
Navigating the Intersection of AI and Cybersecurity in India
Introduction

• In 1949, John von Neumann conceptualized a self-replicating computer program,
laying the groundwork for what would later be known as "computer viruses."
• The "Morris worm" of 1988, exploiting weak passwords, is considered the first major
deployment of a computer virus on the internet, leading to the conviction of its
creator under the Computer Fraud and Abuse Act in the USA.
• Since then, catalyzed by the internet boom, cyber threats have evolved significantly,
including trojans, malware, ransomware, DDoS attacks, data breaches, botnets, spam,
phishing, SQL injection, crypto-jacking, and man-in-the-middle attacks.
• India faces significant cyber threats, ranking as one of the most attacked countries globally,
with a sharp increase in reported incidents tracked by CERT-In from 2018 to 2022, highlighting
the vulnerability of its extensive internet and mobile phone user base.
• Major institutions like AIIMS have experienced cyber-attacks, prompting the Indian
government to develop a National Cybersecurity Response Framework, particularly focusing
on critical sectors like power and health, while the e-retail sector and fintech landscape,
including UPI payments, are also prime targets for cyber-attacks.
• The intersection of Generative AI (GenAI) and cybersecurity presents both challenges and
opportunities, as GenAI's advancements can amplify cyber threats, but its defensive
capabilities also offer potential solutions, necessitating a nuanced understanding of the legal
implications in this evolving landscape.
Basics of AI

1. In cybersecurity, AI is utilized by cybercriminals to create sophisticated
phishing emails and social engineering attacks, posing a significant threat to
organizations.
2. Conversely, AI can also be employed in cybersecurity strategies, such as
through Generative Adversarial Networks (GANs) and Variational
Autoencoders (VAEs), to predict user behavior patterns and identify
anomalies, aiding in threat detection and response.
AI as a Cyber threat
1. Deepfakes, created by sophisticated AI algorithms, pose significant threats by spreading misinformation,
influencing elections, conducting phishing scams, and eroding trust in authentic media, leading to socio-
political concerns and potential national security risks.
2. Data poisoning involves deliberately introducing malicious data into AI training datasets, corrupting AI
models and leading to biased or incorrect information, discrimination, and wrongful classifications, with
examples including attempts to manipulate Gmail's spam filters and the unintended consequences of
tainted datasets on AI chatbots like Microsoft's Twitter chatbot.
3. AI's ability to autonomously create malware and bypass security measures without human input poses a
unique threat, exemplified by the existence of tools like FraudGPT, a subscription-based GenAI chatbot used
to generate deceptive content for malicious purposes such as writing malicious code, creating phishing
pages, and crafting scam letters.
Legal and Regulatory Framework in India

1. The Indian government aims to fuel economic growth in the upcoming decade, termed as India's "techade,"
with a focus on technology-driven development. Efforts include revising legal frameworks to address privacy
and cybersecurity concerns, although explicit definitions for "GenAI" or "AI" are currently lacking in Indian
statutes.
2. The Information Technology Act, 2000, supplemented by various rules and regulations, serves as the primary
legal framework for cybersecurity in India. Sector-specific regulations and initiatives like the CERT-In Rules and
Directions mandate reporting of cybersecurity incidents, but there is a gap in addressing emerging
technologies like AI/ML and GenAI within the current legislative framework.
3. Sectoral regulators, such as SEBI, RBI, and IRDAI, have released frameworks for cybersecurity, emphasizing
reporting requirements and compliance obligations for regulated entities. However, these frameworks do not
specifically address risks related to AI/ML or GenAI, leaving a gap in addressing emerging technological threats
within sectoral regulations.
Approach of Indian Courts
1. Indian courts have addressed emerging technological challenges, such as deepfakes and AI, within existing legal frameworks,
recognizing the limitations and risks associated with relying solely on AI-generated data for legal adjudication.
2. The proposed Digital India Act (DIA) aims to address regulatory gaps by introducing a legislative framework to regulate high-risk AI
systems and emerging technologies, potentially replacing the outdated Information Technology Act (IT Act) as the primary
legislation for cybersecurity threats.
3. The Digital Personal Data Protection Act (DPDPA) focuses on governing personal data (PD) protection, including stringent
requirements for data fiduciaries and penalties for non-compliance, although it does not specifically address risks related to AI or
GenAI.
4. While the DPDPA covers incidents involving PD breaches, such as those involving GenAI, it does not address broader cybersecurity
issues related to anonymized or aggregated data, which may require consideration under other laws.
5. The DIA is expected to regulate AI and emerging technologies through the lens of "user harm," potentially aligning with
international efforts such as the EU's Artificial Intelligence Act (EU AI Act) while filling regulatory gaps in India's legal framework.
Recommendations for Policy Makers and Stakeholders
Urgent need for AI-specific legislation to address the growing use of AI and associated harms, with
principles outlined by NITI Aayog emphasizing reliability, equality, privacy-by-design, transparency,
and positive human values.

Importance of enhancing AI literacy among judiciary and law enforcement agencies to effectively
balance innovation with individual rights, ensuring considerations of data privacy, transparency, and
fundamental rights in legal rulings.

Promotion of incentives for AI research through industry standards and self-regulation, guided by
clear, comprehensive principles aligned with national AI strategy, encompassing ethical
considerations, safety standards, and accountability measures, with oversight by an independent
governing body to ensure adherence and accountability.
Conclusion

1. AI's unique ability to autonomously produce data sets distinguishes it from other
forms of AI, presenting both opportunities and risks in cyber-attacks and defensive
cybersecurity capabilities.
2. Technological innovations like GenAI are neutral and can be used for both beneficial
and harmful purposes, emphasizing the importance of a principles-based approach
to law-making to address present and future scenarios.
3. The legislative vacuum around AI and cybersecurity in India hampers proactive
measures to curb harm and protect user rights, highlighting the need for a
farsighted law to balance risks and innovation.
THANK YOU
