' rights over their own data and the reciprocal obligations of government and private corporations to protect it.
With collective application of the NCSP, IT Act 2000, timely enactment of the Privacy (Protection) Bill 2013 and judicial precedents, a citizen can expect a reasonable protection of his or her personal data and be assured it is used fairly, for a limited purpose, is kept safe and secure and not transferred elsewhere without adequate protection.
3. Global co-operation for security of cyberspace
NCSP clearly has global cooperation and shared understanding on its agenda. Several criminal investigations and trials meet a dead-end for want of data that are lying on servers outside the country. As there is no common treaty urging countries to share information, requests for information made by investigating agencies to email service providers and social media situated outside India either remain unanswered without any explanation or are refused on the grounds of protection of privacy.
The UK has ratified the Budapest Convention on cyber crime, which proposes measures to be taken at national and international level to deter action directed against the confidentiality, integrity and availability of computer systems (The Budapest Convention, 2001).
The dilemma faced by India and other emerging economies in signing this convention is unique. Gady F (2014) has attributed the reluctance of India to sign the Convention to its diplomatic and economic ties with China and Russia, stating that the way the West perceives its adversaries China and Russia is different from the way New Delhi sees them, as China is an immediate neighbor of India with an unsettled border dispute and a legacy of war, and Russia is India’s biggest weapon supplier.
The National Security Adviser, India, on the other hand, is blaming the U.S. and U.K. agencies and ISPs for being stingy when it comes to sharing of information, citing inability to respond due to privacy laws. India has on several occasions met with a dead end on cyber crime investigations as most of the data and evidence is residing on servers based in the US or UK (The Hindu Reporter, 2013). In one particular instance, when Pune cyber crimes cells were carrying out an investigation in the year 2011 in respect of emails that had caused panic amongst students from the North Eastern region of India and resulted in a mass exodus, the email service providers in the US failed to respond to repeated requests made by the investigating authorities relating to the IP address of the email account, and thus the investigation reached a dead end.
The Budapest Convention, though it aims at international cooperation on cybercrimes, has not taken into consideration issues faced by India or other emerging economies and does not mandate the requested countries to disclose information (Pratap V.S, 2013). Further, states are generally reluctant to ratify or accede to Conventions that they have not helped in developing (United Nations, 2010).
To overcome this impasse, countries will need to develop standard operating procedures where the issues of all the participating countries are taken into consideration. The popular legal maxim of “Not only must justice be done; it must also be seen to be done” is most certainly applicable when it comes to reciprocity in international conventions. A mere appearance of bias is enough for countries to shy away from being a party to a convention. It appears that the ‘ripe moment’ has not yet arrived (Zartman. W, 2001).
Mutual understanding and respect and a common intention of maintaining openness, which is the basic tenor of the internet, have to be present when countries draft and accept international conventions on cyber crime. The actions need to be de-hors the political and economic influence of large and powerful states in international relations (Ji, 2011).
Information security, data protection and privacy in cyberspace are posing unique challenges to the existing laws and the legal system, forcing the same to revisit existing laws and enact new ones. Increased litigation in the area will pave the way for development of law and policy making. With the right balance of education, incentive programs and legislation, creation of a secure cyber ecosystem can be achieved. However, unique challenges such as mandating Information Security standards, Software Piracy, Data Protection and Personal privacy are required to be addressed with flexibility and a proper mix of incentives and legislative overreach. Global cooperation needs a handshake with a genuine intent to mutually cooperate, and the interests of all the participating countries have to be considered; otherwise mutual collaboration is nothing but a hollow phrase.
