How TCP/IP Became the Backbone of the Internet
Introduction
Have you ever wondered how the internet works? Yes, there are screens and wires, but what’s going on beneath the surface? Every time you open a website, send an email, chat on messaging apps, or stream movies, you’re relying on something you probably don’t think about: the TCP/IP protocol suite. Without it, the internet as we know it wouldn’t exist. Let’s take a look at why this unassuming set of rules allows us to connect to anyone anywhere in the world.
The Problem: Networks That Couldn't Talk to Each Other
The internet is widely called a network of networks. A network is a group of devices that are connected and can share data with each other.
Researchers and governments began building early computer networks in the 1960s and 70s. But as the Cold War intensified, the U.S. military felt the need to establish a robust data-sharing infrastructure through interconnected networks that could withstand attacks. At the time, each network had different standards and protocols, which meant getting networks to communicate wasn’t easy or efficient. One network would have to be subsumed into another. This would lead to major problems in the reliability of data relay, flexibility of including more nodes, scalability of the interconnected network, and innovation.
The Breakthrough: Open Architecture Networking
This changed in the 1970s, when Bob Kahn proposed the concept of open architecture networking. It was a simple but revolutionary idea. He envisioned a system where all networks could talk to each other as equals. In this conceptualisation, all networks, even though unique in design and interface, could connect as peers to facilitate end-to-end communication. End-to-end communication helps deliver data between the source and destination without relying on intermediate nodes to control or modify it. This helps to make data relay more reliable and less prone to errors.
Along with Vint Cerf, he developed a network protocol, the TCP/IP suite, that would go on to enable different networks across satellite, wired, and non-wired domains to communicate with one another.
What Is TCP/IP?
TCP/IP stands for Transmission Control Protocol / Internet Protocol. It’s a set of communication rules that allow computers and devices to exchange information across different networks.
It’s powerful because:
- Layered and open architecture: Each function (like data delivery or routing) is handled by a specific layer. This modular design makes it easy to build new technologies like the World Wide Web or streaming services on top of it.
- Decentralisation: There's no single point of control. Any device can connect to another across the internet, making it scalable and resilient.
- Standardisation: TCP/IP works across all kinds of hardware and operating systems, making it truly universal.
The Core Components
- TCP (Transmission Control Protocol): Ensures that data is delivered accurately and in order. If any piece is lost or duplicated, TCP handles it.
- IP (Internet Protocol): Handles addressing and routing. It decides where each packet of data should go and how it gets there.
- UDP (User Datagram Protocol): A lightweight version of TCP, used when speed is more important than accuracy, such as for video calls or online gaming.
Why It Matters
The TCP/IP protocol suite introduced a set of standardised guidelines that enable networks to communicate, thereby laying the foundation of the Internet. It has made the Internet global, open, reliable, interoperable, scalable, and resilient, — features because of which the Internet has come to become the backbone of modern communication systems. So the next time you open a browser or send a message, remember: it’s TCP/IP quietly making it all possible.
References
- https://www.techtarget.com/searchnetworking/definition/ARPANET
- https://www.internetsociety.org/internet/history-internet/brief-history-internet/
- https://www.geeksforgeeks.org/tcp-ip-model/
- https://www.oreilly.com/library/view/tcpip-network-administration/0596002971/ch01.html
Related Blogs

Governments in nations across the globe are consequently vying to draw in data centre investments as components of the wider AI sovereignty policies. However, recent events in Ireland make it clear that such an infrastructure is associated with significant environmental and social price tags. In geographically dense and resource-strained countries such as India, these trade-offs pose some pressing questions of whether today's AI ambitions are socially or environmentally sustainable. The data centre crisis in Ireland provides a handy reminder. It puts emphasis on the capacity of land use, water stress, energy demand, and disruption of communities to amplify quickly as digital infrastructure continues to increase at a faster rate than the regulatory and ecological capacity. These lessons should be paid close attention to as India continues to develop the IndiaAI Mission and establish itself as an AI hub in the future.
