← Internal Security
HomeInternal Security › Topic 09

Cyber Security

Cyberspace & the CIA Triad · Types of Cyber Attacks · Critical Information Infrastructure & NCIIPC · CERT-In, NCCC, I4C · IT Act 2000, DPDP Act 2023 · 5G & AI
📄 GS Paper 3🎯 Mains Focus⏱ 18 min read📅 Updated June 2026

Understanding Cyberspace and Cyber Security

Cyberspace is the borderless, man-made domain of interconnected digital networks — computers, servers, the internet, telecommunications, IoT devices and the data flowing through them. It is now recognised as the "fifth domain" of warfare alongside land, sea, air and space. As India digitises its economy and governance, cyberspace has become both an engine of growth and a vast attack surface. Cyber security is the practice of protecting systems, networks, data and programs from digital attacks aimed at accessing, altering, destroying or extorting information, or disrupting normal operations.

The foundational goal of cyber security is captured in the CIA triadConfidentiality (only authorised access), Integrity (data is accurate and untampered) and Availability (systems and data are accessible when needed). Every cyber attack is, at heart, an assault on one or more of these three pillars.

Key Terms You Must Know

  • Cyberspace: the global digital environment of interconnected IT infrastructure and data.
  • Cyber security: protection of cyberspace assets and the CIA triad against threats.
  • Malware: "malicious software" — viruses, worms, trojans, spyware designed to damage or infiltrate systems.
  • Ransomware: malware that encrypts a victim's data and demands payment (often in cryptocurrency) for the decryption key.
  • Phishing: fraudulent emails/messages impersonating trusted entities to steal credentials or money; spear-phishing targets specific individuals.
  • DDoS: Distributed Denial of Service — flooding a server with traffic from many sources to make it unavailable.
  • APT: Advanced Persistent Threat — a stealthy, prolonged, often state-sponsored intrusion to exfiltrate data.
  • Zero-day: an exploit of a software vulnerability unknown to the vendor, for which no patch yet exists.
  • Botnet: a network of compromised "zombie" devices controlled remotely to launch attacks (e.g., DDoS).
  • Dark web: encrypted, unindexed part of the internet (accessed via Tor) used for anonymous, often illicit, trade in data, malware and weapons.
  • CIA triad: Confidentiality, Integrity, Availability — the three core objectives of information security.
Key distinction: Cyber crime (financially or personally motivated, e.g., online fraud) differs from cyber warfare (state-on-state attacks on infrastructure) and cyber terrorism (politically motivated attacks to cause fear or harm). UPSC answers should locate each threat on this spectrum.

Importance of Cyberspace & Cyber Security in India

India is one of the world's largest and fastest-growing digital ecosystems, with over 900 million internet users by 2026. Cyberspace underpins the digital economy, public service delivery and national security alike, making its protection a strategic imperative.

  • Digital economy: e-commerce, fintech and the IT/ITeS sector contribute a rising share of GDP; a single breach can cascade across markets.
  • UPI & digital payments: India processes the world's largest volume of real-time payments through UPI — a high-value target for fraud and disruption.
  • Aadhaar & digital identity: the world's largest biometric database powers authentication and welfare delivery; its security is paramount to privacy and trust.
  • Digital India & e-governance: DigiLocker, e-services, CoWIN-style platforms and digitised land records expand convenience but also the attack surface.
  • Critical infrastructure: power grids, banking, telecom, railways, defence and health systems are increasingly networked and remotely controllable.
Exam angle: Always frame cyber security as the flip side of Digital India — digital empowerment without digital resilience is a strategic liability. Link UPI/Aadhaar scale → larger attack surface → need for robust CII protection and a data-protection law.
Types of Cyber Attacks ATTACK VECTORS Malware — virus, worm, trojan, spyware Ransomware — encrypt & extort Phishing / spear-phishing Man-in-the-Middle (MITM) SQL injection — database attacks DDoS — flood & deny service Social engineering — human hacking Supply-chain attacks TARGET: Confidentiality · Integrity · Availability every attack breaches one or more CIA pillars ADVANCED: APT · Zero-day · Botnet · Dark web stealthy, persistent, often state-sponsored
Figure 1: Classification of cyber attacks — common vectors converge on breaching the CIA triad, with advanced threats adding stealth and persistence.

Motives Behind Cyber Attacks

Understanding the "why" helps anticipate the "how." Cyber attacks are driven by a range of overlapping motives:

  • Espionage: stealing state secrets, defence data or intellectual property — typically by state-sponsored APT groups.
  • Financial gain: the largest category — ransomware, banking fraud, UPI scams, cryptojacking and data theft for sale.
  • Hacktivism: ideologically or politically motivated defacements, leaks and DDoS by groups seeking publicity.
  • Cyber warfare: state-on-state attacks to degrade an adversary's critical infrastructure or command systems.
  • Cyber terrorism: politically motivated attacks intended to cause fear, casualties or disruption of essential services.

