What is India's cybersecurity threat landscape?

India faces a RAPIDLY EXPANDING cyber threat landscape driven by the digital economy boom (UPI, India Stack, e-governance, AI). KEY STATISTICS: (1) CERT-In handled ~13.91 LAKH cyber incidents in 2022 (latest annual report) — up from ~3.94 lakh in 2019 — a 3.5× increase in 3 years; (2) Ransomware attacks on Indian organisations grew ~50% in 2023 (CERT-In data); (3) India ranks 4TH globally in cyber attacks (CrowdStrike); (4) Average COST of a data breach in India ~$2.18 million (IBM 2023); (5) PHISHING attacks doubled post-2020; (6) ~50,000+ Indian websites compromised yearly. MAJOR THREATS: (1) RANSOMWARE — particularly targeting hospitals, banks, government; (2) NATION-STATE attacks — China (APT41, Mustang Panda), Pakistan (SideCopy), North Korea (Lazarus); (3) PHISHING + smishing (SMS phishing) — affects millions of users; (4) FINANCIAL FRAUD — UPI fraud, digital arrest scams ~₹1,750 crore lost in 2023 (per RBI); (5) CRITICAL INFRASTRUCTURE — power grids, ports, water utilities at risk; (6) AI-POWERED attacks emerging — deepfakes, automated phishing; (7) IoT vulnerabilities — connected devices, smart meters, cars. KEY INCIDENTS: (1) NOVEMBER 2022 — AIIMS Delhi ransomware attack disrupted hospital for ~2 weeks; ₹200 crore demand; (2) AUGUST 2018 — Cosmos Bank, Pune — ₹94 crore stolen via cloned cards; (3) OCTOBER 2020 — Kudankulam Nuclear Power Plant intrusion (linked to DPRK); (4) MAY 2021 — Air India data leak; (5) Various 2023-24 incidents including HinduJaa Foundation, Star Health Insurance breach. CYBER THREATS to ELECTIONS — generative AI deepfakes in 2024 Lok Sabha; deepfake detection ongoing concern.

What is CERT-In and how does it work?

INDIAN COMPUTER EMERGENCY RESPONSE TEAM (CERT-In) is the NODAL NATIONAL AGENCY for cybersecurity incident response in India. ESTABLISHED in JANUARY 2004 by the Ministry of Electronics & Information Technology (MeitY) under SECTION 70B of the IT (Amendment) Act 2008 (gave statutory backing). HQ NEW DELHI. KEY FUNCTIONS: (1) COLLECT, ANALYSE, DISSEMINATE information on cyber incidents; (2) FORECAST, ALERT for cyber threats; (3) ISSUE GUIDELINES, ADVISORIES, vulnerability notes; (4) COORDINATE RESPONSE to cyber incidents nationally; (5) Operate INDIA's NATIONAL CYBER COORDINATION CENTRE (NCCC, launched 2017) — monitors metadata-level cyber activity, threats; (6) SECTOR-specific CERTs — CERT-Fin (Financial), CERT-Power, CERT-Telecom; CERT coordination with states. CRITICAL DIRECTIVES (28 APRIL 2022 'CERT-In Directions'): (1) MANDATORY REPORTING of cyber incidents within 6 HOURS by all service providers, intermediaries, body corporates; (2) MAINTAIN LOGS for 180 days within India; (3) VPN providers, data centres, virtual asset service providers must MAINTAIN CUSTOMER KYC data for 5 years; (4) GLOBAL CYBER SECURITY EXERCISES — coordinate with US-CERT, UK-CERT, Singapore, Australia, ASEAN CERT, Asia Pacific CERT. STAFF: ~400+ cybersecurity professionals. INTERNATIONAL ENGAGEMENT — CERT-In is FIRST/AsiaPacific signatory; participated in Indo-US iCET cybersecurity collaboration; QUAD cybersecurity working group. RECENT DEVELOPMENTS: (1) National Cyber Crisis Management Plan; (2) Cyber Surakshit Bharat (2018) — capacity building for government CISOs; (3) Cyber Hygiene Centre — public-facing tools; (4) Coordination during AIIMS attack 2022. CERT-In's mandate has expanded substantially since 2017 — but capacity and authority gap remains.

