UPSC GS Paper III: Science Tech, Cybersecurity, IT Act, Data Protection Bill, Cyber Threats

Must?Know

• Information Technology Act, 2000 – Enacted to provide legal recognition to electronic transactions, based on UNCITRAL Model Law on Electronic Commerce 1996.
• Section 43A of IT Act, 2000 – Mandates compensation for failure to protect data, introduced via 2008 amendment, basis for judicial enforcement in State of Tamil Nadu v. Suhas Katti (2004).
• Section 66A – Criminalized offensive messages via communication service, struck down in Shreya Singhal v. Union of India (2015) for violating Article 19(1)(a).
• Section 69 – Grants government power to intercept, monitor, or decrypt any information in the interest of sovereignty, security, or public order.
• Section 69A – Enables blocking of public access to information through intermediaries, used in blocking social media platforms during 2021 farmers’ protest.
• Section 70B – Established Indian Computer Emergency Response Team (CERT-In) as the national nodal agency for cybersecurity incident response.
• IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 – Require significant social media intermediaries to appoint Chief Compliance Officer, nodal contact person, and grievance officer.
• Data Protection Bill, 2019 – Drafted by B.N. Srikrishna Committee (2018), recommended creation of Data Protection Authority (DPA).
• Digital Personal Data Protection Act, 2023 – Replaced 2019 Bill, received Presidential assent in August 2023, not yet fully operational.
• DPDPA 2023 – Applies to digital personal data processing in India and outside if related to offering goods/services to Indian data principals.
• DPDPA 2023 – Introduces concept of "consent manager" as a data fiduciary to enable data principal to manage consent through an independent interface.
• DPDPA 2023 – Exempts government agencies from compliance during public emergencies, with oversight by a Review Committee under Union Cabinet Secretary.
• Critical Information Infrastructure (CII) – Defined under Section 70 of IT Act; includes power grids, banking systems, and transport networks; unauthorized access punishable under Section 70A.
• CERT-In directives (April 2022) – Mandated virtual private server providers, data centers, and cryptocurrency exchanges to store user logs for 5 years.
• Cyber Swachhta Kendra – Launched by MeitY in 2017 under National Cyber Security Policy 2013 to detect botnet infections and provide mitigation tools.
• National Cyber Security Coordinator (NCSC) – Coordinates cybersecurity strategy across ministries; housed under National Security Council Secretariat (NSCS).
• Cyber Surakshit Bharat – Initiative launched in 2018 by MeitY and PwC to train state governments on cybersecurity best practices.
• Ransomware attacks on AIIMS Delhi (2022) – Disrupted hospital services for weeks, attributed to Chinese hacker group "APT41".
• Stuxnet – First known cyberweapon (2010), targeted Iran’s nuclear centrifuges, demonstrated use of zero-day exploits.
• WannaCry (2017) – Global ransomware attack exploiting EternalBlue vulnerability in unpatched Windows systems, affected 200,000+ computers in 150 countries, including Indian telecom and hospitals.
• Pegasus spyware – Developed by NSO Group (Israel), used zero-click exploits to infect smartphones, found on Indian journalists, politicians, and judges in 2021 Pegasus Project investigation.
• MITRE ATT&CK Framework – Globally used knowledge base of adversary tactics and techniques, adopted by CERT-In for threat modeling.
• Cyberattacks on Kudankulam Nuclear Plant (2019) – Confirmed by NPCIL; malware (Dtrack) linked to North Korean group Lazarus, accessed administrative network but not control systems.
• India’s rank in ITU Global Cybersecurity Index 2020 – 10th globally, up from 47th in 2018, due to improvements in legal, technical, and organizational frameworks.
• Cybercrime incidents in India (NCRB 2022) – 52,974 reported cases, highest in Uttar Pradesh (11,596), 63.5% under IT Act, 36.5% under IPC.

Difficulty Level

Intermediate – Requires integration of legal provisions, evolving policy, and current cyber threats with judicial precedents.

Common UPSC Traps

Trap: Section 66A of IT Act is still valid – Fact: It was struck down in Shreya Singhal v. Union of India (2015) by the Supreme Court for being overly broad and violating free speech under Article 19(1)(a).
Trap: Data Protection Bill, 2019 is currently in force – Fact: It was replaced by the Digital Personal Data Protection Act, 2023, which has received assent but is not yet fully implemented.
Trap: CERT-In is a statutory body created by the Constitution – Fact: It was established under Section 70B of the IT Act, 2000, as an attached office of MeitY, not a constitutional or statutory body with independent status.
Trap: Pegasus spyware can only infect phones via malicious links – Fact: It uses zero-click exploits (e.g., iMessage vulnerability) requiring no user interaction, as confirmed by Amnesty International’s forensic analysis.

