This article on the comparison between the cyber security laws in India & China is written by Ulrich Ouffoue, pursuing M.A. in business law from NUJS, Kolkata.
The last decade has seen the number of cyber-attacks increase around the globe, fueled by the giant economies and the geopolitics of the new millennium. The Cold War has been succeeded by a cyber security war, and this has reached powerful nations like China. China's rapid growth follows patterns similar to those of India, the other giant market in the tech world. It is interesting to understand how those two giants are impacting the technology world and redistributing the cards on the political and economic chess board.
INDIA CYBER SECURITY LAW
Brief overview of existing Indian cyber law
Cyber security is defined as protecting information, equipment, devices, computers, computer resources, communication devices and the information stored therein from unauthorized access, use, disclosure, disruption, modification or destruction.
Since 2000 India has had in place an Information Technology Act whose primary objectives were to give legal recognition to electronic documents, to enable the electronic filing of documents with government agencies, and finally to amend certain acts such as the Indian Penal Code and the Indian Evidence Act.
This Act, far from being the first initiative of its kind, was preceded by the Indian Telegraph Act, 1885, which authorizes the government to intercept messages in a public emergency or in the interest of public safety. Section 69 of the Information Technology Act, 2000, expands the grounds for interception to cases where it is carried out in the interest of:
- the sovereignty or integrity of India
- Defense of India
- Security of the State
- Friendly relations with foreign states
- Public order
- Preventing incitement to the commission of any cognizable offense relating to the above
- Investigation of any offense.
Additionally, a person or intermediary who fails to assist the agency in charge of the interception may be punished with imprisonment for 7 years or more and is also liable to a fine.
Apart from the above statutes, criminal statutes also provide for interception and the manner of proceeding with it. For example, the Unlawful Prevention Act, 1967 allows information collected to be used as evidence for an offense under the Act, but for the material to be admissible the accused must be given a copy of the order approving the interception. Illegally intercepted communications are likewise not accepted before the court.
A number of state legislations also play an important role in the legal framework controlling cyber security, such as the Maharashtra Control of Organised Crime Act, 1999 and the Andhra Pradesh Control of Organised Crime Act, 2001, to name a few.
Other Indian laws that are core statutes in this legal framework are the Indian Post Office Act, 1898, the Code of Criminal Procedure, 1973, the Indian Wireless Telegraphy Act, 1933, and the Central Motor Vehicle Act 1898 and 2012 Rules.
Among the laws quoted above, the latest, the Central Motor Vehicle Act 1898 and 2012 Rules, has taken an innovative step in regulatory stringency by proposing radio frequency identification (RFID), which enables all heavy motor vehicles to be identified and monitored by electronic toll collection booths, the police, and any other authority or person authorized to query and read RFID tags.
The internet market in India is not behind this legal framework either: the surveillance provisions in the above statutes apply because all ISPs (Internet Service Providers) and TSPs (Telecom Service Providers) operating in India need to obtain a license agreement issued by the Government of India through its Ministry of Communications and Information Technology, Department of Telecommunications, Licensing.
This license agreement is governed by the Indian Telegraph Act, 1885, the Indian Wireless Telegraphy Act, 1933, and the Telecom Regulatory Authority of India Act, 1997, with subsequent amendments.
Clause 2.2 of the Indian ISP license agreement states that "the licensee shall ensure that bulk encryption is not deployed by ISPs. Further, individuals/organizations/groups are permitted to use encryption up to 40-bit key length in the symmetric key algorithms or its equivalent in other algorithms without obtaining permission from the licensor. However, if encryption equipment higher than this limit is to be deployed, individuals/organizations/groups shall obtain prior written permission of the licensor and deposit the encryption key, split into two parts, with the licensor".
Like the ISPs, TSPs (Telecom Service Providers) in India also have to obtain licenses, with the particularity that they must comply with two license agreements in order to operate. The first license is for the Cellular Mobile Telephone Service (CMTS) and applies to cellular mobile communication; the second is for the Provision of Basic Telephone Service (BTS) and is typically used by landline service providers.
It is important to emphasize that India's BTS license agreement covers the interception of communications made with basic telephone services. Clause 1.10.1 of the BTS license agreement even prohibits the use of bulk encryption.
