Cybersecurity: CERT-In, Cyber Threats, Data Protection, and Cyber Laws in India

Introduction

Cybersecurity encompasses the technologies, policies, and practices designed to protect digital systems, networks, and data from unauthorized access, attacks, or damage. As India advances its Digital India initiative and aims for a $5 trillion economy by 2030, cybersecurity is critical to safeguarding digital infrastructure, ensuring national security, and fostering public trust in digital governance. The Indian Computer Emergency Response Team (CERT-In), established under the Information Technology (IT) Act, 2000, serves as the nodal agency for responding to cyber threats. India’s legal framework, including the IT Act, its amendments, and the Digital Personal Data Protection (DPDP) Act, 2023, addresses cybercrimes and data privacy. In 2024, India reported over 1.5 million cyber incidents, highlighting the urgency of robust cybersecurity measures.

Fundamentals of Cybersecurity

Cybersecurity ensures the confidentiality, integrity, and availability (CIA triad) of digital systems and data, protecting them from evolving cyber threats in an interconnected world.

  • Core Principles:
    • Confidentiality: Restricts data access to authorized users only, using tools like encryption (e.g., AES-256 for banking transactions).
    • Integrity: Prevents unauthorized data modification, ensuring accuracy through techniques like hash functions.
    • Availability: Ensures systems and data remain accessible despite attacks, such as defending against denial-of-service (DoS) attacks.
  • Key Components:
    • Network Security: Employs firewalls, intrusion detection systems, and virtual private networks (VPNs) to protect communication channels.
    • Endpoint Security: Secures devices like computers and mobiles with antivirus software and secure configurations.
    • Application Security: Uses secure coding practices to prevent vulnerabilities like SQL injection or cross-site scripting.
    • Data Security: Implements encryption, access controls, and anonymization to safeguard sensitive information.
    • Identity and Access Management (IAM): Verifies users through multi-factor authentication (MFA) and role-based access.
  • Advantages:
    • Protects critical infrastructure, such as power grids, banking systems, and Aadhaar databases.
    • Enables secure e-governance, supporting platforms like UMANG and DigiLocker for 900 million internet users.
    • Enhances India’s global digital reputation, attracting foreign investment.
  • Limitations:
    • Rapidly evolving threats, like AI-driven attacks, outpace existing defenses.
    • High costs for advanced cybersecurity infrastructure, estimated at ₹10,000 crore for government systems.
    • Shortage of skilled professionals; India requires 3 million cybersecurity experts by 2030 but has only 40,000 in 2025.

Role of CERT-In

The Indian Computer Emergency Response Team (CERT-In), established under Section 70B of the IT Act, 2000, is India’s nodal agency for cybersecurity, operating under the Ministry of Electronics and Information Technology (MeitY).

  • Mandate:
    • Respond to and mitigate cyber incidents, including malware, phishing, and data breaches.
    • Issue cybersecurity guidelines and advisories to secure digital infrastructure.
    • Coordinate with international CERTs and agencies for cross-border threat response.
    • Promote awareness and capacity building through training programs.
  • Key Functions:
    • Incident Response: CERT-In managed 1.4 million cyber incidents in 2024, including ransomware attacks on financial institutions.
    • Threat Intelligence: Issues real-time advisories on vulnerabilities, such as Microsoft Exchange Server flaws in 2025.
    • Audits and Compliance: Mandates annual cybersecurity audits for critical sectors like banking, healthcare, and energy.
    • Capacity Building: Trained 50,000 professionals in 2024 through Cyber Surakshit Bharat and workshops.
    • International Cooperation: Collaborates with QUAD and G20 nations for joint cyber drills and threat sharing.
  • Key Achievements (2023–2025):
    • In 2023, CERT-In launched the Cyber Threat Intelligence Sharing Platform, integrating data from 300 organizations.
    • In 2024, it reduced incident response time by 20% using AI-based threat detection.
    • In 2025, CERT-In established a national cyber threat intelligence platform, covering 500 organizations and improving early warning systems.

Cyber Threats in India

India’s digital growth, with 900 million internet users and 10 billion IoT devices in 2025, has made it a prime target for cyber threats, impacting governance, economy, and security.