Why Data Centres Are Ecological Stress Multipliers
The data centres are sometimes referred to as clean digital infrastructure; however, in an actual sense, they are heavy industrial guardians of resources. Centres of large proportions demand an extensive amount of land, constant electricity, and a significant amount of water to cool down.
The most apparent effect is on energy consumption. Data centres are 24/7, round the clock, and need to be powered with a high-quality and stable electricity supply. By 2022, data centres had more than a quarter of the overall national electricity demand in Ireland, which created problems regarding grid stability and energy security (EirGrid, 2022). This compelled regulators to limit new connections in some of the areas. These trends also bring some similarities to certain regions of the United States, especially in Virginia, where particular data centres have led to peaks in the electricity demand in the region (U.S. Energy Information Administration, 2023).
Another primary source of pressure is the use of water. Heavy liquid coolers are very intensive systems in data centres, which tend to use the local freshwater sources. This may directly compete with residential and agricultural requirements in case of heatwaves or drought. In the western US, environmental advocates have issued notices that data centres contribute to a water deficit in other overextended basins (New York Times, 2023).
It also depends on local pollution and land use. Data centres are normally constructed on large plots close to urban or peri-urban centres, having good accessibility. This may push aside farmlands, increase property rates, and change local ecologies. The backup diesel generators, which are employed during power cuts, add to air and noise pollutants, and they thus impact the adjacent communities.
Ireland’s Experience and the Social Backlash
The low corporate taxes, cool climate, and PIC access to the EU market made Ireland a big data centre hub. The concentration of facilities around Dublin was, however, done unintentionally, leading to its rapid concentration. The population in their local communities also experienced mounting housing pressure, power competition, and underemployment because the number of long-term jobs created by a data centre is comparatively low.
The Irish government later realised that data centre expansion was causing strain on climate commitments and electricity infrastructure on a national level. The grid operators started denying new connections to data centres in sections of the country, which amounted to a kind of moratorium on further growth (TechPolicy.Press, 2024). What was initially a digital success story became a government issue, an ecology versus economic plan clash.
This experience particularly applies to smaller or densely populated countries. Countries such as Ireland and India have concentrated influences on fewer points, unlike the United States or China, which are able to spread data centres over wide areas.
India’s Emerging Data Centre Geography
India is advertising data centres as a way of advancing its digital and AI platforms. There are a number of states that have published data centre policies, such as Maharashtra, Tamil Nadu, Telangana, and Uttar Pradesh. The connectivity, financial infrastructure, and location to large user bases are making Mumbai, Chennai, Hyderabad, and Noida major hubs (MeitY, 2023).
Nevertheless, these areas are already stressed in terms of the environment. Mumbai also suffers from land shortage and flooding. There is a permanent water scarcity in Chennai. Hyderabad and Noida cannot cope with the intensity of population growth and energy demand in urban areas. Locating such large-scale data centres in these locations will pose a risk of augmenting the existing vulnerabilities instead of decentralising the benefits of development.
India, in contrast to the United States or China, does not have continental-scale low-density areas with spare water and power near demand centres. Each additional data centre in India is thus likely to have an impact on an increasing number of people per unit of infrastructure, by land acquisition, water diversion, grid pressure, or environmental externalities.
Community Impacts and Uneven Costs
The cost incurred by local communities to increase their data centre expansion is not proportionate to the benefits enjoyed. The after construction efforts to generate employment is minimal and the long term effects include strains on infrastructure. Tariffs can be increased with the growth of electric power demand. The extraction of water may have impacts on local supply. The prices of real estate may crowd out the lower-income population.
These impacts may be enhanced in India, where urban inequality is already high. The informal settlements along the industrial areas are such that they are vulnerable to pollution as well as diversion of resources. Data centres will otherwise be yet another project that creates unequal development without proper consultation with the community and other environmental protection measures.
What This Means for India’s AI Sovereignty Plans
The IndiaAI Mission of India focuses on developing local AI potential, data networks, and processing units to minimise the use of external systems ( IndiaAI Mission Document, 2024). This vision is based on data centres. Nevertheless, the concept of simple AI autonomy is made difficult by ecological limits.
