The Missing Link: Why India’s Cybersecurity Framework Needs Inter-Departmental Collaboration
By Prof Triveni Singh, Ex-IPS
The Indian government’s recent notification dated September 27 on the roles of its various ministries and departments related to telecom, cyber security, and cyber crime represents a step toward clarity. But there is a glaring oversight: the lack of a coordinated, inter-departmental approach to tackle the increasingly interconnected world of cyber threats. This oversight could prove costly in moments of national cyber crises, where clear command structures and quick decision-making are vital.
Cybersecurity and Cybercrime: Two Sides of the Same Coin
Cybersecurity and cybercrime are two interconnected aspects of the digital landscape, often seen as two sides of the same coin. Cybersecurity focuses on protecting systems, networks, and data from unauthorized access, while cybercrime involves exploiting vulnerabilities in these areas for malicious purposes. As technology advances, the tactics of cybercriminals become more sophisticated, prompting a continuous evolution of cybersecurity measures. Both exist in a dynamic relationship, where advancements in one directly influence the challenges of the other. Ultimately, the effectiveness of cybersecurity defines the success of defending against cybercrime. In fact, under Indian law, even the mere attempt to breach cybersecurity constitutes a criminal offense and is classified as cybercrime.
The Need for a Centralized Cyber Command
The notification, issued under the Allocation of Business Rules, 1961, has designated the Ministry of Communication to oversee telecom security, the Ministry of Electronics and Information Technology (MeitY) to handle cyber security, and the Ministry of Home Affairs (MHA) to manage cyber crime. Each department now has a clearly defined role, but what happens when these roles overlap during a national emergency?
For instance, the recent ransomware attack on the All India Institute of Medical Sciences (AIIMS) highlighted the severe lack of coordination between investigating agencies and ministries. The attack was a test case of how unprepared the system was in handling a nationwide cyber crisis, with multiple agencies attempting to mitigate the damage without a unified command center. The Ministry of Communication, MeitY, MHA, Delhi Police and other bodies, including the National Security Council Secretariat (NSCS), were all involved, yet there was no singular authority leading the charge.
The government’s notification fails to address how these agencies would collaborate in such situations. It merely assigns specific responsibilities but lacks a mechanism for coordination. Without a central agency acting as the nodal authority, India risks a bureaucratic bottleneck when swift action is needed most.
The government’s latest cabinet notification attempts to streamline responsibilities for telecom security, cybercrime, and cyber security. However, a critical flaw remains: the lack of clear coordination between state authorities and central agencies, particularly in investigating cybercrimes. In a country where crime is largely a state subject, how will state police forces and the Ministry of Home Affairs (MHA) collaborate without a well-defined structure? This oversight could lead to further complications in responding to cyber threats, leaving significant vulnerabilities in India’s cyber security framework.
Crime is a State Subject: A Jurisdictional Challenge
India’s Constitution categorizes crime as a state subject, meaning that state governments and their police forces hold the primary responsibility for investigating crimes within their jurisdiction. This creates a jurisdictional challenge when it comes to cybercrimes, where the lines of authority blur between state and central agencies. While the Ministry of Home Affairs (MHA) is responsible for cybercrime at the national level, it cannot directly issue orders or instructions to state police forces in investigative matters.
This division of authority raises the fundamental question: How will coordination happen in the event of a cyber attack that requires joint action from both central agencies and state law enforcement? The notification does not address this crucial gap. In a complex and interconnected cyber environment, where breaches often have national and international implications, the absence of a framework for collaboration between the MHA and state agencies could lead to delayed responses, miscommunication, and ineffective investigations.
Cyber Attacks: Who Monitors, Who Investigates?
The notification assigns the monitoring of cyber threats and cybersecurity to CERT-In (Indian Computer Emergency Response Team) under MeitY, telecom infrastructure security to the Department of Telecommunications (DoT), and cybercrime to the MHA. While these agencies are tasked with detecting and responding to cyber attacks, the notification remains silent on how they are supposed to work with state police forces during investigations.