India. Department of Electronics and Information Technology (2013) National Cyber Security Policy. [Online] Available at: http://deity.gov.in/sites/upload_files/dit/files/National_cyber_security_policy-2013.pdf (Accessed: 13 March 2014)
India. Department of Electronics and Information Technology (2000) The Information Technology Act 2000. [Online] Available at: http://eprocure.gov.in/cppp/sites/default/files/eproc/itact2000.pdf (Accessed: 14 March 2014)
India. Department of Electronics and Information Technology (2000) The Information Technology (Amendment) Act 2008. [Online] Available at: http://deity.gov.in/sites/upload_files/dit/files/downloads/itact2000/it_amendment_act2008.pdf (Accessed: 14 March 2014)
Computer Emergency Response Team, CERT-in (no date) Secureyourpc. [Online] Available at: http://www.cert-in.org.in/secureyourpc.in/SPC_colored_English/large/index.html (Accessed: 14 March 2014)
Great Britain. Cabinet Office (2013) The National Cyber Security Strategy Forward Plans. [Online] Available at: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/265386/The_National_Cyber_Security_Strategy_Our_Forward_Plans_December_2013.pdf (Accessed: 14 March 2014)
Great Britain. Cabinet Office (2011) The UK Cyber Security Strategy. [Online] Available at: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60961/uk-cyber-security-strategy-final.pdf (Accessed: 15 March 2014)
India. Central Government (1946) The Industrial Employment (Standing Orders) Act 1946. [Online] Available at: http://indiankanoon.org/doc/1376794/ (Accessed: 13 March 2014)
Business Software Alliance (2011) Shadow Market 2011 BSA Global Software Piracy Study, Ninth Edition, May 2012. [Online] Available at: http://globalstudy.bsa.org/2011/ (Accessed: 16 March 2014)
Reinig, B.A and Plice, R.K (2010) “Modelling Software Piracy in developed and emerging economies”, 43rd Hawaii International Conference on System Sciences, Honolulu, HI, Jan 2010. IEEE Xplore Digital Library [Online]. Available at: http://ieeexplore.ieee.org/xpl/articleDetails.jsp?tp=&arnumber=5428578&queryText%3Dmodelling+software+piracy (Accessed: 16 March 2014)
BS Reporter (2014) BSA FICCI to launch tool-kit to protect IPR. Business Standard, 20 February [Online]. Available at: http://www.business-standard.com/article/companies/bsa-ficci-to-launch-tool-kit-to-protect-ipr-114022001209_1.html (Accessed: 18 March 2014)
Gopal, R.D and Sanders, G.L (2009) “Global Software Piracy. You can’t get blood out of a turnip”, Communications of the ACM, 43(9), pp 82-29 [Online]. Available at: http://dl.acm.org/citation.cfm?id=348941.349002&coll=DL&dl=GUIDE&CFID=304907372&CFTOKEN=99696387 (Accessed: 16 March 2014)
Kharak Singh vs The State Of U. P. & Others on 18 December, 1962. [Online] Available at: http://indiankanoon.org/doc/619152/ (Accessed: 15 March 2014)
Office of the United Nations High Commissioner for Human Rights (2008) Human Rights, Terrorism and Counter-Terrorism. United Nations, Office of the United Nations High Commissioner for Human Rights, Geneva. [Online] Available at: http://www.ohchr.org/Documents/Publications/Factsheet32EN.pdf (Accessed: 16 March 2014)
Rajani Murugeshan. The Designs of National Level Cyber Security. [Online] Available at: www.seoulcyber2013.kr (Accessed: 16 March 2014)
Annegret Bendiek. At the Limits of the Rule of Law. [Online] Available at: http://www.swp-berlin.org/fileadmin/contents/products/research_papers/2011_RP05_bdk_ks.pdf (Accessed: 16 March 2014)
Data protection – GOV.UK. 2014. [Online] Available at: https://www.gov.uk/data-protection/the-data-protection-act (Accessed: 15 March 2014)
Privacy Protection Bill. [Online] Available at: http://cis-india.org/internet-governance/blog/privacy-protection-bill-2013.pdf (Accessed: 15 March 2014)
Budapest Convention on Cybercrime, 2012. Available at: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/238194/8309.pdf (Accessed: 16 March 2014)
Reporter (2014) NSA scoffs at Indian Prism, favours cooperation on cyber security – The Hindu. 2014. [Online] Available at: http://www.thehindu.com/news/national/nsa-scoffs-at-indian-prism-favours-cooperation-on-cyber-security/article4938279.ece (Accessed: 16 March 2014)
Gady F (2014) The International Relations and Security Network, ‘US-India Cyber Diplomacy: A Waiting Game’. [Online] Available at: http://www.isn.ethz.ch/Digital-Library/Articles/Detail/?lng=en&id=154951 (Accessed: 16 March 2014)
Pratap Vikram Singh (2013) india-wont-sign-budapest-pact-cyber-security. Governance Now, 15 October [Online]. Available at: http://governancenow.com/news/regular-story/india-wont-sign-budapest-pact-cyber-security (Accessed: 18 March 2014)
United Nations (2010) 12th UN Congress on Crime Protection and Criminal, Salvador, Brazil
Kesavananda Bharati Vs State of Kerala AIR 1973 SC 1461
Ji, S. J. (2011) Civil Liberties vs. National Security. [Online] Available at: http://www2.tku.edu.tw/~ti/Journal/8-2/824.pdf (Accessed: 16 March 2014)
Zartman, I. William, ‘The Timing of Peace Initiatives: Hurting Stalemates and Ripe Moments,’ The Global Review of Ethnopolitics, vol. 1, no. 1, September 2001, pp. 8-18. [Online] Available at: http://www.ethnopolitics.org/ethnopolitics/archive/volume_I/issue_1/zartman.pdf (Accessed: 20 March 2014)