Otherwise, all telecom service providers are responsible for ensuring the privacy of communications over their networks and that unauthorized interception does not take place (cf. clause 1.10.7). Under clause 23.14 they are also liable to make arrangements for the monitoring of communications by government agencies and to provide adequate software and hardware at their own expense. They are also required to provide all call data records upon request of Indian security agencies.
Legal landscape of cyber security
The 2009 Rules under section 69B of the IT Act, on the Procedure and Safeguards for Monitoring and Collecting Traffic Data or Information, give the following guidelines for the monitoring and collection of traffic data by the competent authority for matters related to cyber security:
- Forecasting of imminent cyber incidents;
- Monitoring network application with traffic data or information on computer resource;
- Identification and determination of viruses or computer contaminants;
- Tracking cyber security breaches or cyber security incidents;
- Tracking computer resources breaching cyber security or spreading viruses or computer contaminants;
- Identifying or tracking any person who has breached, or is suspected of having breached or likely to breach cyber security;
- Undertaking forensic of the concerned computer resource as a part of investigation or internal audit of information security practices in the computer resources;
- Accessing stored information for enforcement of any provisions of the laws relating to cyber-security for the time being in force;
- Any other matters relating to cyber security.
Several other offences, created to fight cyber crime and terrorism, are also covered by provisions of the IT Act, among them:
- Hacking (Section 43 of the IT Act)
- Cyber terrorism, which concerns the sovereignty, security and integrity of India, including any unauthorized attempt to introduce malware into a computer
- Voyeurism (see section 66E of the IT Act), which mostly deals with privacy; section 345C of the Indian Penal Code, 1860 also provides the same protection
- Breach of confidentiality and privacy, which can lead to imprisonment for up to three years and a fine which can extend to five lakh rupees
- Others are identity theft, cheating by impersonation and offences relating to interception
CHINA CYBERSECURITY LAW
China, like India, imposes requirements on the IT sector
China's Cybersecurity Law has an important legal landscape which can be compared to India's IT Act. For example, internet service providers are obliged to assist public bodies involved in security in protecting national security and investigating crimes. Furthermore, article 51 gives the state full access to unlimited systems for cyber security monitoring, early warning, and notification, and this is an obligation on all ISPs (Internet Service Providers).
State agencies in greater China are also deploying many regulations, as permitted by article 53 of the Cybersecurity Law, for the purpose of establishing sound cybersecurity risk evaluations and emergency response efforts.
At the same time, article 29 provides that "relevant industry organizations will establish sound cyber security standards and mechanisms for collaboration".
Article 24, for example, mandates that companies verify an individual’s real identity before providing internet services. The China Cyberspace Administration has enforced similar requirements on blogs, instant-messaging services, discussion forums, and other internet outlets for over a year.
Article 12 prohibits persons or organizations from "subverting national sovereignty" or "overthrowing the socialist system," which is substantially similar to Article 15 of the 2015 National Security Law. Article 58 gives the State Council and other government entities the ability to temporarily restrict internet access as required by "national security" or to preserve "social order."
Non-Compliance Sanctions in China
Chapter VI provides a detailed array of financial, civil, and criminal punishments for non-compliance with the Cyber security Law. Fines are the most common punishment and can range from roughly 7,400 to 148,000 USD for companies and 740 to 15,000 USD for personally responsible individuals. Regulatory agencies can revoke business licenses and shut down websites for more serious violations (e.g., critical information infrastructure where information is illegally stored abroad). In the extreme, the Public Security Bureau may also detain offending individuals for up to fifteen days (e.g., for publishing information related to perpetrating fraud, selling prohibited items, or other illegal activities).
Individual protections in China
The law does, however, provide substantial individual protections. Articles 41 through 43 restrict the amount of personally identifiable information that can be collected, limit how it can be transferred, and give an individual the right to request that information be deleted if mishandled.
China New Cyber Security Law landscape
China has drafted a new law as a kind of directive for foreign companies operating in its territory. Its objectives are, among others:
- Clarify the cyberspace sovereignty principle;
- Clarify the security obligation of network product and service providers;
- Clarify the security obligation of network product and service operators;
- Further improve personal information protection rule;
- Establish the critical information infrastructure security protection system;
- Establish the cross-border data transmission rules of important data on Critical Information Infrastructure.
Article 15, on network products, stipulates that the State establishes and revises network security standards. The State Council's administrative department for standardization and other relevant State Council departments organize the formulation and revision of pertinent national and industry standards for network security management as well as for the security of network products, services and operations. Companies should pay close attention to the network product standards issued by each department.