An AI infrastructure that compromises water security, energy availability, or climate objectives could come under opposition and regulation backlash, as in the case of Ireland. This would delay deployment and add up to more expenses. Physical expansion is not sufficient to have true AI sovereignty. It should also take into consideration sustainability, decentralisation, and efficiency.
This brings about strategic concerns. India must invest more vigorously in energy-efficient computing, edge AI and model optimisation as opposed to scale. Is renewable energy integration viable to maintain the information centre demand? Is data centre siting to comply with long term water and land use planning, and not the short-term incentives of investment?
Towards a Sustainable Digital Infrastructure Strategy
India can still afford to learn not to repeat the errors experienced elsewhere. This will necessitate data centres being regarded as digital assets, not important infrastructures that have an environmental and social impact. Both more robust environmental impact assessments and public water and energy accounting and community involvement must become unavoidable.
From an AI policy perspective, sustainability should be seen as a pillar of sovereignty. An AI ecosystem that depends on fragile ecological foundations is not resilient. By learning from Ireland and adapting global lessons to local realities, India can pursue AI leadership without creating new environmental crises.
The future of AI will not be decided only by algorithms and talent. It will also be shaped by land, water, energy, and the communities that live alongside digital infrastructure. Ignoring those realities would make AI ambition fragile rather than sovereign.
References
- TechPolicy.Press. What Ireland’s Data Center Crisis Means for the EU’s AI Sovereignty Plans. 2024. https://techpolicy.press
- EirGrid. Electricity Demand Forecast Statement. 2022. https://www.eirgridgroup.com
- U.S. Energy Information Administration. Data Centers and Energy Demand. 2023. https://www.eia.gov
- New York Times. Data Centers Are Straining Water Supplies in the American West. 2023. https://www.nytimes.com
- Ministry of Electronics and Information Technology. India Data Centre Policy and Digital Infrastructure Initiatives. 2023. https://www.meity.gov.in
- IndiaAI Mission. Official Mission Document and Framework. 2024. https://indiaai.gov.in

Introduction
In June 2026, the Government of India temporarily restricted access to Telegram amid concerns that the platform had been used to facilitate examination related malpractice, including the alleged circulation of leaked question papers during the NEET UG re examination. The move reignited a familiar debate about the responsibility of digital platforms for unlawful activities carried out through them.
Critics of such restrictions raise a fundamental question: if a traffic accident occurs on a road, do we shut down the road? If theft takes place inside a shopping mall, do we close the entire mall? By the same logic, is it reasonable to block a communication platform because some individuals misuse it? These questions lie at the heart of a broader conflict between state interests in maintaining public order and the protection of digital rights, privacy, and freedom of communication in an increasingly interconnected world.
The controversy surrounding Telegram therefore extends beyond a single examination or messaging application. It raises a deeper and more pressing question: who should bear responsibility for illegal acts committed through encrypted digital platforms, and where should the law draw the line between effective enforcement and the preservation of fundamental digital freedoms?
Beyond mere communication for millions of students in India, Telegram is a classroom in the digital sense, an archive for their notes, practice papers, lecture recordings, and community groups that hundreds of millions of candidates refer to every single day. Therefore, why on a routine day in June 2026 did the messaging app top every other channel? Temporary internet restriction on the platform had become necessary to stop examination-related malpractice like leakage of question papers and was temporarily suspended, with reports suggesting that this move by the government was on the occasion of the NEET-UG re-examination.
This ban once again brings up a bigger question that cannot be contained within one particular examination. When has it become okay to hold a communication platform responsible and accountable for illegal acts committed over it? Or are the perpetrators solely to blame, and the service can be prohibited? Ultimately, where is the line drawn between public interest, law enforcement, and digital rights and privacy?
End-to-End Encryption: Architecture and Benefits
At the heart of these discussions of Telegram and other apps lies a technology referred to as "end-to-end encryption" or "E2EE." Quite literally, it means a message is locked with cryptography on the sender's device and can only be unlocked by the intended recipient. Not even the tech platform running the communication app can decipher it for everyone else; it just looks like random gibberish.