Practice MCQs

Question: Which of the following provisions was introduced in the Information Technology Act, 2000 through the 2008 amendment?
A) Section 66 – Computer-related offenses
B) Section 66A – Sending offensive messages
C) Section 69A – Blocking public access to information
D) Section 70 – Protected systems
Answer: C
Explanation: Section 69A was inserted by the IT (Amendment) Act, 2008, empowering the government to block public access to information online.
Why others fail: B is tempting because Section 66A was also added in 2008, but it has been struck down; however, the question asks for a provision introduced in 2008, so both B and C were, but C remains valid and is the better answer as per UPSC’s preference for operational provisions.

Question: The Digital Personal Data Protection Act, 2023 applies to:
A) Only data processing within India
B) Only government agencies processing data
C) Processing of digital personal data in India and outside if related to offering goods/services to data principals in India
D) Only private sector entities handling sensitive personal data
Answer: C
Explanation: The Act applies extraterritorially to processing outside India if it is in connection with offering goods or services to individuals in India.
Why others fail: A is incorrect because the law has extra-territorial application, a key feature of modern data laws like GDPR.

Question: Which committee was responsible for drafting the Personal Data Protection Bill, 2019?
A) Justice Malimath Committee
B) B.N. Srikrishna Committee
C) Usha Mehra Commission
D) Kargil Review Committee
Answer: B
Explanation: The Srikrishna Committee, constituted in 2017, submitted the draft PDP Bill in 2018, forming the basis of the 2019 Bill.
Why others fail: A dealt with criminal justice reform; C investigated the 2012 Delhi gang rape; D reviewed Kargil War lessons.

Question: Which of the following best describes the role of CERT-In?
A) Investigates cybercrimes under IPC
B) Acts as the national nodal agency for responding to cybersecurity incidents
C) Adjudicates disputes related to data protection
D) Regulates internet service providers under licensing norms
Answer: B
Explanation: CERT-In, established under Section 70B of the IT Act, is the national agency for incident response, vulnerability management, and threat dissemination.
Why others fail: A is done by police cyber cells; C falls under proposed DPA; D is regulated by TRAI and DoT.

Question: The Cyber Swachhta Kendra is operational under which policy framework?
A) Digital India Programme
B) National Cyber Security Policy, 2013
C) Smart Cities Mission
D) National e-Governance Plan
Answer: B
Explanation: Cyber Swachhta Kendra was launched in 2017 under the National Cyber Security Policy, 2013 to enhance botnet detection and clean-up.
Why others fail: A is broader and includes it indirectly, but the direct policy linkage is with 2013 cybersecurity policy.

Last?Minute Revision

• Section 66A IT Act – struck down in Shreya Singhal v. Union of India (2015).
• Digital Personal Data Protection Act – passed in 2023, not yet fully implemented.
• B.N. Srikrishna Committee – submitted draft data protection bill in 2018.
• UNCITRAL Model Law – basis for IT Act, 2000.
• Section 69 – government powers to intercept, monitor, decrypt.
• Section 69A – blocking public access, used in social media takedowns.
• Section 70B – establishes CERT-In.
• CERT-In – national nodal agency for cybersecurity incidents.
• IT Rules, 2021 – require significant social media intermediaries to appoint compliance officers.
• Critical Information Infrastructure (CII) – defined under Section 70 of IT Act.
• Pegasus spyware – developed by NSO Group, uses zero-click exploits.
• AIIMS Delhi cyberattack – 2022, attributed to APT41.
• Kudankulam cyberattack – 2019, Dtrack malware linked to Lazarus Group.
• Stuxnet – 2010, targeted Iranian nuclear program.
• WannaCry – 2017, exploited EternalBlue vulnerability.
• MITRE ATT&CK – framework for adversary tactics, used by CERT-In.
• Cyber Swachhta Kendra – launched 2017 under National Cyber Security Policy.
• National Cyber Security Coordinator – under NSCS.
• India ranked 10th in ITU Global Cybersecurity Index 2020.
• NCRB 2022 – 52,974 cybercrime cases reported.
• DPDPA 2023 – allows government exemption during public emergencies.
• Consent manager – introduced under DPDPA 2023 as independent interface.
• CERT-In (2022) directive – mandates 5-year log retention for VPS/data centers.
• State of Tamil Nadu v. Suhas Katti – first conviction under IT Act (2004).
• Data Protection Authority – proposed under DPDPA 2023, not yet constituted.