What is NCIIPC and how does it protect critical infrastructure?

NATIONAL CRITICAL INFORMATION INFRASTRUCTURE PROTECTION CENTRE (NCIIPC) was established on 16 JANUARY 2014 under SECTION 70A of the IT (Amendment) Act 2008. It is the NODAL AGENCY for the protection of Critical Information Infrastructure (CII) in India. PARENT: National Technical Research Organisation (NTRO) — India's premier technical intelligence agency under National Security Adviser. HQ DELHI. SECTION 70(1) of IT Act DEFINES CRITICAL INFORMATION INFRASTRUCTURE as 'computer resource the incapacitation or destruction of which shall have debilitating impact on national security, economy, public health or safety.' SEVEN SECTORS DESIGNATED as CII: (1) POWER & ENERGY — power grid, oil refineries, gas pipelines; (2) BANKING, FINANCIAL SERVICES & INSURANCE (BFSI) — RBI infrastructure, NPCI (UPI), SBI, major banks, payment systems; (3) TELECOM — Reliance Jio, Bharti Airtel, BSNL backbone, submarine cables; (4) TRANSPORT — Indian Railways, airports (Delhi, Mumbai, Bangalore), major ports (JNPT, Chennai); (5) GOVERNMENT — strategic e-governance systems (e-office, MCA21, GST); (6) STRATEGIC & PUBLIC ENTERPRISES — defence PSUs (HAL, BEL, BEL, BDL, BHEL, NTPC); (7) HEALTH — major hospital networks (AIIMS, Tata Memorial, MAX, Apollo); designated databases. NCIIPC FUNCTIONS: (1) Designate CII sectors and entities; (2) Issue Standard Operating Procedures (SOPs); (3) Conduct security audits; (4) Coordinate response to attacks on CII; (5) RESPONSIBLE DISCLOSURE programme for security researchers; (6) Threat intelligence sharing; (7) Cyber crisis management. SECTION 70(3) — Penalty up to 10 YEARS imprisonment for unauthorised access to CII (similar to Espionage Act). NCIIPC works in CONCERT with CERT-In (CERT-In handles incidents; NCIIPC handles critical infrastructure protection specifically). RECENT ACTIVITY: NCIIPC issued advisories during AIIMS attack 2022, Kudankulam intrusion 2020. CHALLENGES: (1) Limited STAFF (~150-200); (2) DEPENDENCY on private sector security; (3) Coordination with sector regulators (RBI, SEBI, IRDA, PNGRB); (4) GROWING attack surface as digitalisation expands.

What is the IT Act 2000 and DPDP Act 2023?

INFORMATION TECHNOLOGY ACT 2000 (IT Act 2000), enacted 17 OCTOBER 2000, is India's foundational cyber law. Significantly amended by IT (AMENDMENT) ACT 2008. KEY PROVISIONS: (1) LEGAL RECOGNITION of ELECTRONIC RECORDS and DIGITAL SIGNATURES; (2) CYBER CRIMES — Section 65 (tampering with computer source code), Section 66 (hacking; max 3 yrs + ₹5 lakh); Section 66B (receiving stolen device); Section 66C (identity theft); Section 66D (cheating by impersonation using computer); Section 66E (violation of privacy); Section 66F (CYBER TERRORISM — max LIFE imprisonment); Section 67 (publishing obscene material; max 5 yrs + ₹10 lakh); Section 67A (sexually explicit material); Section 67B (child pornography); Section 69 (interception, monitoring); (3) CYBER REGULATORY AUTHORITY — Controller of Certifying Authorities (CCA); (4) ADJUDICATING OFFICERS at state level; (5) CYBER APPELLATE TRIBUNAL — abolished 2017, merged with TDSAT (Telecom Disputes Settlement Tribunal). 2008 AMENDMENT — added: (1) Section 66A (objectionable messages — STRUCK DOWN by SC in Shreya Singhal 2015); (2) Section 67A/B; (3) Section 70A (NCIIPC) + 70B (CERT-In); (4) Section 79 (intermediary liability — safe harbour). IT RULES 2021 — Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules — require social media platforms with 50+ lakh users to appoint Indian compliance officers, traceability requirements (challenged by WhatsApp); rules for OTT and online news. 2023 DRAFT IT Rules amendments. DIGITAL PERSONAL DATA PROTECTION ACT 2023 (DPDP Act 2023), enacted 11 AUGUST 2023 — India's first dedicated data protection law: (1) Defines PERSONAL DATA and consent requirements; (2) Establishes DATA PROTECTION BOARD of INDIA; (3) Rights — to access, correction, erasure, grievance redressal; (4) Significant penalties up to ₹250 CRORE for major violations; (5) CHILD DATA — special protection; verifiable parental consent required; (6) Cross-border data transfer rules; (7) Notable exemptions for state agencies (national security); (8) Implementation rules expected 2024-25. The IT Act 2000 + IT Rules 2021 + DPDP Act 2023 together form India's cyber legal framework — replacing what was earlier dispersed across various provisions.