This is a critical oversight, as any attempted cyber attack or breach is classified as a crime under Indian law, falling under the purview of the state police for investigation. However, it has often been observed that CERT-In and the Telecom Ministry fail to inform state authorities when they detect a breach. This lack of communication not only impedes investigations but also leaves state police forces in the dark, potentially allowing attackers to exploit these gaps in coordination.
The Silence on NCIIPC: A Critical Oversight
Perhaps the most significant omission in the new cabinet notification is the absence of any mention of the National Critical Information Infrastructure Protection Centre (NCIIPC). NCIIPC is a government body responsible for safeguarding India’s Critical Information Infrastructure (CII)—the backbone of the nation’s essential services, from power grids to financial systems. Given the growing cyber threats to critical infrastructure globally, one would expect that any comprehensive framework for cyber security governance would prominently feature NCIIPC’s role. Yet, the notification is entirely silent on this critical institution.
This raises serious concerns about the coordination between NCIIPC and the other ministries mentioned in the circular. In a cyberattack that threatens critical infrastructure, NCIIPC is the designated agency to respond, but how will it work with CERT-In, MeitY, the DoT, or the MHA when the jurisdictional lines are so blurred? Without a clear framework, India’s cyber security response risks becoming fragmented and inefficient, particularly during a major attack on critical infrastructure.
Conflicting Jurisdictions and Decision-Making Delays
In the event of a major cyber attack or a breach of national importance, having multiple agencies working independently could create jurisdictional conflicts and delays in crucial decision-making. Who takes the lead? Who has the final say in how resources are allocated? These are questions the notification does not answer.
A glaring example of this was the AIIMS ransomware attack, where multiple investigating agencies—both state and central—were involved in the probe. The lack of an overarching command not only delayed the response but also created confusion among the agencies. The attack crippled the hospital’s systems for days, proving that cybersecurity is no longer just a departmental issue but a national one, cutting across ministries and sectors.
When a cyber attack affects both telecom infrastructure and sensitive data, it is not clear how the Ministry of Communication and MeitY would collaborate, or who would take the lead. Similarly, when the attack is also a criminal offense, the MHA’s role would be significant. Yet, the notification doesn’t outline how these ministries will work together in real-time when every second counts.
The new notification seems to double down on the idea of segmented responsibilities. This fragmentation of roles might work well in theory, but in practice the complex nature of cyber threats demands a more fluid and collaborative approach.
The Way Forward: A Unified Cybercrime Investigation Authority
Cybercrime is complex and often requires international cooperation to obtain digital evidence, as most major hosting service providers and significant social media intermediaries are based overseas. Access to logs, financial data, and ISP information is crucial for investigations.
Additionally, KYC checks often require ground verification across different states, making interstate coordination challenging but essential for effective cybercrime investigations.
As a result, there is a need for a central cybercrime investigation authority to streamline these processes.
India’s cyber threat landscape is also growing more sophisticated, with state-sponsored actors, organized crime syndicates, and individual hackers all playing a role. We need to evolve our approach accordingly. While specifying roles and responsibilities for each ministry is a necessary first step, what we truly need is a unified command structure—a single authority that can bring together the expertise of all stakeholders.
Such an authority would act as the nodal agency in times of crisis, making crucial decisions and ensuring that all relevant departments and ministries are aligned. The National Security Council Secretariat (NSCS) could potentially take on this role, given its oversight of both internal and external security. However, even the NSCS would need to be empowered to issue commands and make decisions during national cyber crises.
A collaborative model is essential for a comprehensive cybersecurity strategy. Without it, the system will continue to struggle with conflicting jurisdictions and delayed responses. As we move forward, the government must recognize that cybersecurity is not a siloed issue—it’s an issue that affects every facet of national security, and it requires a coordinated, centralized response.
India has made strides in improving its cybersecurity infrastructure, but the recent notification underscores a fundamental weakness: the lack of inter-departmental coordination. The next major cyber crisis could be just around the corner, and we cannot afford to have our ministries working in silos when that happens. It’s time to move beyond assigning roles and toward creating a structure that enables seamless collaboration across the board. The stakes are too high to do otherwise.