The Process
This kind of modern communication relies on public key cryptography. Each person has a public key they can share with anyone and a private key that stays only on their devices. When they send you a message, it is scrambled with crypto that can be unlocked by only your private key. WhatsApp and Signal, for example, use the Signal Protocol, which features "perfect forward secrecy" and is designed to protect communications from ever being unlocked even if one key is compromised. Telegram's approach is a bit unique. By default, Telegram messages aren't encrypted with end-to-end crypto; this only comes via an optional feature called "Secret Chats," a key difference in the regulatory debate.
The Dark Side: Crime, Misuse, and the Moderation Dilemma
The very features that make end-to-end messaging popular among everyday people are privacy, speed, anonymity, and mass reach which also make end-to-end messaging popular among criminals. That, unfortunately, is the catch for policymakers globally: The technology designed to protect innocent users is also the technology that facilitates criminal activity.
3.1 Criminal Abuse
Telegram, in particular, has frequently come under fire for its role in hosting a spectrum of criminal activities, most notably in the recent controversy in India regarding NEET-UG 2026 examination papers where channels allegedly advertised leaked question papers for enormous sums, convincing desperate candidates. In these instances, messages could be altered or deleted using Telegram’s message editing feature, fabricating evidence of prior leaks. However, this extends to illicit marketplaces, drug trafficking, financial fraud, money laundering, and distributing other prohibited content. Telegram's usage in disseminating extremist propaganda and aiding criminal organizations is also frequently cited, leading to bans or restrictions in countries ranging from Brazil to Nepal to Somalia to Vietnam.
3.2 The Moderation Dilemma
But the difficulty is not just with misuse; it’s also about effective moderation. Moderation, however, requires content transparency. Strong encryption is built to obscure just that. Many end-to-end messaging services like Signal and WhatsApp emphasize that even if they wanted to, they would have been able to decipher the content of a user’s message due to their architecture. Telegram has been in scrutiny for years due to its limited cooperation with law enforcement agencies because its default chats are not completely end-to-end encrypted, though there has been an attempt by Pavel Durov, the platform’s founder, to increase cooperation following his 2024 arrest in France.
This gives policymakers the following challenge: How can governments require increased access to fight crime without forcing tech companies to weaken security for everyone? As cryptographers point out, a specific "backdoor" intended to allow access to law enforcement officials can be easily exploited by hackers, foreign governments, and any other actor with nefarious intent.
Comparison of Regulatory Approaches Worldwide
4.1 Authoritarian Countries' Responses
China, for instance, has had the app blocked as part of its strategy to control access to the internet since 2015, and Iran did so in 2018 when the app was used to help organize protests against the government. An infamous Russian bid to block Telegram in 2018 turned into a cautionary story. Trying to censor the service disrupted the IPs of millions of computers, including significant services like those run by Amazon and Google. The move was met by a surge of users turning to VPNs to get access. It’s an expensive, disruptive, and incomplete form of censorship.
4.2 Democratic Countries' Approaches
Democratic jurisdictions generally prefer targeted interventions. Telegram was suspended in Brazil in 2022 and 2023, though again, only in response to a judge’s order in relation to particular investigations, and was lifted when it came into compliance. The EU’s approach has been to build on an established approach of regulation by use of a broader legislative framework, including the Digital Services Act and the Digital Markets Act, aimed at platform liability rather than outlawing encryption outright.
Meanwhile, the proposed scanning of encrypted communications has run into strong judicial headwinds, with the European courts stressing the danger of backdoors to privacy.
4.3 The United Kingdom Approach
The UK offers a middle way. With its Investigatory Powers Act, the government can oblige tech companies to collaborate in legitimate investigations. But this came to a head earlier this year with the case of Apple and the government's attempts to force it to unlock encrypted iCloud backups. Apple not only refused to reduce its encryption but also decided instead to disable some of its features for British users. This has created a problem for democracies across the world: how to balance access for investigators against the need to maintain the security that makes our systems safer.
