Forest Services
Emergence of Mythos AI and Its Implications
In 2024, Anthropic unveiled Mythos, an advanced AI model capable of autonomously discovering zero-day vulnerabilities and exploiting them within 48 hours in simulated critical infrastructure environments (Anthropic Research Report 2024). This agentic AI operates with minimal human oversight, executing multi-stage cyberattacks with a 70% higher success rate than traditional automated tools (Cybersecurity Journal 2023). India, ranked 10th globally in cyberattack targets with over 1.5 million incidents reported in 2023 (CERT-In Annual Report 2023), faces heightened risks as only 35% of its critical infrastructure organizations have adopted AI-driven cybersecurity defenses (NASSCOM Survey 2023). The dual-use nature of Mythos—enhancing defenses while enabling sophisticated attacks—raises urgent governance challenges at national and international levels.
UPSC Relevance
- GS Paper 3: Science and Technology – AI and cybersecurity risks, legal frameworks
- GS Paper 2: International Relations – Cybersecurity norms, international cooperation
- Essay: Emerging technology risks and governance reforms
AI's Transformative Impact on Cybersecurity
AI has revolutionized cybersecurity by enabling real-time threat detection, predictive analytics, and automated defense mechanisms. However, agentic AI systems like Mythos can autonomously identify zero-day vulnerabilities and launch complex cyberattacks targeting sectors such as banking, energy, and telecom. The rise of such AI challenges traditional security frameworks, which are ill-equipped to manage self-learning, autonomous threat actors. Globally, AI-enabled cyberattacks surged 45% between 2021 and 2023 (ENISA Threat Landscape Report 2023), underscoring the escalating threat landscape.
- Real-time detection and response improved by AI-driven predictive analytics
- Agentic AI reduces human intervention, increasing attack speed and complexity
- Critical infrastructure increasingly vulnerable due to inadequate AI defenses
- Global increase in AI-enabled cyberattacks highlights systemic risks
Legal and Constitutional Frameworks in India
India’s existing legal framework for cybersecurity is anchored in the Information Technology Act, 2000, particularly Sections 43A (compensation for failure to protect data), 66 (hacking), and 72A (breach of confidentiality). The pending Personal Data Protection Bill, 2019 aims to address data privacy and AI implications but lacks explicit provisions on autonomous AI threat actors. Article 253 of the Constitution empowers Parliament to legislate for international treaties related to cybersecurity, enabling India to engage in global governance. The National Cyber Security Policy, 2013 provides a strategic framework but predates the AI-driven threat landscape. The Supreme Court’s landmark judgment in Justice K.S. Puttaswamy (2017) affirmed privacy as a fundamental right, influencing data protection and AI surveillance norms.
- IT Act 2000 Sections 43A, 66, 72A regulate data protection and hacking
- Personal Data Protection Bill 2019 pending; lacks AI-specific clauses
- Article 253 enables international treaty-based cybersecurity laws
- National Cyber Security Policy 2013 outdated for AI-driven threats
- Puttaswamy judgment (2017) impacts AI surveillance and privacy rights
Institutional Architecture for Cybersecurity Governance
India’s cybersecurity ecosystem includes CERT-In for incident response, NCIIPC for critical infrastructure protection, and MeitY for policy formulation. Industry body NASSCOM promotes cybersecurity innovation, while international cooperation involves Interpol Cybercrime Directorate and the UN Group of Governmental Experts (GGE). However, coordination gaps and limited AI-specific mandates constrain effective governance. The UN GGE 2023 report highlights the absence of binding international legal frameworks governing AI weaponization in cyberspace, complicating cross-border threat mitigation.
- CERT-In leads national incident response and coordination
- NCIIPC focuses on critical infrastructure cybersecurity
- MeitY formulates IT and cybersecurity policies
- NASSCOM drives industry innovation and adoption of AI defenses
- Interpol and UN GGE facilitate international cooperation but lack binding AI norms
Economic Stakes and Cybersecurity Market Dynamics
India’s cybersecurity market is projected to grow at a CAGR of 15.6%, reaching USD 35 billion by 2025 (NASSCOM 2023). The government allocated INR 1,500 crore under the Digital India initiative for cybersecurity infrastructure in FY 2023-24 (Union Budget 2023). Globally, the AI cybersecurity market is estimated at USD 30 billion in 2023, expected to double by 2027 (MarketsandMarkets 2023). The economic cost of cybercrime is projected to reach USD 10.5 trillion annually by 2025 (Cybersecurity Ventures 2023). Indian banking and telecom sectors saw cyberattack losses increase by 35% and 28% respectively in 2022 (RBI and TRAI reports 2023), reflecting the urgent need for robust AI-integrated defenses.
