The Government of India (Allocation of Business) (Three Hundred and Seventy Seventh Amendment) Rules, 2024 (AoB Rules) were notified on September 27, 2024, to assign responsibilities across different government bodies in the cybersecurity domain. Accordingly, the following items have been added to AoB Rules:
- The Department of Telecommunications (DoT) shall oversee matters relating to the security of telecom networks,
- The Ministry of Electronics and Information Technology (MEITY) shall address matters relating to cyber security as assigned in the IT Act, 2000 and support other ministries/departments on cyber security,
- The Ministry of Home Affairs (MHA) shall oversee matters relating to cyber-crime, and
- The National Security Council Secretariat (NSCS) shall provide overall coordination and strategic direction for cybersecurity.
The designation of NSCS as the nodal agency for providing overall coordination and strategic direction is an important step for enabling inter-ministerial coordination in the cybersecurity domain. This is especially relevant given the rising number of cyber security incidents in India, which grew by a CAGR of over 60% from 2018 to 2022.[i]
Going forward, NSCS would have to establish appropriate coordination mechanisms for addressing various issues, such as duplicative notification obligations in India’s Critical Information Infrastructure (CII) framework, and absence of interactions (both procedural and tech-enabled) between different fraud reporting channels in the digital payment ecosystem.
The need for greater coordination among the agencies involved was highlighted by the Parliamentary Standing Committees on at least two separate occasions. The 59th Report of the Standing Committee on Finance (SCF Report), in July 2023, had recommended establishing a centralised regulatory authority, to specifically focus on cybersecurity, for ensuring greater coordination among relevant entities.[ii] Later, in February 2024, the Standing Committee on Communications and Information Technology, in its 54th Report (SCC&IT Report), recommended assessing the feasibility of having a nodal centre to address cyber-crimes in the financial sector.[iii]
It is generally agreed that most aspects of digital security risk management cannot be successfully addressed by an isolated party.[iv] As such, the amended AoB Rules should set the stage for a cohesive and coordinated approach to cybersecurity, both within the government and with non-governmental stakeholders.
Last Decade: Evolution of regulatory landscape
Cybersecurity is a shared responsibility across multiple government agencies/bodies, each tasked with distinct roles and responsibilities. Government had initiated key steps in 2013 to strengthen capacity when the Cabinet Committee on Security approved the Framework for Enhancing Cyber Security of Indian Cyber Space and allocated the cybersecurity responsibility between three principal organisations: National Technical Research Organisation (NTRO), Ministry of Defence, and MEITY/Indian Computer Emergency Response Team (CERT-In). Under this framework, MHA was tasked with framing policies on classification, handling, and security of information relating to government, and monitoring their implementation.
Since then, various other government agencies/bodies have also assumed different roles and responsibilities in the cybersecurity domain. An illustrative list of these entities and their respective roles is provided in Table 1 below.
|
Government Agencies/Bodies
|
Mandate
|
|
CERT-In
|
National agency for incident response in cybersecurity domain. Mandated with performing various functions such as forecast and alerts of cybersecurity incidents, and coordination of cyber incidents response activities.
|
|
National Cyber Coordination Centre (NCCC)
|
NCCC has been set up under CERT-In to generate situational awareness regarding existing and potential cyber security threats.
|
|
National Critical Information Infrastructure Protection Centre (NCIIPC)
|
National nodal agency in respect of critical information Infrastructure protection. NCIIPC comes under the administrative control of the NTRO.
|
|
NSCS
|
Central body for providing overall coordination and strategic direction for cybersecurity.
|
|
Cyber and Information Security (C&IS) Division
|
Division under the MHA for dealing with matters relating to cybersecurity, cybercrime, National Information Security Policy & Guidelines, NATGRID etc.
|
|
Indian Cybercrime Co-ordination Centre (I4C)
|
Nodal point under MHA to curb cybercrime, engage with law enforcement agencies, and coordinate all activities related to implementation of Mutual Legal Assistance Treaties with other countries related to cybercrimes.
|
Further, sectoral regulators such as Reserve Bank of India (RBI), Securities Exchange Board of India (SEBI), Insurance Regulatory and Development Authority of India (IRDAI), and Department of Telecommunications (DoT) oversee cybersecurity-related issues in their respective domains. Sectoral computer security incident response teams, such as CSIRT-Power and CSIRT-Fin have also been set up for managing cyber security incidents in dedicated sectors.