Judicial and Legislative Perspectives: India and Beyond
In the Indian context, to have a perspective about the legal frameworks concerning content moderation, let’s explore some of the foundational decisions from the Supreme Court. Three decisions have laid the building block for digital rights laws: the first being Shreya Singhal v. Union of India (2015), where Section 69A of the IT Act, 2000, was upheld, but only by laying rigorous conditions on the review process and chance of challenging the said decision. Another important decision in this sphere is Justice K.S. Puttaswamy v. Union of India (2017) which stated that the right to privacy is fundamental in nature under Article 21 of the Constitution and stipulated the constitutional requirements of legality, legitimacy, and proportionality against the state’s interventions in fundamental rights. The most recent important case law to consider, in this context, would be Anuradha Bhasin v. Union of India (2020) which set certain limitations, such as any internet shut-downs or orders have to be temporary, proportional, and have scope for appeal. Further, the Supreme Court demanded transparency around any and all orders of blocking.
These principles of proportionality and legal limitations are highly pertinent to the Telegram issue, especially since Section 69A confers powers to block information in case of concerns about public order, national security, etc., but activists often cite this power to target specific content rather than entire platforms like Telegram. The ban on Telegram in June 2026 and disabling of message editing will force authorities to justify not only their statutory authority but also the need for proportionate means.
These aspects are amplified by IT Rules, 2021, which mandate that some instant messaging platforms may require identification of the ‘first originator’ of messages, and the Digital Personal Data Protection Act, 2023, to protect digital personal data by ensuring it does not undermine national security exceptions to this end.
Moreover, the use of encryption to ensure secure and private communications is becoming an important point of legal discourse globally. Recently, the European Court of Human Rights in Podchasov v. Russia (2024) held that mandating decryption on devices as a tool of investigative power constituted a disproportionate interference with an individual's right to privacy implying that while states may indeed have authority to regulate communication and digital services, any such measures limiting the scope of encryption will have to meet strict requirements of legality, necessity, and proportionality to be legally justifiable.
Constitutional Validity of the Ban
The government's case for a constitutional ban on Telegram rests upon its ability to satisfy the proportionality framework established by Puttaswamy and Anuradha Bhasin.
- Legitimate aim: The state's strong suit. This is the government's best argument. Protection of the integrity of NEET-UG, a high-stakes test with close to 2.4 million students, can indeed be a legitimate state objective. Given that there is evidence of channels that allegedly were involved in selling leaked question papers, the action is presumably justifiable under section 69A for preventing the incitement or occurrence of public disorder or preventing cognizable offenses.
- Necessity: The National Testing Agency (NTA) itself admitted that localized removal of suspicious accounts on Telegram had already mitigated the risks, while Telegram insisted that it had independently taken down numerous channels. The fact that the block affected more than 150 million users in India, where the medium is widely used for personal communication and is also utilized on other platforms like WhatsApp, Discord, and Instagram to a similar or higher extent, raises the responsibility to justify a strict platform-wide ban. Moreover, there is a significant legal question regarding the state’s authority under section 69A to direct Telegram to disable its message-editing capability.
- Proportionality and process: The block, even though it was temporary and intended to ensure fairness in the examination system, severely undermined legitimate uses of the platform by students who used it to share educational materials and organize study groups. Moreover, the opaqueness around the section 69A order is itself hard to reconcile with the transparency requirements set out in Anuradha Bhasin.
Thus, while the objectives of preventing exam fraud may be legitimate, the necessity and proportionality of single platform-wide bans remain highly suspect under Indian constitutional law.
Policy Recommendations and the Path Forward
The Telegram controversy points to the need for a better balancing act in platform governance in India. Firstly, instead of blanket platform shutdowns, action should target specific channels, bots, or URLs, as may be the case. Secondly, any attempt to dictate changes to features, such as disabling message editing, should be based on specific statutory provisions, not an expansive reading of Section 69A. Furthermore, there is a dire need for increased transparency; blocking orders must state the justification for the order, what is being blocked, and for how long, as far as possible. In the long run, stricter cross-border cooperation via streamlined MLATs, or through the appointment of local legal representatives by foreign platforms, would facilitate easier enforcement. Ultimately, all major blocking decisions must be accompanied by proportionality assessments. Lastly, India must resist pressure to provide access to encryption backdoors; while this might ease investigative burdens, doing so would severely jeopardise the cybersecurity of India, its businesses, and citizens.