Article 37, on personal and important business data stored in mainland China, stipulates that personal information and other important business data gathered and produced by Critical Information Infrastructure operators during operations within the mainland territory of the People's Republic of China shall be stored within mainland China. When business requirements make it necessary to transmit data outside the mainland, the measures jointly formulated by the State Network Information departments of the State Council, requiring a security assessment, shall be followed unless laws and/or administrative regulations provide otherwise, in which case they shall take precedence. This provision establishes the following three specific principles:
- Principle of the cross-border restriction of personal information
This principle covers personal information and other important business data gathered by Critical Information Infrastructure operators during operations within the mainland territory of the People's Republic of China. In other words, personal information and important business data fall not only under the scope of civil property or commercial assets but are also subject to the rules of sovereignty regulation.
- Server Domestication Principle
Article 37 places strong emphasis on the storage of information and data within the territory, requiring any server containing personal information and data considered to be critical must be located within the territory of the People’s Republic of China. Although the information may be transmitted globally, the relevant operators will legally be responsible for the storage of the information and data on storage devices physically located in China.
- Principles for the review of cross-border flow of critical information and data
When business requirements make it necessary to transmit data outside the mainland, the measures jointly formulated by the State Network Information departments and the relevant departments of the State Council, requiring a security assessment, shall be followed unless laws and/or administrative regulations provide otherwise, in which case they shall take precedence.
Article 35: countermeasures for transnational enterprises
- Pay close attention to the list of the Critical Information Infrastructure operators
Article 35 of the Cybersecurity Law restricts "Critical Information Infrastructure". Under article 31, the State implements, on a tiered protection system, the key protection of public communication and information services, power, traffic, water, finance, public services, electronic governance, and other Critical Information Infrastructure that, if destroyed, disabled, or subject to data leakage, might seriously endanger national security, national welfare, the people's livelihood, or the public interest.
The State Council will formulate the specific scope and security protection measures for Critical Information Infrastructure. Accordingly, network operators should pay attention to the list of Critical Information Infrastructure operators to determine whether the restrictions of Article 35 apply to them.
- Adhere to the requirement of physical storage in mainland China
Storage devices containing personal information or important data, and their backup storage devices, must strictly adhere to the requirement that the physical storage location is in mainland China. In addition, the data must be physically isolated from any associated foreign servers and/or storage devices.
- Establish a rigid internal data security management system
For information or data brought within the scope of Chinese cyberspace sovereignty, strict data security management and data transmission control systems must be implemented. Internal personnel are strictly forbidden to transmit such data until the relevant department's security assessment is completed.
Below is a partial translation of the Cyber Security Law:
- What is Critical Information Infrastructure?
Critical Information Infrastructure refers to information systems or industrial control systems which provide network information services or support the operation of important industries such as energy, communication, finance, traffic, and public utilities: systems that, if destroyed, might seriously endanger the normal operation of vital industries and/or result in severe disruption to national politics, the economy, science and technology, national defense, social or cultural traditions, the environment and/or people's livelihood.
Critical Information Infrastructure includes: website categories (e.g. websites of party and government institutions, enterprises, institutions, and news sites), platform categories (e.g. instant messaging, online shopping, online payments, search engines, email, forums, GPS maps, audio and video, etc.), network service platforms, and production business categories (e.g. office and business systems, industrial control systems, large data centers, cloud computing platforms and television relay systems, etc.).
- How to identify Critical Information Infrastructure?
The identification of Critical Information Infrastructures usually involves three steps:
- Identification of critical services
- Identification of Information systems or industrial control systems supporting mission-critical services
- Identification based on the degree of dependency of critical services on the information or industrial control system and the resultant loss(es) caused by a network security incident.
CASE STUDIES OF CYBER ATTACKS
A group of hackers called 'D4RK 4NG31' infiltrated the National Green Tribunal's website in October 2016 and posted profanities on it in an act of "revenge" against the Indian army's surgical strikes carried out weeks earlier.
"We are unbeatable. You… kill innocent people in Kashmir and call yourself defenders of your country. You…violate the ceasefire on border and call it 'surgical strikes'. Now kiss the burn of cyberwar", the hackers posted.
The Government Law College's official website was hacked in the same month of October 2016 by a group calling itself 'PakCyberPyrates'. Students who visited the website were directed to its homepage, which had the following message, 'National Securities Depository Limited.
