By Matt Weis — 

From April 29-30, India hosted its first major cybersecurity exercise, titled Cyberex, reflecting growing concerns over the country’s cybersecurity. These concerns are well founded. Potential economic losses from cyberattacks in the Asia-Pacific region reached $1.745 trillion, or 7 percent of regional gross domestic product during 2017, according to a Microsoft report. In the same year, 700 Indian government websites were hacked, and 76 percent of Indian companies experienced breaches in 2018. The struggle to prevent cyberattacks has not led to any legislative changes – India’s National Cyber Security Policy is now six years old, and only provides a framework without any regulations or guidelines to bolster investment in cybersecurity.  To remedy this, India should craft a new law based on the Reserve Bank of India’s (RBI) guidelines to strengthen cybersecurity legislation across all sectors and increase cybersecurity cooperation with the United States.

The RBI published its first cybersecurity recommendations in 2011, followed by guidelines 2016 and 2018. A survey by Symantec identified regulatory measures as the single largest driver of information security investment in India, highlighting the crucial role they play in helping secure the most lucrative targets for cyberattacks. Furthermore, the continuous progression of RBI’s cybersecurity legislation demonstrates their feasibility in the private sector. Unfortunately, 76 percent of cyberattacks in India do not target the financial sector, leaving the security of intellectual property (IP) and personal data up to individual companies. If Prime Minister Modi wants a “cyberspace free from disruption and conflict,” using RBI’s guidelines as a model for expanding cybersecurity legislation in India would be a great first step. Without further government support, cyberattacks could hinder India’s economic growth.

As India’s economy continues to digitize, cyberattacks will pose an increasing threat without government support to drive investment in cybersecurity. Despite India’s booming information technology sector, which already employs approximately 4 million people and is expected to grow to $350 billion by 2025, the country faces a huge cybersecurity workforce shortage. The continued growth of cyberattacks in India could harm its own economy as well as U.S. and European companies. India currently holds 38 percent of global market share in business process management, and exports 88 percent of its information technology and business process management (IT-BPM) services to the United States and European Union.

As India’s IT-BPM sector continues to grow, it will handle an increasing amount of sensitive information for U.S. and European businesses, further heightening the impact of exploits or hacks. Compromised systems can then be used to spread malware to clients’ computers, creating further issues as more systems become infected. If Indian firms cannot protect themselves from cyberattacks, U.S. and E.U. companies will have little choice but to look to other countries for IT-BPM imports. However, both the United States and India face similar cyber threats, and should use it as an opportunity to build on their preexisting partnership.

The United States signed a cybersecurity agreement in 2011 with India that was limited to information sharing between the Indian Computer Emergency Response Team (CERT-In) and the Department of Homeland Security (DHS). The United States and India also signed a “Framework for the U.S.-India Cyber Relationship” in August 2016, emphasizing the importance of continued cybersecurity cooperation. Cyberex brought together the National Technical Research Organization, National Security Council Secretariat, Defence Research and Development Organization, National Informatics Center, and CERT-In, as well as all three branches of India’s military. Moving forward, India should invite DHS as an observer for future iterations of the exercise to promote further cooperation between the two. Increasing cybersecurity cooperation would signal that cyberattacks targeting the private sector will not be taken lightly. Altogether, these actions would have the potential to deepen the U.S.-India relationship, and help protect both countries against cyber threats.

To bolster its cybersecurity, the government of India needs to strengthen its outdated legislation by using RBI’s guidelines, and build upon its partnership with the United States These steps would push India towards protecting its private sector and increase the difficulty of future attacks. Although increased cybersecurity regulations would impose additional costs on businesses, these measures will pay off in the long term. Increasing the cost and difficulty of conducting cyberattacks decreases the likelihood of state actors conducting them. This along with increasing efforts towards public attribution and increased U.S.-India cooperation on cybersecurity would greatly reduce the risk of state-sponsored IP theft undermining long term economic growth and competitiveness in India.

Mr. Matt Weis is a research intern with the Wadhwani Chair in U.S.-India Policy Studies at CSIS.