Conclusion
The Telegram ban is an example of the tricky equilibrium between protection of public interest and protection of digital liberties in our hyper-connected world. While the intent to counter exam fraud is justifiable, a blanket ban on any platform has much broader implications on questions of necessity, proportionality and transparency. India has a well-developed constitutional and legal framework to deal with this issue already, and the challenge will be to see if those powers are used appropriately.
References
Cases:
- Shreya Singhal v. Union of India (2015) 5 SCC 1 — Supreme Court of India
- Justice K.S. Puttaswamy v. Union of India (2017) 10 SCC 1 — Supreme Court of India (Nine-Judge Bench)
- Anuradha Bhasin v. Union of India (2020) 3 SCC 637 — Supreme Court of India
- Podchasov v. Russia, European Court of Human Rights (Application No. 33696/19, February 2024)
- Apple Inc. v. United States (In re Search of an Apple iPhone, C.D. Cal. 2016)
- Telegram Messenger Inc. v. Union of India & Anr., Delhi High Court (June 2026) — Sub judice
Legislation & Rules:
- Information Technology Act, 2000 (India) — Sections 69A, 79
- IT (Procedure and Safeguards for Blocking Access to Information by Public) Rules, 2009
- IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021
- Digital Personal Data Protection Act, 2023 (India) & DPDP Rules, 2025
- EU Digital Services Act, 2022 (Regulation 2022/2065)
- EU Digital Markets Act, 2022 (Regulation 2022/1925)
- EU Child Sexual Abuse Regulation (CSAR) Proposal — In Trilogue, June 2026
- UK Investigatory Powers Act, 2016
Policy Sources:
- Internet Freedom Foundation, Statement on Telegram Block, 16 June 2026
- European Commission, ProtectEU Security Strategy, June 2025
- MeitY Section 69A Blocking Order re: Telegram (June 2026)
- NTA Press Release on NEET-UG 2026 Re-Examination, 16 June 2026

Introduction
The Data Security Council of India’s India Cyber Threat Report 2025 calculates that a staggering 702 potential attacks happened per minute on average in the country in 2024. Recent alleged data breaches on organisations such as Star Health, WazirX, Indian Council of Medical Research (ICMR), BSNL, etc. highlight the vulnerabilities of government organisations, critical industries, businesses, and individuals in managing their digital assets. India is the second most targeted country for cyber attacks globally, which warrants the development and adoption of cybersecurity governance frameworks essential for the structured management of cyber environments. The following global models offer valuable insights and lessons that can help strengthen cybersecurity governance.
Overview of Global Cybersecurity Governance Models
Cybersecurity governance frameworks provide a structured strategy to mitigate and address cyber threats. Different regions have developed their own governance models for cybersecurity, but they all emphasize risk management, compliance, and cross-sector collaboration for the protection of digital assets. Four such major models are:
- NIST CSF 2.0 (U.S.A): The National Institute of Standards and Technology Cyber Security Framework provides a flexible, voluntary, risk-based approach rather than a one-size-fits-all solution to manage cybersecurity risks. It endorses six core functions, which are: Govern, Identify, Protect, Detect, Respond, and Recover. This is a widely adopted framework used by both public and private sector organizations even outside the U.S.A.
- ISO/IEC 27001: This is a globally recognized standard developed jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It provides a risk-based approach to help organizations of all sizes and types to identify, assess, and mitigate potential cybersecurity threats to Information Security Management Systems (ISMS) and preserve the confidentiality, integrity, and availability of information. Organizations can seek ISO 27001 certification to demonstrate compliance with laws and regulations.
- EU NIS2 Directive: The Network and Information Security Directive 2 (NIS2) is an updated EU cybersecurity law that imposes strict obligations on critical services providers in four overarching areas: risk management, corporate accountability, reporting obligations, and business continuity. It is the most comprehensive cybersecurity directive in the EU to date, and non-compliance may attract non-monetary remedies, administrative fines up to at least €10 million or 2% of the global annual revenue (whichever is higher), or even criminal sanctions for top managers.