  • Types of Cyber Threats:
    • Malware: Includes ransomware, spyware, and viruses. Ransomware attacks cost Indian businesses ₹500 crore in 2024, targeting banks and hospitals.
    • Phishing: Fraudulent emails or SMS steal credentials; 2 million phishing attempts were reported in 2024, exploiting Aadhaar and banking details.
    • Distributed Denial of Service (DDoS): Overwhelms servers, disrupting e-governance portals like PM-KISAN, with 10,000 attacks in 2024.
    • Data Breaches: Unauthorized access to sensitive data, such as Aadhaar leaks affecting 1 million users in 2023.
    • Advanced Persistent Threats (APTs): State-sponsored attacks, like China’s targeting of India’s power grid in 2024, aimed at critical infrastructure.
    • Deepfakes and Misinformation: AI-generated fake videos impacted elections, with 1 million deepfake cases reported in 2024.
  • Emerging Threats in 2025:
    • AI-Powered Attacks: Adversarial AI manipulates algorithms, compromising autonomous systems like smart city infrastructure.
    • IoT Vulnerabilities: Insecure IoT devices, such as smart meters, serve as entry points for hackers; 20% of devices lack basic security.
    • Supply Chain Attacks: Target software vendors, similar to the global SolarWinds attack, affecting Indian IT firms in 2024.
    • Quantum Threats: Potential for quantum computers to break current encryption, threatening data security by 2030.
  • Impact:
    • Economic losses: Cybercrime cost India ₹1.8 lakh crore in 2024, equivalent to 0.7% of GDP.
    • National security risks: Attempted breaches on DRDO servers in 2024 highlight vulnerabilities.
    • Public trust erosion: Data breaches undermine confidence in digital platforms like UPI and DigiLocker.

Data Protection in India

Data protection is a critical aspect of cybersecurity, ensuring the privacy and security of personal and sensitive information in India’s data-driven economy.

  • Importance:
    • Safeguards sensitive data, such as Aadhaar records for 1.3 billion citizens or health data in Ayushman Bharat.
    • Builds trust in e-governance platforms, enabling services like UMANG, which handled 1.5 million queries monthly in 2025.
    • Aligns with global standards like GDPR, facilitating international data flows and trade.
  • Mechanisms:
    • Encryption: Secures data in transit and at rest using standards like AES-256, critical for UPI transactions processing ₹200 lakh crore annually.
    • Access Controls: Role-based access ensures only authorized personnel access sensitive systems, such as GST databases.
    • Data Anonymization: Removes identifiable information for analytics, used in health and agriculture data studies.
    • Regular Audits: CERT-In mandates annual cybersecurity audits for critical sectors, identifying 10,000 vulnerabilities in 2024.
    • Incident Reporting: Organizations must report breaches within 6 hours under CERT-In’s 2022 Directions.
  • Challenges:
    • Inconsistent data protocols across states and sectors, hindering interoperability.
    • Limited rural digital infrastructure, with only 40% internet penetration in 2025.
    • Low public awareness; 60% of citizens are unaware of data privacy rights under the DPDP Act.
    • High compliance costs, estimated at ₹50,000 crore for businesses adapting to DPDP regulations.

Cyber Laws in India

India’s cyber laws provide the legal framework to combat cybercrimes, protect data, and regulate digital activities. The IT Act, 2000, its amendments, and the DPDP Act, 2023, form the backbone of this framework.

