The Economics of Cyberattacks – India at Risk

Sachin Tiwari
March 12, 2019


In recent times, India has emerged as one of the major target countries of cyberattacks with detrimental effects for the Indian economy. Cyberattacks on global businesses recently have led to financial losses expanding at a much faster rate, reaching $ 600 billion globally. There has been a significant growth of ransomware industry in cyberspace with Wannacry ransomware attack in 2017 targeting the industrial systems and spreading to an estimated 150 countries. India was the third worst hit, affecting key companies in the country. The Indian economy has largely been transforming towards the digital space with initiatives such as Digital India and other low-cost technology options driving the change. However, India was one among top three target countries with 6.95 Lakh cyberattacks in a period of six months in 2018. The growth of the large digital infrastructure and weak security architecture have contributed to it.

India’s cyber policy which regulates the cyberspace largely rests on the Information Technology Act enacted in 2000 and amended in 2008. The nature and extent of the attacks have changed subsequently with legislation being pushed to keep pace with the technological changes. The 2013 National cybersecurity policy created the framework for the protection of government and business, placing emphasis on critical infrastructure, offsetting the susceptibility of companies and providing a safe cyber environment. However, major gaps exist in India’s cyber posture amidst offensive cyber policy development by several countries. Clearer guidelines for implementation are yet to be realized. The capacity and enforcement of the policies by the majority of Indian states shows a significant gap leading to the lack of secure local environment, thus limiting the policy approach.

The cyberspace environment allows for the participation of various actors ranging from individuals, non-state actor and states which makes the situation complicated both in number and intensity. Microsoft report on the financial cost of cyberattacks in Asia-Pacific reveals that the average cost of the cyberattacks to the Indian companies is $10.3 million on an average. Apart from the direct cost, indirect cost to companies include reputation loss, declining customer base, and job loss. With India being the major offshoring destination for IT services, the weak cybersecurity environment affects the option for foreign investment. Also, the current security architecture in India lacks a central coordination mechanism.

The Cosmos Bank cyberattack of 2018 represents a major episode resulting in economic loss of $13.5 million. The attack had an international reach with suspicious transaction activities appearing in 28 countries. The current retaliatory mechanism which includes Mutual Legal Assistance Treaty (MLAT) is too complex and time consuming due to the issue of territoriality and sovereignty. Increasing involvement of state-sponsored attackers makes the situation more complex. In the Cosmos Bank case, the attribution was made to the North Korean hacking group Lazarus; also held responsible for the Bangladesh Central Bank cyberattacks in 2016.

The RBI Annual report 2017-18 has noted that among the financial frauds, the losses due to the cyberattacks is a fourth major reason for revenue loss. A large number of financial frauds reveals the extent of malicious cyber activity. Institutional changes such as the introduction of Cert-Fin (computer emergency mechanism) for the financial sector were introduced in 2017. Yet the transformation is largely reactive to major incidents as it lacks priority and a larger roadmap for effective cybersecurity.

The measures being implemented such as data localization have emerged as viable options for the protection of the data and reaping the economic benefits from data harvesting. Mandatory localization in a way enhances the access to the data for the enforcement agencies and data harvesting for companies. However, the current move is overlooking critical factors such as the problem of encryption, cost-benefit analysis of localization, tax structure, and privacy protection. There has been an intense debate over internet regulation in India. Due to the presence of major data centers in the US, the CLOUD ACT which was passed by the US Congress in 2018 can help Indian authorities to get access to the critical data at times of emergency. The regulatory environment in which foreign IT companies can share data with Indian authorities is evolving one. Given, the global nature of the information technology, rudimentary policies without taking stakeholder into account would be detrimental to the growth of India as an attractive offshore destination.

The prospective outlook is moving India towards digitization where bridging the digital gap is essential. There is a need to position cybersecurity as a separate field with collaboration among the private sector, the states, and local enforcement agencies to fix the gaps. Linking cybersecurity with academia is vital with the introduction of a new curriculum and growth of qualified workforce which is in deficit. Basic safe cyber practices through awareness campaign especially using social media is essential with increasing user base in rural areas. The attitude of fulfilling the compliance structure has to move towards an emphasis on greater resource allotment and clearer policies both on a domestic and international level.

*** The author is currently a PhD scholar at the Centre for Canadian, US & Latin American Studies, School of International Studies, Jawaharlal Nehru University ***