Types of Cyber Attacks — In Detail

AttackHow it worksImpact
MalwareMalicious code (viruses, worms, trojans, spyware) installed covertlyData theft, system corruption, surveillance
RansomwareEncrypts files, demands crypto-ransom for the keyService shutdown, financial loss (e.g., AIIMS Delhi 2022)
PhishingSpoofed emails/SMS lure users to reveal credentialsAccount takeover, fraud, malware delivery
MITMAttacker intercepts communication between two partiesEavesdropping, data & credential theft
SQL injectionMalicious queries exploit input fields to access databasesData breach, record manipulation
DDoSBotnets flood a server with trafficWebsite/service outage, availability loss
Social engineeringManipulating people (not systems) into giving accessBypasses technical controls; insider risk
Supply-chainCompromising a trusted vendor/software to reach targetsWide, stealthy compromise (e.g., SolarWinds-type)
Note: The "human layer" is the weakest link — social engineering and phishing remain the most common entry points, which is why end-user awareness is a core component of cyber security.

Components of Cyber Security

Cyber security is layered ("defence-in-depth"). The 2022 UPSC Mains question explicitly asked for the "different elements of cyber security," so these components must be memorised:

  • Network security: protecting the integrity and usability of networks via firewalls, intrusion-detection systems and segmentation.
  • Application security: securing software through secure coding, patching and testing against exploits like SQL injection.
  • Information / data security: protecting data at rest and in transit using encryption, access controls and the CIA triad.
  • Operational security: processes and decisions for handling and protecting data assets — permissions, procedures, disaster recovery.
  • End-user education: training people to recognise phishing, use strong passwords and avoid risky behaviour — the human firewall.
India's Cyber Security Institutional Architecture NSCS / PMO National Cyber Security Coordinator CERT-In national incident response (MeitY) NCIIPC protects CII (under NTRO) NCCC threat awareness & coordination I4C cyber crime (MHA) helpline 1930 Cyber Swachhta Kendra — botnet cleaning Defence Cyber Agency — military cyber ops MeitY · NTRO · MHA · MoD — multi-ministry framework
Figure 2: India's layered cyber security architecture — strategic coordination at the top, operational agencies for incident response, CII protection and cyber crime below.

Need for Cyber Security & Critical Information Infrastructure (CII)

As essential services migrate online, a successful cyber attack can paralyse a nation without firing a shot. This makes Critical Information Infrastructure (CII) the highest-priority asset to defend.

Under Section 70 of the IT Act 2000, CII is defined as a computer resource whose incapacitation or destruction would have a debilitating impact on national security, economy, public health or safety. The National Critical Information Infrastructure Protection Centre (NCIIPC), operating under the NTRO, is the nodal agency for CII protection.

Critical Sectors Identified by NCIIPC

  • Power & energy — grids, generation, distribution (e.g., probing of Mumbai grid, 2020).
  • Banking, financial services & insurance (BFSI) — payment systems, stock exchanges.
  • Telecom — networks, data centres, undersea cables.
  • Transport — railways, aviation, ports, traffic systems.
  • Government — strategic and public enterprise systems.
  • Health — hospitals and medical records (e.g., AIIMS Delhi ransomware, 2022).
Why it matters: Attacks on CII blur the line between cyber crime and cyber warfare. A grid blackout or a banking-system freeze can have strategic, cascading effects — making CII protection central to national security, not merely IT hygiene.

Cyber Terrorism

Cyber terrorism is the use of cyberspace by terrorist groups or their sponsors to conduct politically or ideologically motivated attacks that cause death, large-scale disruption or widespread fear. It also includes the use of the internet for recruitment, radicalisation, propaganda, financing and coordination.

Threats to CII from Cyber Terrorism

  • Disabling power grids or water systems to cause mass disruption.
  • Attacking financial systems to fund operations or destabilise the economy.
  • Targeting transport/aviation control systems to endanger lives.
  • Hacking communication networks to spread panic or coordinate physical attacks.
  • Defacing or hijacking government platforms for propaganda.
Convergence threat: Cyber terrorism amplifies physical terrorism — a coordinated cyber-physical attack (e.g., disabling emergency response during a bombing) is the worst-case scenario for security planners.

