Introduction: Digital Public Infrastructure and Cybersecurity Landscape in India

The Chief Economic Adviser (CEA) recently highlighted the dual-edged nature of India’s expanding Digital Public Infrastructure (DPI) ecosystem. As of 2023, India boasts over 900 million internet subscribers (TRAI Annual Report 2023), with DPI platforms like Aadhaar facilitating more than 1.3 billion biometric authentications daily (UIDAI Annual Report 2023). This digital expansion underpins India’s digital economy, projected to reach $1 trillion by 2025 (NITI Aayog 2023). However, the rapid growth has exposed systemic cybersecurity vulnerabilities, with cybercrime losses estimated at $18 billion annually (Cybersecurity Ventures 2023). The CEA stresses the urgency of strengthening legal frameworks, institutional coordination, and investments to protect economic growth and citizen data privacy.

UPSC Relevance

  • GS Paper 2: Governance — Digital Governance, Cybersecurity Policies
  • GS Paper 3: Economy — Digital Economy, Cybersecurity Challenges
  • Essay: Impact of Digital Infrastructure on Economic Development and Security

The Information Technology Act, 2000 (IT Act 2000) forms the primary legal backbone for cybersecurity, with key provisions including Section 43A (compensation for failure to protect data), Section 66 (hacking), and Section 72A (breach of confidentiality). However, the Act predates many modern cyber threats such as ransomware and supply chain attacks, limiting its efficacy.

The pending Personal Data Protection Bill, inspired by the European GDPR, aims to fill gaps by instituting comprehensive data privacy and protection norms. The Supreme Court’s landmark judgment in Justice K.S. Puttaswamy v. Union of India (2017) recognized privacy as a fundamental right under Article 21, strengthening the legal basis for data protection.

  • National Cyber Security Policy 2013 outlines strategic objectives but has seen limited updates, reducing its relevance against evolving threats.
  • CERT-In operates under the Ministry of Electronics and Information Technology (MeitY) as the national agency for incident response and cybersecurity threat mitigation.

Economic Significance and Cybersecurity Risks in the DPI Ecosystem

India’s digital economy, driven by DPI platforms, is a key growth engine. The digital payments market alone is expected to grow at a 20% CAGR to $1.4 trillion by 2026 (IBEF 2024). The government allocated ₹8,000 crore for cybersecurity initiatives in the 2023-24 Union Budget (Ministry of Finance), reflecting recognition of the economic risks posed by cyber threats.

Cybercrime losses of $18 billion annually impose a significant drag on economic productivity and investor confidence. The DPI ecosystem’s reliance on biometric authentication and digital identity systems like Aadhaar increases exposure to identity theft, data breaches, and fraud.

  • Over 1.3 billion Aadhaar biometric authentications daily (UIDAI 2023) create vast attack surfaces.
  • Fragmented cybersecurity governance leads to overlapping mandates and delayed threat response.

Institutional Architecture and Coordination Challenges

India’s cybersecurity governance involves multiple institutions with overlapping roles:

  • CEA advises on economic implications of digital infrastructure and cybersecurity policy.
  • MeitY formulates and implements digital infrastructure and cybersecurity policies.
  • CERT-In handles cybersecurity incident response and threat mitigation.
  • UIDAI manages Aadhaar, a core DPI component for digital identity.
  • NCIIPC protects critical digital infrastructure from cyber threats.
  • NITI Aayog provides strategic policy inputs on digital economy and cybersecurity.

This multiplicity creates coordination challenges, with no single nodal agency empowered to enforce cybersecurity standards across sectors. The IT Act 2000 lacks provisions for proactive threat intelligence sharing and mandatory breach disclosures, unlike international frameworks.

Comparative Analysis: India vs Singapore Cybersecurity Frameworks

| Aspect | India | Singapore |
|---|---|---|
| Cybersecurity Strategy | National Cyber Security Policy 2013 (limited updates) | Cybersecurity Strategy 2021 with whole-of-nation approach |
| Institutional Setup | Multiple agencies (CERT-In, NCIIPC, MeitY) with overlapping mandates | Single Cyber Security Agency (CSA) with centralized authority |
| Legal Framework | IT Act 2000 (amended), pending Personal Data Protection Bill | Cybersecurity Act 2018 with mandatory compliance for critical infrastructure |
| Cyber Incident Trends | Rising cybercrime losses ($18 billion annually) | 30% reduction in cyber incidents year-on-year (CSA Report 2023) |
| Regulatory Enforcement | Reactive, fragmented enforcement | Proactive, stringent enforcement with clear penalties |

Critical Gaps in India’s DPI Cybersecurity Ecosystem

  • Fragmented Governance: Overlapping institutional mandates impede unified action and rapid response.
  • Outdated Legal Framework: IT Act 2000 lacks provisions for emerging threats like ransomware and supply chain attacks.
  • Limited Policy Updates: National Cyber Security Policy 2013 has not been revised to address evolving cyber threats.
  • Reactive Posture: Absence of mandatory threat intelligence sharing and breach notification mechanisms delays mitigation.
  • Insufficient Investment: ₹8,000 crore allocation is significant but insufficient relative to the scale of threats and economic stakes.

