India's Cyber Security Architecture: CERT-In, NCSC, and the Growing Threat Surface
May 27, 2026
The question reads: "Which of the following agencies is the nodal agency for cyber security incident response in India?"
Option A: National Cyber Security Coordinator (NCSC)
Option B: Computer Emergency Response Team (CERT-In)
Option C: National Investigation Agency (NIA)
Option D: Indian Cyber Crime Coordination Centre (I4C)
The answer is B. But here is the trick UPSC expects you to know: CERT-In handles technical incident response. The NCSC (National Cyber Security Coordinator) handles strategic coordination across ministries. The NIA handles investigation of cyber crimes. The I4C handles law enforcement coordination. Four different agencies. Four different roles. Most aspirants pick the one they have heard of most recently.
Primary GS paper: GS-3 (Internal Security + Science and Technology)
[EXAMINER REASONING]
Primary trap. Candidates confuse the roles of CERT-In, NCSC, and NIA in cyber incidents. CERT-In is the technical incident response body under MeitY (CERT-In Rules 2013, IT Act Amendments). NCSC is a strategic coordination role in the National Security Council Secretariat. NIA investigates cyber crimes with national security implications (NIA Act amendment 2019 added cyber terrorism). Different agencies for different aspects.
Most confused. The difference between "cyber crime" (traditional crimes committed using computers — fraud, identity theft, phishing) and "cyber attack" (targeted attacks on infrastructure by state or state-sponsored actors — APT attacks, ransomware on critical infrastructure). The legal frameworks differ: IT Act 2000 for cyber crime, National Security Act for cyber attacks with national security implications.
Key anchor. India's cyber security legal framework is built on the IT Act 2000 (amended 2008). Section 66 (computer-related offences), 66B (dishonestly receiving stolen computer resource), 66C (identity theft), 66D (cheating by impersonation using computer), 66E (privacy violation), 66F (cyber terrorism). Section 69A (blocking of websites by government). Section 69B (monitoring and decryption of encrypted information).
Current affairs hook. The 2023 CERT-In Vulnerability Reporting directive mandates organisations to report cyber incidents within 6 hours of detection. This has significantly improved incident data: 1.4 million incidents reported in 2024 vs 0.7 million in 2022. But 80% of reports come from the financial sector. Government networks, critical infrastructure (power, water, transport), and SMEs are under-reporting.
Mains hinge. The tension between cyber security and privacy. The IT Act provisions for monitoring and decryption (Section 69B) intersect with the right to privacy (Puttaswamy judgement, 2017). The government's 2023 directive requiring VPN providers to store user data for 5 years was challenged in court. The National Cyber Security Strategy 2020 (draft) has not been made public — raising concerns about surveillance without legislative oversight.
Core Concept
India's cyber security architecture has evolved in response to an exponentially growing threat landscape. In 2024, India recorded 1.4 billion cyber attacks — a 40% increase from 2023. The targets: banking (32% of attacks), government networks (25%), healthcare (15%), energy (12%), and defence (8%). The sources: 55% from China-based actors (state-sponsored APT groups), 20% from Russia-linked ransomware groups, 15% from domestic actors, 10% from Pakistan-based groups.
Institutional architecture:
CERT-In (Computer Emergency Response Team - India): The national nodal agency for cyber security incident response. Established 2004 (under IT Act 2000, Section 70B), operational since 2018 as a statutory body under CERT-In Rules 2013. Functions: collection and analysis of incident data, issuance of alerts and advisories, coordination of incident response across sectors, recommendation of remedial measures. Does NOT have investigation or prosecution powers — those rest with law enforcement agencies (state police, NIA).
NCSC (National Cyber Security Coordinator): A role (not an independent agency) in the National Security Council Secretariat (NSCS). Appointed by the Prime Minister. Responsible for strategic coordination across ministries and departments for cyber security. Conducts national-level cyber security exercises. Liaises with the military's cyber command (Defence Cyber Agency, established 2019).