- GDPR: The General Data Protection Regulation (GDPR)of the EU is a comprehensive data privacy law that also has major cybersecurity implications. It mandates that organizations must integrate cybersecurity into their data protection policies and report breaches within 72 hours, and it prescribes a fine of up to €20 million or 4% of global turnover for non-compliance.
India’s Cybersecurity Governance Landscape
In light of the growing nature of cyber threats, it is notable that the Indian government has taken comprehensive measures along with efforts by relevant agencies such as the Ministry of Electronics and Information Technology, Reserve Bank of India (RBI), National Payments Corporation (NPCI) and Indian Cyber Crime Coordination Centre (I4C), CERT-In. However, there is still a lack of an overarching cybersecurity governance framework or comprehensive law in this area. Multiple regulatory bodies in India oversee cybersecurity for various sectors. Key mechanisms are:
- CERT-In Guidelines: The Indian Computer Emergency Response Team, under the Ministry of Electronics and Information Technology (MeitY), is the nodal agency responsible for cybersecurity incident response, threat intelligence sharing, and capacity building. Organizations are mandated to maintain logs for 180 days and report cyber incidents to CERT-In within six hours of noticing them according to directions under the Information Technology Act, 2000 (IT Act).
- IT Act & DPDP Act: These Acts, along with their associated rules, lay down the legal framework for the protection of ICT systems in India. While some sections mandate that “reasonable” cybersecurity standards be followed, specifics are left to the discretion of the organisations. Enforcement frameworks are vague, which leaves sectoral regulators to fill the gaps.
- Sectoral regulations: The Reserve Bank of India (RBI), the Insurance Regulatory and Development Authority of India (IRDAI), the Department of Telecommunications, the Securities Exchange Board of India (SEBI), National Critical Information Infrastructure Protection Centre (NCIIPC) and other regulatory bodies require that cybersecurity standards be maintained by their regulated entities.
Lessons for India & Way Forward
As the world faces unprecedented security and privacy threats to its digital ecosystem, the need for more comprehensive cybersecurity policies, awareness, and capacity building has perhaps never been greater. While cybersecurity practices may vary with the size, nature, and complexity of an organization (hence “reasonableness” informing measures taken), there is a need for a centralized governance framework in India similar to NIST2 to unify sectoral requirements for simplified compliance and improve enforcement. India ranks 10th on the World Cybercrime Index and was found to be "specialising" in scams and mid-tech crimes- those which affect mid-range businesses and individuals the most. To protect them, India needs to strengthen its enforcement mechanisms across more than just the critical sectors. This can be explored by penalizing bigger organizations handling user data susceptible to breaches more stringently, creating an enabling environment for strong cybersecurity practices through incentives for MSMEs, and investing in cybersecurity workforce training and capacity building. Finally, there is a scope for increased public-private collaboration for real-time cyber intelligence sharing. Thus, a unified, risk-based national cybersecurity governance framework encompassing the current multi-pronged cybersecurity landscape would give direction to siloed efforts. It would help standardize best practices, streamline compliance, and strengthen overall cybersecurity resilience across all sectors in India.
References
- https://cdn.prod.website-files.com/635e632477408d12d1811a64/676e56ee4cc30a320aecf231_Cloudsek%20Annual%20Threat%20Landscape%20Report%202024%20(1).pdf
- https://strobes.co/blog/top-data-breaches-in-2024-month-wise/#:~:text=In%20a%20large%2Dscale%20data,emails%2C%20and%20even%20identity%20theft.
- https://www.google.com/search?q=nist+2.0&oq=nist+&gs_lcrp=EgZjaHJvbWUqBggBEEUYOzIHCAAQABiPAjIGCAEQRRg7MgYIAhBFGDsyCggDEAAYsQMYgAQyBwgEEAAYgAQyBwgFEAAYgAQyBwgGEAAYgAQyBggHEEUYPNIBCDE2MTJqMGo3qAIAsAIA&sourceid=chrome&ie=UTF-8
- https://www.iso.org/standard/27001
- https://nis2directive.eu/nis2-requirements/
- https://economictimes.indiatimes.com/tech/technology/india-ranks-number-10-in-cybercrime-study-finds/articleshow/109223208.cms?from=mdr