Experts: India's Cybersecurity System Lacks Policy, Accountability, and Consequences
Experts highlight significant shortcomings in India's cybersecurity framework, including an outdated policy, an unaccountable regulatory body, and a lack of repercussions for security breaches and auditors.

India's cybersecurity ecosystem faces critical deficiencies, including a national policy unchanged since 2013, an unaccountable national cybersecurity agency (CERT-In), and a lack of consequences for security auditors and companies that fail to adequately protect data. These issues, identified through expert consultations, undermine the nation's defense against cyber threats.
Key concerns center on CERT-In's lack of accountability. Experts such as Srikanth L and Kiran Jonnalagadda state that the agency has no legal obligation to act on reported vulnerabilities or answer for inaction. "Everything with CERT-In is like it’s a privilege," Jonnalagadda explained. "If they feel like it, they will do something. If you cannot hold them responsible for delivering the service, then it’s not a service. It’s a privilege."
Compounding the issue is a lack of transparency. CERT-In collects reports on security vulnerabilities but does not disclose the outcomes, creating a "black hole" where companies have little incentive to report issues. Security researcher Karan Saini shared an experience where CERT-In claimed a vulnerability was fixed when it remained exposed, illustrating the agency's ineffective response mechanism.
Proposed solutions include legislative reforms to make CERT-In statutorily accountable, similar to India's Right to Information Act. Alternatively, adopting a model like the US CVE (Common Vulnerabilities and Exposures) system, which ensures a confidential disclosure period followed by mandatory publication, could improve the handling of vulnerabilities.
Ultimately, experts argue that a fundamental restructuring of India's cybersecurity approach is essential to safeguard its digital infrastructure and build trust among citizens and businesses.