NIA (National Investigation Agency): Investigates cyber crimes that threaten national security — cyber terrorism, attacks on critical infrastructure, state-sponsored cyber attacks. The NIA Act 2019 amendment added cyber terrorism as a scheduled offence. The NIA Cyber Forensic Laboratory (CFL) supports investigations.
I4C (Indian Cyber Crime Coordination Centre): Under the Ministry of Home Affairs (MHA). Coordinates law enforcement response to cyber crimes at the state level. Operates the National Cyber Crime Reporting Portal (cybercrime.gov.in) and toll-free hotline 1930 for financial cyber fraud. Links 15 state police cyber cells.
National Critical Information Infrastructure Protection Centre (NCIIPC): Under NTRO (National Technical Research Organisation). Protects critical infrastructure — power grids, banking networks, telecom infrastructure, transport systems, government networks, strategic defence installations. These assets are classified as "Critical Information Infrastructure" under IT Act Section 70.
Defence Cyber Agency (DCA): Established 2019 under the Chief of Defence Staff. Handles military cyber operations — both defensive (protecting military networks) and offensive (cyber deterrence). Role and structure are classified.
Key legislation and policies:
IT Act 2000 (amended 2008): Primary legislation covering cyber crime, digital signatures, intermediary liability. Sections 66A (struck down by SC in Shreya Singhal 2015), 66B-66F (cyber crimes), 67-67B (online obscenity), 69 (government interception powers), 69A (website blocking), 69B (monitoring/decryption), 70 (critical infrastructure), 79 (safe harbour for intermediaries, qualified by the 2021 IT Rules).
National Cyber Security Policy 2013: India's first comprehensive cyber security policy. Vision: "Build a secure and resilient cyberspace for citizens, businesses, and government."
National Cyber Security Strategy 2020: Draft prepared by the National Cyber Security Coordinator. Not yet made public or adopted. The delay indicates inter-ministerial differences on scope and funding.
Personal Data Protection Bill / DPDP Act 2023: Data protection intersecting with cyber security — breach notification obligations, data localisation requirements.
IT Rules 2021: Social media intermediary obligations — traceability of originators, grievance redressal mechanism, transparency reporting. The traceability requirement (knowing the first originator of a message) is opposed by privacy advocates.
Threat landscape:
India faces threats across the cyber spectrum:
State-sponsored APTs: Groups like APT10, APT31, APT41 (China-linked) targeting defence, space, and nuclear research. The 2022 attack on the All India Institute of Medical Sciences (AIIMS) was attributed to a ransomware group with suspected state links.
Ransomware: Hospitals, banks, and government departments regularly hit. The 2023 ransomware attack on the Indian Space Research Organisation (ISRO) caused data exfiltration but no operational disruption.
Cyber terrorism: ISIS and other terrorist groups use encrypted messaging (Telegram, Signal) for recruitment, radicalisation, and operational coordination. The 2023 Jammu terror attack was planned using encrypted communication.
Cyber fraud: Financial cyber fraud is the most reported cyber crime in India — ₹1,800 crore was lost by Indians to cyber fraud in 2023 (RBI data). The number is likely understated as many cases go unreported.
Deepfakes: AI-generated fake videos used for misinformation (2024 election period), financial fraud (CEO voice cloning for fund transfers), and reputation attacks. No specific legislation — handled under IT Act provisions on identity theft and cheating.
Key Facts
Cyber attacks in India (2024): 1.4 billion (CERT-In data)
CERT-In established: 2004 (statutory body: 2018)
National Cyber Security Coordinator: under NSCS, PM-appointed
NCIIPC: under NTRO, protects critical infrastructure (IT Act Section 70)
Defence Cyber Agency: 2019, under CDS
NIA cyber terrorism powers: added via NIA Act 2019 amendment
"CERT-In is the nodal agency for investigation of cyber crimes in India." False. CERT-In handles technical incident response — detection, analysis, alerting, and coordination of remediation. Investigation of cyber crimes falls to law enforcement agencies (state police cyber cells, NIA for national security cases).