Coordination: More than the sum of parts
The presence of multiple government bodies in the cybersecurity domain, along with their complementary roles and capabilities, necessitates establishing adequate coordination mechanisms. For instance, addressing cases of cyber frauds in India’s digital payments ecosystem requires close coordination between involved agencies, such as I4C under the MHA, RBI, National Payments Corporation of India (NPCI), DoT, MEITY, Cert-In, and Law Enforcement Agencies (LEAs). As per the SCC&IT Report, while these agencies have taken different initiatives at their level to address issues related to cyber security and cyber frauds, effective coordination among them is currently missing.[v]
A macroscopic view of India’s cybersecurity landscape also points to the importance of the private sector, which has led the way in developing strong policies and standards.[vi] A coordinated approach to cybersecurity can further leverage the expertise of private sector and facilitate cooperation on relevant areas of focus, such as information sharing, talent shortage, and capacity building to further strengthen the ecosystem.
Incident reporting frameworks are another area of focus which can benefit from government-industry cooperation. Given the presence of multiple government agencies, understanding industry’s perspective on various aspects, including multiplicity of reporting obligations, use of different formats, stipulated timelines, and frequency of mandated audits, becomes critical for effectively responding to cybersecurity challenges.
India’s efforts to foster a coordinated approach to cyber security are in line with what is happening the world over.[vii] For example:
- The UK in 2022 focused its National Cyber Strategy to implement a holistic approach to cyber policy. As part of this strategy, the UK has set up the National Cyber Advisory Board as a forum of engagement between government, industry, and academia.
- The US set up the Office of the National Cyber Director in 2021, which, among other mandates, coordinates with federal agencies for implementing the new National Cybersecurity Strategy of 2023.
- The EU has, since 2019, taken multiple significant steps towards strengthening, integrating and harmonising its cyber security efforts among its member states.[viii] The Joint Cyber Unit, as outlined in the EU Cybersecurity Strategy of 2020, works to strengthen coordination among involved stakeholders in the EU.
- Singapore updated its Cybersecurity Strategy in 2021 to highlight focus on international co-operation, in addition to building resilient infrastructure and a safer cyberspace. Under the pillar of building resilient infrastructure, the Strategy focuses on taking a coordinated approach to national cybersecurity.
- Japan has over the last six years invested significantly in improving its cyber security apparatus and more recently, in 2024, announced a significant shift in its cyber strategy by including active cyber defence, which is under debate.[ix]
Given India’s growing role in a global economy, the focus on coordination and cooperation in the cybersecurity domain is expected to be crucial both domestically and internationally. This is likely to require a significant capability to engage effectively in the ecosystem and to deliver optimum outcomes.
[ii] Standing Committee on Finance (2022-2023), Cyber Security and Rising Incidence of Cyber/White Collar Crimes (July 2023), at page no. 64. (“While the NSCS is responsible for coordinating, overseeing, and ensuing compliance of cyber security policies, there is no central authority or agency solely dedicated to cyber security. The Committee feel that the existing decentralised approach disperses regulation and control and thus hinders unified direction and a proactive approach to combating cyber threats. The Committee, therefore, strongly recommend establishment of a centralised overarching regulatory authority specifically focused on cyber security.”)
[iii] Standing Committee on Communications and Information Technology (2023-24), Digital Payment and Online Security Measures for Data Protection (February 2024), at page no. 42. (“…the Committee are concerned to note that that effective coordination among the different agencies which is required to tackle cybercrime is found wanting going by the rising magnitude of cybercrimes. To fight the menace of cybercrimes, better management and coordination among all the agencies involved are sine qua non. The Committee would like the Ministry to see the feasibility of having a nodal centre which houses representatives of all the agencies to address issues holistically.”)
