ABSTRACT
India today faces cyber attacks every single day. Individuals lose money, hospitals get locked out of patient records, banks face intrusions and government systems are constantly under attack. Organisations that experience these attacks gather intelligence about the nature of the attack and the identity of those behind it. When this intelligence is shared with other organisations and with the government each organisation’s experience becomes a shield for everyone else. However this sharing is not happening effectively in India today because the existing legal framework does not support or protect it. The Information Technology Act 2000[1] was written in a different era and says nothing specific about how threat intelligence should be shared. The Digital Personal Data Protection Act 2023[2] which came much later has actually made things more complicated because sharing threat intelligence often means sharing personal data and the Act creates legal risk for organisations that do so in good faith. The United States passed a dedicated law for this in 2015[3] and the European Union addressed it through GDPR[4] and the NIS2 Directive.[5] India has done neither. This paper looks at the existing Indian legal framework governing Cyber Threat Intelligence sharing, examines where privacy law and cybersecurity requirements conflict with each other and argues for specific legislative reforms that India must urgently adopt.
Keywords: Cyber Threat Intelligence, CTI Sharing, IT Act 2000, DPDP Act 2023, CERT-In, Cybersecurity Law India.
INTRODUCTIONNot a single week passes in India today without a major cyber attack making news. Hospitals lose access to patient records, banks face intrusions, power infrastructure is targeted and government networks come under attack from cybercriminals, hacktivists and state sponsored groups who have identified India’s digital infrastructure as a valuable and vulnerable target.
Organisations that face these attacks do not simply suffer and move on. They collect information about what happened, who was responsible and how the attack was carried out and this collected and analysed information is what we call Cyber Threat Intelligence. It tells security teams not just that an attack occurred but who the attacker was, what methods they used and what indicators to watch for next time. When one organisation shares this with others the same attack does not need to happen twice because a threat identified at one bank can protect every other bank in the country if the intelligence is shared in time.
India recorded more than thirteen lakh cybersecurity incidents in 2022 alone according to CERT-In[6] and this number has only grown since then. Despite this India still has no law that specifically governs how organisations should share this intelligence with each other and with the government. The Information Technology Act 2000[7] was not designed for this purpose and the Digital Personal Data Protection Act 2023[8] has introduced privacy obligations that sit very uncomfortably alongside what effective threat intelligence sharing actually requires. In my opinion this gap directly affects India’s ability to defend itself against cyber attacks and this paper is an attempt to examine what is missing and what needs to change.
[1]The Information Technology Act, 2000 (Act 21 of 2000).
[2]The Digital Personal Data Protection Act, 2023 (Act 22 of 2023).
[3]Cybersecurity Information Sharing Act, 2015, Pub. L. No. 114-113, Division N (United States of America).
[4]Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with regard to the Processing of Personal Data and on the Free Movement of such Data (General Data Protection Regulation) OJ L 119 (European Union, 2016).
[5]Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on Measures for a High Common Level of Cybersecurity across the Union (NIS2 Directive) OJ L 333 (European Union, 2022).
[6]Indian Computer Emergency Response Team, Annual Report 2022 (Ministry of Electronics and Information Technology, Government of India, New Delhi, 2022).
[7]The Information Technology Act, 2000 (Act 21 of 2000).
[8]The Digital Personal Data Protection Act, 2023 (Act 22 of 2023).