  • Information Technology (IT) Act, 2000:
    • Enacted to regulate e-commerce, cybercrimes, and digital transactions, providing legal recognition to electronic records.
    • Key Provisions:
      • Section 43: Penalizes unauthorized access to computer systems, with fines up to ₹1 crore.
      • Section 66: Addresses hacking, identity theft, and malware distribution, with up to 3 years imprisonment or ₹5 lakh fine.
      • Section 67: Punishes cyber obscenity, including online pornography, with up to 5 years imprisonment.
      • Section 69: Empowers the government to monitor or decrypt data for national security.
      • Section 70B: Establishes CERT-In as the nodal cybersecurity agency.
  • IT Act Amendments:
    • 2008 Amendment:
      • Introduced Section 66A to curb offensive online content, struck down in 2015 (Shreya Singhal case) for violating free speech.
      • Added Section 69A for blocking websites and Section 66F for cyberterrorism, carrying life imprisonment.
      • Strengthened data protection under Section 43A, mandating compensation for data breaches due to negligence.
    • 2020 Amendment (Proposed):
      • Increased penalties for cybercrimes, raising fines to ₹10 crore.
      • Expanded CERT-In’s powers for real-time threat response and mandatory audits.
      • Proposed stricter regulations for social media platforms to combat misinformation.
  • Digital Personal Data Protection (DPDP) Act, 2023:
    • India’s first comprehensive data privacy law, implemented in 2024, inspired by GDPR and tailored to India’s context.
    • Key Features:
      • Applies to digital personal data processed within India or by Indian entities abroad.
      • Mandates consent-based data processing, with exemptions for government services like Aadhaar.
      • Establishes the Data Protection Board of India (DPBI) for enforcement and grievance redressal.
      • Imposes penalties up to ₹250 crore for data breaches or non-compliance.
      • Requires data localization for sensitive personal data, ensuring storage within India.
    • Impact:
      • Strengthened privacy for 900 million internet users, aligning with global standards.
      • Enhanced trust in digital platforms, boosting e-commerce to ₹20 lakh crore in 2024.
    • Challenges:
      • Delayed DPBI establishment, with full operations expected by 2026.
      • Compliance costs burden startups, with 70% reporting financial strain.
      • Balancing localization with global data flows, impacting multinational firms.
  • Other Regulations:
    • CERT-In Cybersecurity Directions (2022): Mandate 6-hour incident reporting, retention of VPN logs for 5 years, and annual cybersecurity audits.
    • Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021: Require social media platforms to trace messages, remove harmful content within 36 hours, and appoint compliance officers.
    • National Cybersecurity Policy (2013): Guides secure digital infrastructure, updated in 2024 to address AI, IoT, and quantum threats.
    • RBI Cybersecurity Framework (2016): Mandates banks to implement two-factor authentication and conduct regular audits.

Recent Developments in India

India’s cybersecurity landscape has evolved rapidly, driven by escalating threats and proactive policy measures.

  • 2023:
    • The DPDP Act was passed, with rules notified in 2024, establishing consent-based data processing and localization norms.
    • CERT-In reported 1.3 million cyber incidents, a 15% increase from 2022, with ransomware targeting healthcare and education sectors.
    • The National Cybersecurity Reference Framework was launched to standardize protections across government agencies.
  • 2024:
    • CERT-In managed 1.4 million cyber incidents, including state-sponsored attacks on power grids and financial institutions.
    • Deployed an AI-powered threat detection platform, reducing response times by 20% and identifying 5,000 new vulnerabilities.
    • India-US Initiative on Critical and Emerging Technology (iCET) initiated joint cyber drills, focusing on critical infrastructure protection.
    • The National Critical Information Infrastructure Protection Centre (NCIIPC) strengthened defenses for 50 critical sectors.
  • 2025:
    • CERT-In launched a national cyber threat intelligence platform, integrating data from 500 organizations for real-time threat analysis.
    • Issued advisories on IoT vulnerabilities, addressing security gaps in 10 billion connected devices.
    • DPDP Act enforcement led to ₹500 crore in fines for data breaches in Q1 2025, targeting non-compliant tech firms.
    • G20 cybersecurity dialogues, led by India, emphasized global cooperation to counter AI-driven threats and deepfakes.
    • Cyber Surakshit Bharat trained 60,000 professionals, focusing on AI and IoT security.

Challenges in Cybersecurity and Data Protection

India faces significant hurdles in building a robust cybersecurity ecosystem to support its digital ambitions.

  • Technical Challenges:
    • Rapidly evolving threats, like zero-day exploits and AI-driven attacks, outpace current defenses, requiring constant updates.
    • Lack of indigenous cybersecurity tools; 70% of software is imported, increasing dependency on foreign vendors.
    • Growing attack surfaces due to IoT and 5G adoption, with 20% of devices lacking basic security protocols.
  • Economic Challenges:
    • India’s cybersecurity spending ($2 billion in 2024) lags behind China ($15 billion) and the US ($40 billion), limiting infrastructure upgrades.
    • Small and medium enterprises face compliance costs of ₹1–5 crore under the DPDP Act, straining budgets.
  • Human Resources:
    • Shortage of 1 million cybersecurity professionals in 2025, against a global demand of 4 million.
    • Low digital literacy; only 30% of citizens use secure passwords or recognize phishing attempts.
  • Regulatory Challenges:
    • Overlapping jurisdictions between CERT-In, DPBI, NCIIPC, and state agencies cause delays in incident response.
    • Slow global harmonization of data privacy laws complicates cross-border data flows, affecting multinational firms.
    • Balancing privacy with government surveillance needs under Section 69 sparks ethical debates.
  • Geopolitical Challenges:
    • State-sponsored cyberattacks, with 500 incidents from China and Pakistan targeting India’s infrastructure in 2024.
    • Sanctions on firms like Huawei limit access to secure 5G/6G technologies, impacting network security.