Government's Initiatives — Institutional Framework

BodyRole
CERT-In (Indian Computer Emergency Response Team)National nodal agency for cyber incident response, alerts, forecasts and coordination; under MeitY. 2022 directions mandate 6-hour breach reporting.
NCIIPC (National Critical Information Infrastructure Protection Centre)Nodal agency to protect Critical Information Infrastructure; operates under NTRO; designates & secures critical sectors.
NCCC (National Cyber Coordination Centre)Generates real-time situational awareness of cyber threats; screens metadata and coordinates among agencies.
Cyber Swachhta Kendra (Botnet Cleaning & Malware Analysis Centre)Detects botnet infections and provides free tools to clean infected devices; operated by CERT-In.
I4C (Indian Cyber Crime Coordination Centre)MHA's framework to tackle cyber crime; runs the National Cyber Crime Reporting Portal and the 1930 financial-fraud helpline.
Defence Cyber Agency (DCyA)Tri-services agency under the Integrated Defence Staff for military cyber operations and defence of armed-forces networks.

Government's Initiatives — Legislative & Policy Framework

Law / PolicyYearPurpose
Information Technology (IT) Act2000 (amended 2008)Primary cyber law; legal recognition of e-records & e-signatures; offences (Sec 66, 70 CII, 72 privacy); 2008 amendment added cyber-terrorism & data-protection provisions.
National Cyber Security Policy2013First national framework to build a secure cyber ecosystem; aimed to create a workforce of 5 lakh cyber professionals; now largely outdated.
National Cyber Security Strategy2020 draft (pending)Proposed updated strategy by Data Security Council; awaiting formal release as of 2026 — a recurring exam & policy gap.
IT (Intermediary Guidelines) Rules2021 (amended 2022/23)Due-diligence and grievance-redressal obligations for intermediaries; traceability, content takedown timelines, Grievance Appellate Committees.
Digital Personal Data Protection (DPDP) Act2023India's first dedicated data-protection law; governs processing of digital personal data; rights of "Data Principals," duties of "Data Fiduciaries," Data Protection Board.
Privacy journey: Justice K.S. Puttaswamy v. Union of India (2017) declared privacy a fundamental right → Justice B.N. Srikrishna Committee (2018) → PDP Bill 2019 (withdrawn 2022) → Digital Personal Data Protection Act, 2023. Trace this chain in answers on data protection.
CIA Triad & Layered Defence-in-Depth C I A Confidentiality Integrity Availability CIA Defence Layers 1. End-user awareness 2. Application security 3. Network security 4. Data / information 5. Operational security Defence-in-Depth Principle Multiple, overlapping layers — if one fails, others contain the breach. No single control is sufficient; the human layer is the weakest link. Prevent → Detect → Respond → Recover
Figure 3: The CIA triad sits at the core; defence-in-depth wraps it in overlapping layers so that the failure of one control does not compromise the whole system.

International Initiatives & Governance

Cyberspace is borderless, so no nation can secure it alone. Several global bodies and instruments shape cyber norms:

  • Budapest Convention on Cybercrime (2001): the first international treaty on cyber crime, framed by the Council of Europe, enabling cross-border investigation and evidence sharing. India is not a signatory — it objects that (a) it was drafted without participation of non-European/developing states, and (b) provisions allowing foreign agencies to access data stored in India (trans-border access without consent) infringe national sovereignty. India favours a new treaty under the UN umbrella.
  • ITU (International Telecommunication Union): UN agency setting telecom/ICT standards and the Global Cybersecurity Index.
  • ICANN: manages the internet's domain name system (DNS) and IP address allocation — central to internet governance.
  • Internet Governance Forum (IGF): UN multi-stakeholder platform for policy dialogue on internet governance.
  • UN GGE & OEWG: the Group of Governmental Experts and the Open-Ended Working Group develop norms for responsible state behaviour in cyberspace; India participates actively and backs a UN Convention on Cybercrime (adopted 2024).
Exam tip: The "India is not a signatory to the Budapest Convention" point is high-yield — always pair it with India's sovereignty and data-access objections and its preference for a UN-led framework.

Challenges in Cyber Security

  • Shortage of skilled manpower: a large deficit of trained cyber-security professionals against a vast and growing attack surface.
  • Attribution problem: attackers spoof identities, route through botnets/proxies and use the dark web — making it hard to prove who is responsible, especially for state-sponsored APTs.
  • Jurisdiction: attacks cross borders instantly, but laws and enforcement stop at national boundaries; mutual legal assistance is slow.
  • Rapidly evolving threats: zero-days, AI-driven malware and ransomware-as-a-service outpace static defences and outdated laws.
  • Low public awareness: weak password hygiene, susceptibility to phishing and the human layer remain the easiest entry points.
  • Imported hardware/software dependency: reliance on foreign tech and telecom equipment raises supply-chain and trust concerns.
  • Policy lag: the National Cyber Security Strategy is still pending; the 2013 policy is outdated.