Way Forward: Strengthening DPI Cybersecurity in India

  • Enact Comprehensive Data Protection Law: Expedite passage of the Personal Data Protection Bill with provisions for cybersecurity obligations.
  • Institutional Rationalization: Establish a centralized cybersecurity authority akin to Singapore’s CSA for coordinated policy and enforcement.
  • Update Cybersecurity Policy: Revise the National Cyber Security Policy to incorporate emerging threats and proactive threat intelligence sharing.
  • Mandatory Breach Reporting: Legislate compulsory disclosure of cyber incidents to enable timely response and public awareness.
  • Increase Budgetary Allocation: Scale up investments in cybersecurity infrastructure, capacity building, and research.
  • Public-Private Partnerships: Foster collaboration between government, industry, and academia for threat detection and mitigation.
📝 Prelims Practice
Consider the following statements about the Information Technology Act, 2000:
  1. Section 43A mandates compensation for failure to protect sensitive personal data.
  2. Section 66 criminalizes hacking activities.
  3. Section 72A deals with breach of confidentiality and privacy of electronic information.

Which of the above statements is/are correct?

  • (a) 1 and 2 only
  • (b) 2 and 3 only
  • (c) 1 and 3 only
  • (d) 1, 2 and 3
Answer: (d)
All three statements are correct. Section 43A provides for compensation to persons affected by failure to protect sensitive personal data. Section 66 criminalizes hacking, and Section 72A penalizes breach of confidentiality and privacy of electronic information.
📝 Prelims Practice
Consider the following about CERT-In and UIDAI:
  1. CERT-In is responsible for managing Aadhaar biometric authentication services.
  2. UIDAI manages the Aadhaar digital identity platform.
  3. CERT-In operates under the Ministry of Electronics and Information Technology.

Which of the above statements is/are correct?

  • (a) 1 and 2 only
  • (b) 2 and 3 only
  • (c) 1 and 3 only
  • (d) 1, 2 and 3
Answer: (b)
Statement 1 is incorrect because CERT-In does not manage Aadhaar services; UIDAI does. Statements 2 and 3 are correct.
✍ Mains Practice Question
Discuss the cybersecurity challenges faced by India’s Digital Public Infrastructure ecosystem and analyze the adequacy of existing legal and institutional frameworks in addressing these challenges. Suggest measures to strengthen cybersecurity governance in India.
250 Words | 15 Marks

Jharkhand & JPSC Relevance

  • JPSC Paper: Paper 2 (Governance and Public Policy), Paper 3 (Science and Technology)
  • Jharkhand Angle: Increasing digital penetration in Jharkhand’s rural areas raises cybersecurity concerns for local government services and citizen data protection.
  • Mains Pointer: Frame answers highlighting the state’s digital infrastructure growth, cybersecurity risks in local e-governance, and the need for capacity building and legal awareness at the state level.
What are the key provisions of the IT Act 2000 related to cybersecurity?

The IT Act 2000 includes Section 43A for compensation due to failure to protect sensitive personal data, Section 66 criminalizing hacking, and Section 72A penalizing breach of confidentiality and privacy of electronic information.

How does the Personal Data Protection Bill differ from the IT Act 2000?

The Personal Data Protection Bill proposes comprehensive data protection norms inspired by GDPR, including data fiduciary obligations, individual consent, and stronger enforcement mechanisms, unlike the limited scope of the IT Act 2000.

What role does CERT-In play in India’s cybersecurity ecosystem?

CERT-In is the national agency under MeitY responsible for cybersecurity incident response, threat mitigation, and issuing guidelines for organizations to enhance cyber resilience.

Why is institutional coordination a challenge in India’s cybersecurity governance?

Multiple agencies like CERT-In, NCIIPC, MeitY, and UIDAI have overlapping mandates without a centralized authority, leading to fragmented responses and delayed mitigation of cyber threats.

How does Singapore’s cybersecurity framework provide a model for India?

Singapore’s Cybersecurity Strategy (2021) features a centralized Cyber Security Agency, mandatory compliance for critical infrastructure, and a whole-of-nation approach, resulting in a 30% year-on-year reduction in cyber incidents, which India can emulate for better coordination and enforcement.