India’s Strategic Context

  • Opportunities:
    • India’s 3,000+ cybersecurity startups drive innovation, developing AI-based firewalls and threat analytics tools.
    • The DPDP Act positions India as a trusted digital economy, attracting $10 billion in FDI in 2024.
    • QUAD and G20 collaborations enhance India’s global cybersecurity leadership, fostering joint threat response.
    • Indigenous solutions like BharatNet and C-DOT’s secure routers reduce foreign dependency.
  • Challenges:
    • Countering China’s state-backed cyberattacks, which targeted critical sectors like power and defence in 2024.
    • Ensuring cybersecurity in rural areas, with only 40% internet penetration in 2025.
    • Mitigating AI-driven misinformation, with 1 million deepfake cases impacting electoral integrity in 2024.
    • Preparing for quantum computing threats, which could break encryption by 2030.

Future Outlook

  • Short-Term (2025–2030):
    • Full implementation of the DPDP Act, with the DPBI operational by 2026, enforcing data privacy across sectors.
    • CERT-In to train 100,000 professionals annually, addressing the skill gap.
    • Indigenous cybersecurity tools to cover 50% of government systems by 2030, reducing import reliance.
    • Integration of AI and quantum-resistant encryption in 6G networks for enhanced security.
  • Long-Term (2030–2040):
    • 100% protection of critical infrastructure against cyberattacks, leveraging AI and quantum technologies.
    • Development of a national cybersecurity grid, integrating all government and private systems.
    • Global leadership in cybersecurity standards, influencing data protection laws in the Global South.
  • Global Implications:
    • India’s DPDP Act could serve as a model for developing nations, balancing innovation and privacy.
    • Collaborative cyber defense frameworks through QUAD and G20 to counter global threats.
    • Need for international treaties to address AI and quantum-driven cyber risks.
The document Cybersecurity: CERT-In, Cyber Threats, Data Protection, and Cyber Laws in India | Science & Technology for UPSC CSE is a part of the UPSC Course Science & Technology for UPSC CSE.

FAQs on Cybersecurity: CERT-In, Cyber Threats, Data Protection, and Cyber Laws in India - Science & Technology for UPSC CSE

1. What are the key responsibilities of CERT-In in India?
Ans. CERT-In, the Indian Computer Emergency Response Team, is responsible for coordinating responses to cybersecurity incidents, providing technical assistance during cyber crises, and issuing alerts and advisories on cybersecurity threats. It plays a crucial role in enhancing the overall security posture of the digital ecosystem in India by promoting awareness and facilitating the sharing of information about cyber threats.
2. What types of cyber threats are prevalent in India?
Ans. India faces various cyber threats, including malware attacks, phishing scams, ransomware incidents, and data breaches. Additionally, the rise of advanced persistent threats (APTs) and state-sponsored cyber activities has also become a concern. These threats target individuals, businesses, and government entities, posing risks to data integrity, privacy, and national security.
3. How does data protection legislation function in India?
Ans. Data protection in India is governed by laws that aim to safeguard personal data and privacy. The framework includes provisions for consent, data processing, and the rights of individuals regarding their personal information. The Personal Data Protection Bill, which is under consideration, seeks to establish a comprehensive legal regime for data protection, aligning with global standards and addressing the challenges posed by digital technologies.
4. What are the main cyber laws in India?
Ans. The primary cyber laws in India include the Information Technology Act, 2000, which provides a legal framework for electronic governance, cybercrime, and digital signatures. Amendments to this act have introduced provisions to address issues like data protection, privacy, and the regulation of intermediaries. Other relevant laws include the Indian Penal Code and the Copyright Act, which address various aspects of cyber offenses and intellectual property rights.
5. What challenges does India face in the realm of cybersecurity and data protection?
Ans. India faces several challenges in cybersecurity and data protection, including a shortage of skilled professionals, inadequate infrastructure, and the rapid evolution of cyber threats. Additionally, the lack of awareness among users and insufficient implementation of existing laws further complicate the situation. Ensuring compliance with data protection norms and fostering collaboration among stakeholders are essential for addressing these challenges effectively.