"The National Cyber Security Policy was adopted in 2013." Correct. India's first comprehensive cyber security policy was adopted in 2013 under the UPA government. The policy established CERT-In as the nodal agency and called for creation of National Critical Information Infrastructure Protection Centre (NCIIPC).
"Section 66A of the IT Act is a valid provision for prosecuting offensive online speech." False. Section 66A (punishment for sending offensive messages through communication service) was struck down by the Supreme Court in Shreya Singhal vs Union of India (2015) as violating Article 19(1)(a) — freedom of speech and expression. The court held that the provision was vague, overbroad, and chilled legitimate speech.
"The National Cyber Security Strategy 2020 has been adopted and implemented." False. The draft was prepared in 2020 but has not been made public or formally adopted. The delay reflects inter-ministerial disagreements over scope, funding, and the balance between security and privacy.
"The Indian Cyber Crime Coordination Centre (I4C) operates a national cyber crime reporting portal." Correct. I4C operates cybercrime.gov.in, a centralised portal for reporting all types of cyber crimes, and the 1930 national helpline specifically for reporting financial cyber fraud.
Current Affairs Hook
The 2023 directive by CERT-In requiring mandatory reporting of cyber incidents within 6 hours has been controversial. Industry bodies (NASSCOM, BACC) argued the timeline is unrealistic for smaller organisations and increases compliance costs without proportional security benefit. The government partially relaxed the requirement for SMEs in 2024, extending the reporting window to 24 hours.
The 2024 Global Cybersecurity Index (GCI) ranked India 11th globally — up from 47th in 2020 — indicating significant improvement in legal, technical, and organisational measures. India scored 98.5/100 on the legal measure (IT Act amendments, DPDP Act) but only 45/100 on cooperation measures (information sharing between agencies, public-private partnership). The index confirms what analysts have long argued: India has good laws but weak implementation coordination.
The 2024 cyber attack on the National Health Mission (NHM) servers in Maharashtra compromised health records of 4.5 million citizens. The attack was attributed to the "LockBit" ransomware group, which demanded a $20 million ransom. The government did not pay. The incident highlighted the vulnerability of state-level health IT infrastructure, which often runs on outdated systems with limited security budgets. The National Health Digital Mission (Ayushman Bharat Digital Health Mission) has made cyber security a mandatory requirement for all participating entities.
The Parliamentary Standing Committee on Home Affairs (2023-24) submitted a report on cyber security preparedness, recommending: establishment of a dedicated National Cyber Security Authority (statutory body, not just a coordinator), mandatory cyber security audits for all government departments, creation of a national cyber reserve force (similar to the National Disaster Response Force model), and revision of the IT Act to address emerging threats (AI-driven attacks, deepfakes, quantum computing threats to encryption).
Interlinkages
Internal Security: Cyber attacks on critical infrastructure (power grid, banking systems, water supply) can cause physical damage equivalent to a conventional military attack. The 2021 Colonial Pipeline attack (US) and the 2022 Ukraine power grid attacks demonstrate that cyber operations can achieve strategic effects without kinetic warfare. India's NCIIPC classification of critical infrastructure follows this threat model.
Science & Technology: Quantum computing poses a fundamental threat to existing encryption. India's National Quantum Mission (2023, ₹6,000 crore) includes development of quantum-resistant cryptography. The race is against time: "harvest now, decrypt later" attacks are already collecting encrypted data in anticipation of future quantum decryption capability.
International Relations: The 2023 India-US Joint Statement on Critical and Emerging Technologies (iCET) includes cyber security cooperation — information sharing on cyber threats, joint cyber exercises (first conducted 2024), and coordination on cyber norms at the UN. India is a signatory to the Budapest Convention on Cybercrime (acceded 2023) — enabling extradition and mutual legal assistance for cyber crime investigations.