What is India's cybersecurity policy and where is it going?

NATIONAL CYBER SECURITY POLICY 2013 — India's FIRST and currently ONLY comprehensive national cyber policy. Notified by MeitY in JULY 2013. VISION: 'To build a SECURE and RESILIENT CYBERSPACE for citizens, businesses, and government.' KEY OBJECTIVES (4 broad areas): (1) PROTECT CRITICAL INFRASTRUCTURE; (2) DEVELOP CAPACITY (skilled professionals, R&D); (3) ENHANCE COOPERATION with international partners; (4) Cyber AWARENESS for citizens. NCSP 2013 created the ROADMAP for: (1) NCIIPC (operationalised 2014); (2) CERT-In expansion; (3) Cyber awareness campaigns; (4) National Cyber Coordination Centre (NCCC, 2017); (5) Cyber Surakshit Bharat 2018. NCSP 2013 has been overdue for revision — NATIONAL CYBER SECURITY STRATEGY 2020 was drafted but never released officially (Lt Gen Rajesh Pant, India's first National Cyber Security Coordinator, led drafting). CURRENT INSTITUTIONAL ARCHITECTURE: (1) National Cyber Security Coordinator (NCSC) — under NSA; (2) National Information Board (Cabinet Secretariat); (3) National Crisis Management Committee (during cyber crises); (4) National Investigation Agency (NIA) — for cyber-related terrorism. KEY INITIATIVES (2018-25): (1) CYBER SURAKSHIT BHARAT — CISO capacity building; (2) CYBER SWACHHTA KENDRA (Botnet Cleaning & Malware Analysis Centre) by CERT-In; (3) CYBER HYGIENE CENTRE — public tools; (4) SAFER INTERNET DAY participation; (5) Indo-US iCET cybersecurity collaboration; (6) QUAD cybersecurity working group; (7) ISA — Information Sharing & Analysis Centre proposals. PATH FORWARD: (1) Release of National Cyber Security STRATEGY 2024+; (2) National Cyber Security Agency proposal (Pant Committee 2020); (3) Strengthen cybersecurity workforce — India has ~5 lakh cyber professionals vs estimated need of 10-15 lakh; (4) DPDP Act 2023 implementation; (5) AI-specific cyber rules; (6) Strengthen telecom security (Telecom Act 2023); (7) Joint Cyber Doctrine for armed forces; (8) International cybersecurity diplomacy (UN OEWG, GGE). India is building cybersecurity architecture in real-time as the digital economy expands.

Cybersecurity in India — CERT-In, NCIIPC, DPDP Act 2023 | UPSC Notes

Why this matters now

India's digital economy now runs the world's largest real-time payments system (UPI), India Stack public infrastructure, the world's largest national biometric identity (Aadhaar), and the world's third-largest internet user base. Every one of these is an attack surface. Three reasons cybersecurity deserves its own GS-3 deep-dive. First, the threat landscape has grown 3.5× since 2019. Second, the legal-institutional architecture (IT Act, DPDP Act, CERT-In, NCIIPC) has not kept pace and is being rebuilt in real time. Third, recent incidents (AIIMS 2022, Kudankulam 2020, Cosmos Bank 2018) have brought cybersecurity into mainstream policy debate.