Data Protection — DPDP Act 2023 & Data Localisation

Data is the "new oil," and protecting personal data is now inseparable from cyber security. The Digital Personal Data Protection (DPDP) Act, 2023 is India's first comprehensive data-protection statute, operationalised through draft DPDP Rules (2025).

Key Features of the DPDP Act 2023

  • Data Principal & Data Fiduciary: the individual whose data is processed vs. the entity deciding the purpose/means of processing.
  • Consent-based processing: personal data may be processed only with free, informed consent (or for certain "legitimate uses").
  • Rights of individuals: right to access, correction, erasure and grievance redressal; right to nominate.
  • Significant Data Fiduciaries: additional obligations (Data Protection Officer, audits, impact assessments) for high-volume/high-risk processors.
  • Data Protection Board of India: adjudicates breaches and imposes penalties (up to ₹250 crore).
  • Cross-border transfer: allowed except to countries restricted by the government ("blacklist" model) — a relaxation from earlier localisation-heavy drafts.
  • Children's data: verifiable parental consent required; bar on targeted advertising to children.

The Data Localisation Debate

For localisation: easier law-enforcement access, protection from foreign surveillance, data sovereignty and domestic data-centre growth. Against: higher compliance costs, fragmentation of the global internet, possible trade friction, and limited security benefit if cyber hygiene is poor. The DPDP Act adopted a lighter "negative list" approach rather than mandatory localisation.

5G, AI and the Future of Cyber Security (to 2026)

5G and Cyber Security

  • 5G's massive device density (IoT) and software-defined, virtualised networks vastly expand the attack surface.
  • Supply-chain and trust concerns over network equipment drove India's "trusted source/trusted product" telecom security directive.
  • Critical sectors riding on 5G (autonomous transport, smart grids, telemedicine) raise the stakes of any breach.

AI and Cyber Security — A Double-Edged Sword

  • Offence: AI enables sophisticated, automated phishing, deepfakes, polymorphic malware and faster vulnerability discovery.
  • Defence: AI/ML powers anomaly detection, real-time threat hunting, automated response and predictive security.
  • Deepfakes: AI-generated fake audio/video pose threats to elections, identity verification and financial fraud — a top 2026 concern.
Way forward: Operationalise a National Cyber Security Strategy, scale the cyber-skilled workforce, fully implement the DPDP Act, harden CII, deepen public-private and international cooperation, and build "security-by-design" and AI-resilience into critical systems.

Current Affairs Snapshot (up to June 2026)

  • AIIMS Delhi ransomware attack (Nov–Dec 2022): crippled hospital systems for days, exposing CII vulnerability in the health sector — a flagship case study for answers.
  • DPDP Act 2023 & Draft Rules (2025): India's data-protection regime moving toward implementation; Data Protection Board being operationalised.
  • I4C & the 1930 helpline: the citizen financial-cyber-fraud helpline and the National Cyber Crime Reporting Portal have enabled large-scale freezing of defrauded funds; I4C declared a national agency.
  • Deepfake threat: rising AI-generated impersonation prompted advisories and proposed labelling rules for synthetic content.
  • AI in cyber: both attackers and defenders rapidly adopting AI; focus on AI safety and security guidelines.
  • National Cyber Security Strategy: still awaited as of 2026 — a persistent policy gap repeatedly flagged.
  • Rising ransomware & cyber fraud: India among the most targeted nations; "digital arrest" scams a major fraud trend addressed by I4C.

Previous Year Questions — Mains with Model Answer Structures MAINS

Mains-only — PYQs up to UPSC Mains 2025. Each model answer is a structured outline. Flesh out each point into 2–3 sentences in the exam. Attribute year/paper accurately.
UPSC GS3 2022 15 marks · 250 words

Q. "What are the different elements of cyber security? Keeping in view the challenges in cyber security, examine the extent to which India has successfully developed a comprehensive National Cyber Security Strategy."

