Answer ... India has no dedicated cybersecurity law. The IT Act, read with the rules and regulations framed thereunder, deals with cybersecurity and the cybercrimes associated therewith. As discussed in question 1.3, the ‘body corporate’ that handles sensitive personal data or information (SPDI) must implement “reasonable security practices and procedures” by maintaining a comprehensive documented information security programme. This programme should include managerial, technical, operational and physical security control measures that are commensurate with the nature of information being protected. In this context, the SPDI Rules recognise the International Standard IS/ ISO/ IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements” as one such approved security standard that can be implemented by a body corporate for the protection of personal information.

However, these requirements may be difficult to implement where blockchain technology is used or deployed. In such cases, there is usually no controlling body corporate to hold accountable for cybersecurity incidents. Where blockchain operators are involved in handling personal data, including SPDI, they will be responsible for compliance with the cybersecurity requirements stipulated under the IT Act and the SPDI Rules. However, as the blockchain infrastructure is decentralised and there is not always a centralised ‘operator’ (as is the case with Bitcoin), there may be no mechanism to ensure compliance with the cybersecurity requirements prescribed under the IT Act and the SPDI Rules.

In addition, the existing standards on information security, such as the IS/ISO/IEC 27001, which the SPDI Rules prescribe may not suffice for the purposes of blockchain, as these were not formulated with its decentralised nature in mind.

Answer ... Blockchain can be instrumental in maintaining and enhancing data integrity, as its immutable cryptographic blocks are likely to frustrate any attempts to tamper with the data (as these would require a consensus among the majority of participating nodes in the blockchain). Accordingly, this makes a blockchain-based structure almost tamper-proof.

Blockchain technology can serve as a meaningful replacement to architecture that involves a human element in data storage. The human element can potentially cause errors, which can be exploited by hackers, resulting in data breaches. This technology can be used to prevent data breaches, identity theft and foul play in transactions.

Some of the ways in which blockchain can enhance cybersecurity include the following:

• Keeping the Domain Name System (DNS) secure: The DNS is vulnerable to attack by hackers who can disrupt DNS service providers, thereby affecting major web portals. Deploying blockchain to strong DNS entries can enhance the security of DNS, as it acts as a replacement to an identifiable single target which can be attacked.
• Mitigating denial of service attacks: In denial of service attacks, a server or network resource may be a target to deny service to genuine users of such resources. Blockchain can be deployed to provide protection against such attacks.
• Blockchain does not rely on traditional usernames and passwords, but rather on private keys and multi-level authentication, which reliably provides stronger protection.
• Blockchain may be used by organisations to validate their software configurations and component lists to identify malware.

Answer ... Depending on the nature and extent of the cybersecurity risks and the sensitivity of the sector in which the business operates, cyber-incident response strategies may differ from one business to another. Common measures that can be implemented to mitigate cybersecurity risks include:

• deploying a set of detailed information security policies;
• conducting regular transaction monitoring and information security risk assessments;
• setting up risk mitigation and transition plans;
• updating relevant stakeholders within the organisation on their respective roles in advancing and allocating appropriate personnel to engage with the regulatory authorities; and
• dealing with clients, service providers and other stakeholders.

Many companies also conduct regular assessment of the vulnerabilities in their systems, including by inviting focused hacking. Depending on the sector, organisations can also reach out to the Indian Computer Emergency Response Team and seek advice with respect to incident recovery, damage containment and systems recovery.

Audit firms in India are also developing measures to counter cybersecurity threats for the clients they represent. Some of these measures include:

• building in-house facilities for managed security services, including situational awareness on cybersecurity risks, ongoing monitoring and analysis of security parameters;
• implementing secure, vigilant and resilient approaches towards cybersecurity, to test their capability to counter cyberattacks; and
• adopting auditing codes for blockchain solutions that test the cybersecurity of such solutions.