13.9 L

CERT-In incidents 2022

4th

Global cyber attack rank

CII sectors

₹250 cr

DPDP max penalty

Threat landscape

Ransomware — targeting hospitals, banks, government; ~50% increase in 2023;
Nation-state attacks — China (APT41, Mustang Panda), Pakistan (SideCopy), North Korea (Lazarus);
Phishing + smishing — affects millions;
Financial fraud — UPI fraud, digital arrest scams; ~₹1,750 crore lost in 2023 per RBI;
Critical infrastructure — power grids, ports, water utilities;
AI-powered attacks emerging — deepfakes, automated phishing;
IoT vulnerabilities — connected devices, smart meters, cars;
Election threats — generative AI deepfakes in 2024 Lok Sabha.

Major incidents

Year	Incident	Impact
2018	Cosmos Bank, Pune	₹94 crore stolen via cloned ATM cards
2020	Kudankulam Nuclear Power Plant intrusion	Linked to North Korea (Lazarus)
2021	Air India data leak	~45 lakh passenger records
2022 (Nov)	AIIMS Delhi ransomware	Systems down ~2 weeks; ₹200 crore demand
2023	Star Health Insurance breach	3+ crore customer records
2024	Generative AI deepfakes during Lok Sabha	Multiple political figures impersonated

Indian Computer Emergency Response Team (CERT-In)

India's nodal national cybersecurity incident-response agency. Established January 2004 by MeitY; given statutory backing through Section 70B of the IT (Amendment) Act 2008.

Functions

Collect, analyse, disseminate cyber incident information;
Forecast and alert on cyber threats;
Issue guidelines, advisories, vulnerability notes;
Coordinate national response to cyber incidents;
Operate the National Cyber Coordination Centre (NCCC, 2017);
Coordinate sector-specific CERTs — CERT-Fin (financial), CERT-Power, CERT-Telecom.

CERT-In Directions, 28 April 2022

Major regulatory expansion:

Mandatory reporting of cyber incidents within 6 hours;
Maintain logs for 180 days within India;
VPN providers, data centres, virtual asset service providers must maintain customer KYC for 5 years;
Global cybersecurity coordination — US-CERT, UK-CERT, ASEAN CERT, Asia-Pacific CERT.

NCIIPC and Critical Information Infrastructure

National Critical Information Infrastructure Protection Centre — established 16 January 2014 under Section 70A of the IT (Amendment) Act 2008. Parent: National Technical Research Organisation (NTRO) under the National Security Adviser.

Section 70(1) of the IT Act defines Critical Information Infrastructure as "computer resource the incapacitation or destruction of which shall have debilitating impact on national security, economy, public health or safety."

Seven CII sectors

Power & Energy — grid, refineries, gas pipelines;
BFSI — RBI, NPCI, banks, payment systems;
Telecom — Jio, Airtel, BSNL, submarine cables;
Transport — Railways, airports, ports;
Government — strategic e-governance (MCA21, GST, e-Office);
Strategic & Public Enterprises — HAL, BEL, BHEL, NTPC;
Health — major hospital networks and databases.

Section 70(3) — penalty up to 10 years imprisonment for unauthorised access to CII.

IT Act 2000 + 2008 Amendment

India's foundational cyber law. Enacted 17 October 2000; significantly amended 2008.

Key cybercrime sections

Section	Offence
65	Tampering with computer source code
66	Hacking (max 3 years + ₹5 lakh)
66B	Receiving stolen device
66C	Identity theft
66D	Cheating by impersonation using computer
66E	Violation of privacy
66F	Cyber terrorism (max life imprisonment)
67	Publishing obscene material
67A/B	Sexually explicit material / child pornography
69	Interception, monitoring

Section 66A (objectionable messages) was struck down by the Supreme Court in Shreya Singhal v. Union of India (2015) as violative of Article 19(1)(a).

IT Rules 2021

Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules — require platforms with 50+ lakh users to appoint Indian compliance officers, address traceability requirements (challenged by WhatsApp), and regulate OTT and online news.

DPDP Act 2023

The Digital Personal Data Protection Act 2023, enacted 11 August 2023 — India's first dedicated data protection law.