Model Answer Structure
  1. Intro: Define cyber security and the CIA triad; note its centrality to Digital India.
  2. Elements: network, application, information/data, operational and end-user security (defence-in-depth).
  3. Challenges: skilled-manpower shortage, attribution, jurisdiction, evolving threats (ransomware, zero-days), low awareness, hardware dependence.
  4. India's efforts: National Cyber Security Policy 2013, CERT-In, NCIIPC, NCCC, I4C, IT Act 2000, DPDP Act 2023.
  5. Critical gap: the National Cyber Security Strategy (2020 draft) remains unreleased — fragmentation across ministries, no unified strategy.
  6. Way forward: finalise the Strategy, scale workforce, harden CII, implement DPDP, security-by-design, international cooperation.
  7. Conclusion: India has built institutions but lacks a single, comprehensive strategy — the framework is robust in parts yet incomplete.
UPSC GS3 2021 15 marks · 250 words

Q. "Keeping in view India's internal security, analyse the impact of cross-border cyber attacks. Also discuss defensive measures against these sophisticated attacks."

Model Answer Structure
  1. Intro: Cyberspace as the fifth domain of warfare; cross-border attacks blur cyber crime and cyber warfare.
  2. Nature: state-sponsored APTs, espionage, attacks on CII (power, banking, defence), disinformation.
  3. Impact on internal security: CII disruption (grid, health — AIIMS 2022), data theft, financial destabilisation, radicalisation, attribution difficulty.
  4. Why sophisticated: zero-days, supply-chain attacks, deniability, anonymity via dark web/botnets.
  5. Defensive measures — institutional: CERT-In, NCIIPC, NCCC, I4C, Defence Cyber Agency.
  6. Defensive measures — technical & legal: CII hardening, threat intelligence, IT Act, DPDP Act, trusted-source telecom, capacity building.
  7. Conclusion: need a comprehensive strategy, deterrence, resilience and international cooperation.
UPSC GS3 2017 15 marks · 250 words

Q. "Discuss the potential threats of Cyber attack and the security framework to prevent it."

Model Answer Structure
  1. Intro: Define cyber attack and the rising digital attack surface in India.
  2. Potential threats: malware, ransomware, phishing, DDoS, attacks on CII, espionage, cyber terrorism, data theft.
  3. Consequences: economic loss, CII paralysis, national-security risk, privacy breach, loss of trust.
  4. Security framework — institutional: CERT-In, NCIIPC, NCCC, Cyber Swachhta Kendra.
  5. Security framework — legal/policy: IT Act 2000, National Cyber Security Policy 2013, IT Rules.
  6. Framework — preventive: defence-in-depth, audits, awareness, encryption, international cooperation.
  7. Conclusion: a multi-layered, whole-of-nation framework balancing security with digital growth.
UPSC GS3 2013 10 marks · 200 words

Q. "What is digital signature? What does its authentication mean? Give various salient built-in features of a digital signature."

Model Answer Structure
  1. Intro: Define digital signature — a cryptographic technique (public-key/PKI) to authenticate the origin and integrity of an electronic document; legally recognised under the IT Act 2000.
  2. Authentication meaning: verifies the signer's identity and that the message has not been altered (non-repudiation + integrity).
  3. How it works: private key signs, public key verifies; uses hash functions and digital certificates issued by a Certifying Authority.
  4. Salient features: authentication, integrity, non-repudiation, confidentiality (with encryption), time-stamping, tamper-evidence.
  5. Relevance: underpins e-governance, e-commerce, secure transactions and the CIA triad.
  6. Conclusion: digital signatures are foundational to trust in cyberspace and India's digital economy.

Frequently Asked Questions

Why is Cyber Security important for UPSC 2027?
Cyber Security is part of Internal Security (GS Paper 3). It carries high weightage in Prelims (4/15 relevance) and Mains (4/10). Topic 09: CIA triad, cyber attacks, CERT-In, NCIIPC, DPDP Act 2023
How should I prepare Cyber Security for UPSC Prelims?
Focus on factual clarity, PYQs, and CERT-In, NCIIPC, DPDP Act. Read this note once for structure, then revise with MCQ practice and current-affairs linkages for UPSC Prelims 2027.
How is Cyber Security asked in UPSC Mains?
Mains questions on Cyber Security often need analytical answers linking constitutional/statutory framework with examples. Use headings, diagrams, and recent developments while staying within GS Paper 3 syllabus scope.
What are the most important topics within Cyber Security?
Key areas include: Topic 09: CIA triad, cyber attacks, CERT-In, NCIIPC, DPDP Act 2023. Tags to prioritise: CERT-In, NCIIPC, DPDP Act, Cyber Attacks, CII.
How long does it take to complete Cyber Security notes?
Estimated reading time is 18 minutes. Allow 2–3 revision cycles and PYQ practice for exam-ready retention before UPSC 2027.
Which books should I refer along with these Cyber Security notes?
Pair these notes with standard references for Internal Security (NCERT/Laxmikanth/RS Sharma as applicable), previous year papers, and Mentors Daily test series for integrated Prelims + Mains preparation.