How ready is India for a cyber pandemic?

Neeladri Bhattacharjee | April 30 | Jamshedpur

In a pandemic-hit world, importance of cyber security has increased with burgeoning cyberattacks across the world. While emergency measured have evaded some catastrophes, legislation for data protection has become increasingly more important.

While Europe deliberates on improving upon their existing Global Data Protection Regulation (GDPR), cybersecurity experts in India have insisted on a similar regulation in India as well. The Personal Data Protection Bill of 2019, thereby looks like a panacea to a long standing issue of data privacy and protection.

‘A Cyber Pandemic after Covid-19’

Gil Shwed, the founder of Israeli cybersecurity firm Check Point, in an online summit last year, had warned the world about a ‘cyber pandemic’ that may come after COVID.

“We know it will happen, and we need to secure it”, he had said. In 2020, his predictions materialised as every country was hit by online attacks of one type or the other. Even the World Health Organization reported a five-fold increase in cyberattacks.

India, like every other country was affected by the burgeoning online attacks.

In a study by tech firm Comparitech and cybersecurity giants Kaspersky, India was ranked as one of the most unsafe countries in terms of cybersecurity. Denmark was deemed as the safest country while Tajikistan was the most unsafe.

Cyberattacks in India

According to the Home Ministry, the number of cyberattacks in India increased from 3,94,499 attacks in 2019 to 11,58,208 – an increase of about 300% (approximately 293.59%).

One of the most common yet widespread attacks has been data breaches, be it the MobiKwik Data Breach, or Facebook Data Breach.

According to IBM’s study on data breaches, the average cost of data reaches has been $2 million. In a country dying for oxygen, that amount is enough to set up two oxygen plants in India, each with a capacity of producing 33,000 litres of oxygen every day.

In response of the attacks, the Ministry of Electronics and Information Technology (MeitY), in co-ordination with Indian Computer Emergency Response Team (CERT-In) took several measures, highlights of which are as follows (Lok Sabha Unstarred question no. 1625):

  • CERT-In issued 23 advisories on various issues of web security, including best practices during work from home. It also conducted 3 cyber crisis exercises for mitigation of pandemic related cyberattacks, wherein 72 organisations participate.
  • Mock drills were conducted for assessment of cyber vulnerabilities as well. In 49 such drills conducted by CERT-In, 434 organisations from different sectors participated.
  • The Government has launched the Cyber Swachhta Kendra (Botnet cleaning and Malware Analysis Centre), which assists in detection and removal of malicious programs.
  • Government has initiated setting up of National Cyber Coordination Centre (NCCC) to generate necessary situational awareness of existing and potential cyber security threats and enable timely information sharing for proactive, preventive and protective actions by individual entities. Phase-I of NCCC has been made operational.

Then where is the problem?

The data protection infrastructure in India brings organisations under the gamut of data protection. The onus of personal data thereby remains the responsibility of the vendor a consumer is using, as per Information Technology Act, 2000 (under Information Technology Amendment, 2008), with the country under no position to safeguard the same.

Under Section 43A of the IT Act, a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.

However, there is no provision for data localisation for organisations – a reason that led to ban of 59 Chinese mobile applications, “in the interest of sovereignty and integrity of India”, under section 69A of the IT Act.

What is data localisation?  

Data Localisation refers to the processing of data from a country in the host country itself and not in some other country. For example, personal data, such as Netflix passwords, credit card details and phone numbers from Mumbai will be processed first in India, even of the website storing them is a Belgian one.

The consequence of such a provision reduces possibilities of personal data breach in foreign countries.

In times when Prime Minister Narendra Modi is pushing for programs such as Digital India, Startup India and Make in India, data localisation becomes increasingly important.

To ensure the same along with an organised infrastructure for data protection under a country, appropriate legislation is necessary, say experts.

Sandeep Sengupta, the director of Indian School of Ethical Hacking, says, “India need a law. Unlike Europe, who have the GDPR to adhere to, India, without proper legislation will fall apart like a house of cards.”


  • Higher funding: Cybersecurity is an issue prioritised by both Europe and United States of America. While funding for the same has thereby increase for them in the 2019-20 session, it has decreased for India.

Compared to the expenditure per country in the European Union, India’s expenditure not even been 25%. The gap in spending has kept on widening ever since. Covering that gap may not give immediate results, but will be a step in the right direction, says Souvik Mal, a senior cyber expert at National Cyber Security services.

  • The Personal Protection of Data Bill: This bill takes a legislative route prevent applications from processing data according to their wishes within India. Inspired by European Union’s Global Data Protection Regulation, it has undergone multiple revisions and was presented by Joint Parliamentary Committee for tabling in 2021.

India may be dreaming of Digital India in a post-pandemic world, but only time will tell whether their attempts for a country run online is a success or a move too soon.