Defines personal data and consent requirements;
Establishes Data Protection Board of India;
Rights — access, correction, erasure, grievance redressal;
Significant penalties up to ₹250 crore for major violations;
Child data — verifiable parental consent required;
Cross-border data transfer rules;
Exemptions for state agencies (national security);
Implementation rules expected 2024-25.

DPDP also amended Section 8(1)(j) of RTI to broaden personal-information exemption — currently being challenged in the Supreme Court.

National Cyber Security Policy 2013 — and the proposed 2024 strategy

NCSP 2013 notified July 2013. India's first and currently only comprehensive national cyber policy. Vision: "To build a secure and resilient cyberspace for citizens, businesses, and government."

Four broad objectives:

Protect critical infrastructure;
Develop capacity (skilled professionals, R&D);
Enhance cooperation with international partners;
Cyber awareness for citizens.

NCSP 2013 created the roadmap for NCIIPC (2014), CERT-In expansion, NCCC (2017), and Cyber Surakshit Bharat (2018). A draft National Cyber Security Strategy 2020 was prepared by Lt Gen Rajesh Pant (India's first National Cyber Security Coordinator) but never officially released. The expected 2024+ strategy is overdue.

Key cybersecurity programmes

Cyber Surakshit Bharat (2018) — CISO capacity building;
Cyber Swachhta Kendra — Botnet Cleaning & Malware Analysis Centre by CERT-In;
Cyber Hygiene Centre — public tools;
National Cyber Coordination Centre (NCCC) — 2017; metadata-level monitoring;
I4C — Indian Cyber Crime Coordination Centre (MHA, 2020);
Cyber Crime Reporting Portal — cybercrime.gov.in;
Citizen Helpline 1930 — cyber financial fraud reporting;
Indo-US iCET cybersecurity collaboration;
QUAD cybersecurity working group;
Information Sharing & Analysis Centres (ISAC).

Gaps and path forward

Workforce gap — India has ~5 lakh cyber professionals vs estimated need of 10-15 lakh;
Strategy overdue — National Cyber Security Strategy 2024+ still pending release;
Sector coordination — RBI, SEBI, IRDA, TRAI, PNGRB silos;
Private sector engagement — limited threat intelligence sharing;
Cross-border data — DPDP transfer rules pending;
Pegasus and surveillance — accountability framework needed;
AI security rules — emerging deepfake threat;
State CERTs — only a few state-level CERTs operational;
Joint Cyber Doctrine for armed forces — being developed.

"India's cybersecurity stack is being built while the threats it must counter are evolving faster than the law. The next decade will be defined by whether India can close the workforce, institutional, and legal gaps before the next major critical-infrastructure attack." — paraphrasing a recurring Standing Committee on Communications & IT theme

UPSC PYQs and likely future questions

UPSC angle

Cybersecurity is now a recurring GS-3 theme. Strong answers cite CERT-In's 2022 directions, NCIIPC's 7 CII sectors, the IT Act's key sections (66, 66F, 70A, 70B), the DPDP Act 2023, and recent incidents (AIIMS, Kudankulam, Cosmos Bank).

2018 GS-3: "Discuss the potential threats of cyber attack and the security framework to prevent it."
2022 GS-3: "What are the different elements of cyber security? Keeping in view the challenges in cyber security, examine the extent to which India has successfully developed a comprehensive National Cyber Security Strategy."
2024 GS-3: "Discuss the role of CERT-In and NCIIPC in protecting India's Critical Information Infrastructure. What are the recent challenges?"
2020 GS-3: "Examine the role of supercomputers in the development of India's cyber and digital infrastructure."
Likely 2026: "Examine the Digital Personal Data Protection Act 2023 in the context of India's cybersecurity architecture. What are the implementation challenges?"
Likely 2026: "Discuss the AIIMS Delhi 2022 ransomware attack as a case study for India's critical-infrastructure cybersecurity. What lessons for policy?"

🔐

Internal Security cluster — 3/4

One more deep-dive remaining: Coastal & Maritime Security (post-26/11 architecture). Closes Internal Security at 4/4.

All deep-dives →