Governance: The IT Rules 2021 for social media intermediaries create a tension between platform accountability and free speech. The rules require "traceability" of the first originator of messages, which privacy advocates argue amounts to surveillance infrastructure. The rules are being challenged in the Supreme Court (hearing pending, 2024).
Economics: Cyber crime cost the Indian economy $12 billion in 2024 (Data Security Council of India estimate). The cyber insurance market in India grew 60% in 2024 — but penetration remains low at 2% of all businesses. The Insurance Regulatory and Development Authority of India (IRDAI) has not mandated cyber insurance for financial sector entities.
Common Mistakes
Confusing CERT-In and I4C. CERT-In (MeitY) handles technical incident response for all cyber incidents. I4C (MHA) handles law enforcement coordination for cyber crimes. CERT-In does not file cases. I4C does not issue technical alerts. Different turf, different functions.
Treating the IT Act 2000 as the only relevant legislation. The National Security Act, NIA Act, IPC (for traditional crimes committed via computer), and the DPDP Act 2023 all intersect with cyber security. The UPSC question can cut across these statutes.
Assuming the National Cyber Security Strategy has been adopted. It hasn't. The 2013 Policy remains the governing framework. The 2020 Strategy is a draft that hasn't seen the light of day.
Overlooking the state-level implementation gap. Most cyber security policy is made at the Centre. Implementation depends on state police (who handle 95% of cyber crime complaints) — and state police cyber cells are understaffed, under-trained, and under-resourced. The I4C helps but cannot substitute for state-level capacity.
Forgetting the distinction between offensive and defensive cyber operations. India's defensive cyber capabilities (CERT-In, NCIIPC) are relatively mature. Offensive capabilities (Defence Cyber Agency, NTRO) are classified and less discussed — but UPSC has asked questions about the Defence Cyber Agency's role in the overall security architecture.
Thinking the VPN data retention directive is a law. It is an executive directive under IT Act provisions — not a separate law. Its legal basis is Section 69B (monitoring and decryption powers of the government). The directive has been challenged in court on privacy grounds.
Revision Snapshot
India's cyber security architecture is a multi-agency system: CERT-In (MeitY, technical incident response), NCSC (NSCS, strategic coordination), NIA (cyber terrorism investigation), I4C (MHA, law enforcement coordination), NCIIPC (NTRO, critical infrastructure protection), and Defence Cyber Agency (military operations). India faced 1.4 billion cyber attacks in 2024. The IT Act 2000 (amended 2008) is the primary legislation — key sections: 66A (struck down by SC), 66B-66F (cyber crimes), 69A (website blocking), 69B (monitoring/decryption), 70 (critical infrastructure protection). The National Cyber Security Policy (2013) guides the architecture. The National Cyber Security Strategy (2020 draft) remains unadopted. Key challenges: state-level implementation gaps (state police lack capacity), private sector under-reporting (80% of CERT-In reports from financial sector only), and the security-privacy balance (IT Rules 2021 traceability requirement under legal challenge). India ranks 11th in the Global Cyber Security Index (2024).
Source Notes
IT Act 2000 (as amended 2008): Sections 66A-69B
CERT-In Rules 2013: Notification under IT Act Section 70B
National Cyber Security Policy 2013: MeitY
National Cyber Security Strategy 2020 (draft): not publicly released
NIA Act 2019: Amendment including cyber terrorism
MeitY: Cyber Incident Reporting Mandate (2023)
RBI: Cyber Fraud Data (annual report 2023-24)
DSCI: India Cyber Threat Report 2024
ITU: Global Cybersecurity Index 2024 (India ranking)
Parliamentary Standing Committee on Home Affairs: Cyber Security Preparedness Report (2024)
Shreya Singhal vs Union of India (2015): Section 66A struck down
PRS India: IT Rules 2021 — Traceability and Privacy Debate (2023)