In the same month of October, several accounts of about 50 IT companies were attacked by Pakistan-based hackers.
Compared to China, India has much progress to make in implementing a sound and effective cyber security policy, starting with robust protection mechanisms like China's data security management system, and in developing mechanisms to safeguard the Indian State against such cyber-attacks.
Nevertheless, actions to secure cyberspace are on the programme of action of the Indian Ministry of Information Technology. These include:
Preventing cyber-attacks against the country's critical infrastructure, reducing national vulnerability to cyber-attacks, and minimizing damage and recovery time from cyber-attacks. Big projects are on the programme on topics like the examples below:
Security Policy, Compliance and Assurance
Security Incident-Early warning and response (http://meity.gov.in/content/cyber-laws)
- Rapid identification, information exchange, and remediation can often mitigate the damage caused by malicious cyberspace activity. For those activities to take place effectively at a national level, it requires a partnership between government and industry to perform analyses, issue warnings, and coordinate response efforts. Because no cyber security plan can be impervious to concerted and intelligent attacks, information systems must be able to operate while under attack and also have the resilience to restore full operations in their wake. The National Cyber Alert System will involve critical infrastructure organizations, public and private institutions to perform analysis, conduct watch and warning activities, enable information exchange, and facilitate restoration efforts.
(c) Creation and Augmentation of Response Capabilities
Augmentation of CERT-In: CERT-In has been operational since January 2004 and caters to the security needs of the Indian cyber community, especially Critical Information Infrastructure. In line with the expectations of the user community and various stakeholders, there is a need to augment the facilities at CERT-In in terms of manpower, communication systems, tools, etc. for vulnerability prediction, analysis and mitigation, cyber forensics/artifact analysis, cyber space monitoring and interception capabilities, and Critical Information Infrastructure security health checks. The National Information Board and National Security Council have endorsed the need for augmentation of facilities at CERT-In.
Creation/augmentation of sectoral CERTs: For an effective National Cyber Security Alert System, there is a need to create sectoral CERTs to cater to the very specific domain needs of different sectors. In this direction, sectoral CERTs have been established by the Army, Air Force and Navy in the defense sector and by IDRBT in the finance sector. But the facilities of these sectoral CERTs are at primitive levels and need to be augmented to meet the needs of their respective sectors. Similarly, sectoral CERTs with state-of-the-art facilities need to be created in other critical sectors such as aviation, energy, telecommunication, railways, etc.
(d) International cooperation and information sharing
Cyber threat sources and attacks span across countries. As such, there is a need for enhanced global cooperation among security agencies, CERTs and law enforcement agencies of various countries to effectively mitigate cyber threats. Accordingly, it is vital to have a well-developed Cyber Security and Information Assurance research and development programme, executed through different government agencies in broad collaboration with the private sector, partners and stakeholders in academia, and national and international agencies.
In this context the priorities for collaboration are:
- Cyber Security and Information Assurance technology to prevent, protect against, detect, respond to, and recover from cyber-attacks on critical information infrastructure that may have large-scale consequences
- Collaboration for training personnel in implementing and monitoring secure government intranets and cyber space
- Joint R&D projects in the area of Steganography, water marking of documents, security of next generation networks and Cyber Forensics
- Coordination in early warning, threat & vulnerability analysis and incident tracking
- Cyber security drills/exercises to test the vulnerability & preparedness of critical sectors
Final Words
The comparative study of Chinese and Indian cyber security has revealed several gaps in policy making and highlighted the protectionist and imperialist motivations driving the regulatory systems in those economies.
In China, the new Cyber security law is too tight and brings restrictions to foreign companies doing business in China and has the potential to discriminate against foreign technologies in favor of domestic industry.
In 2013, Government of India introduced a National Cyber Security Policy with the aim of protecting information infrastructure, reducing vulnerability, increasing capability and safeguarding it from cyber-attacks. However, the policy was not a success as it was just a compilation of statements and objectives without specifying any roadmap for implementation.
1. The definition must refer to the provision of constitutional approval granted to cyber law in our country, or to which provisions of the existing law have provided for the insertion of the cyber laws, so that the rules remain within the framework of Indian laws.
2. Agencies should be identified, approved, authorised and delegated with powers, and their postal addresses, names, designations and jurisdictions must be identified and made known to the public by local District Authorities for local people.