- India’s cybersecurity market to reach USD 35 billion by 2025
- Government budgetary support of INR 1,500 crore for cybersecurity
- Global AI cybersecurity market doubling by 2027
- Cybercrime costs projected at USD 10.5 trillion annually by 2025
- Sectoral losses rising sharply in banking and telecom
Comparative Analysis: India vs European Union Cybersecurity Governance
| Aspect | European Union | India |
|---|---|---|
| Legal Framework | EU Cybersecurity Act (2019) establishes AI system certification for cybersecurity | Fragmented laws; IT Act 2000 and pending PDP Bill lack AI-specific regulation |
| Regulatory Impact | 25% reduction in AI-enabled cyber incidents in critical sectors since 2020 (ENISA 2023) | 35% of critical infrastructure organizations use AI defenses; rising cyber incidents |
| International Cooperation | Active participation in binding EU-wide cybersecurity norms and AI governance | Engagement in UN GGE; no binding international AI cybersecurity treaty |
| Certification and Trust | Mandatory AI cybersecurity certification enhances trust and resilience | Absence of certification framework; trust deficit in AI-driven cybersecurity |
Critical Governance Gaps and Challenges
India lacks a comprehensive legal framework explicitly regulating AI’s dual-use in cybersecurity. Existing laws are fragmented, insufficiently addressing autonomous AI threat actors and cross-border governance. The absence of binding international AI cybersecurity norms leaves critical infrastructure vulnerable to sophisticated AI-driven attacks. Institutional coordination is weak, and AI ethics remain disconnected from cybersecurity law. These gaps impede India’s ability to harness AI defensively while mitigating systemic risks.
- No explicit legal provisions regulating autonomous AI in cybersecurity
- Fragmented laws fail to address agentic AI and cross-border threats
- Lack of binding international AI cybersecurity governance frameworks
- Weak institutional coordination among national agencies
- Disconnection between AI ethics and cybersecurity law frameworks
Way Forward: Integrating AI Ethics, Law, and International Cooperation
- Enact AI-specific cybersecurity legislation incorporating dual-use risk mitigation
- Update the Personal Data Protection Bill to address autonomous AI threat actors
- Establish mandatory AI system certification frameworks modeled on the EU Cybersecurity Act
- Strengthen institutional coordination between CERT-In, NCIIPC, MeitY, and industry bodies
- Leverage Article 253 to ratify binding international treaties on AI weaponization in cyberspace
- Integrate AI ethics principles into cybersecurity law to balance innovation and risk
- Agentic AI operates with minimal human intervention and can autonomously execute multi-stage cyberattacks.
- Traditional cybersecurity laws like IT Act 2000 fully cover the regulation of agentic AI systems.
- Agentic AI increases the speed and complexity of cyberattacks compared to traditional automated tools.
Which of the above statements is/are correct?
- The Information Technology Act, 2000 includes provisions for compensation for failure to protect data.
- The Personal Data Protection Bill, 2019, currently includes explicit regulations for autonomous AI threat actors.
- Article 253 of the Indian Constitution enables Parliament to legislate for international cybersecurity treaties.
Which of the above statements is/are correct?
Jharkhand & JPSC Relevance
- JPSC Paper: Paper 2 (Governance and Technology), Paper 3 (Science & Technology)
- Jharkhand Angle: Increasing digitization in Jharkhand’s mining and power sectors requires robust AI-driven cybersecurity to protect critical infrastructure.
- Mains Pointer: Frame answers highlighting state-level cybersecurity challenges, need for AI regulation, and coordination with central policies.
What is the dual-use dilemma of AI in cybersecurity?
The dual-use dilemma refers to AI’s capability to both strengthen cybersecurity defenses and simultaneously enable sophisticated cyberattacks, as exemplified by Anthropic’s Mythos model which can autonomously discover and exploit vulnerabilities.
Which sections of the IT Act, 2000 are relevant to cybersecurity offenses?
Sections 43A (compensation for failure to protect data), 66 (hacking), and 72A (breach of confidentiality) are key provisions addressing cybersecurity offenses under the IT Act, 2000.
How does Article 253 of the Indian Constitution relate to cybersecurity?
Article 253 empowers Parliament to enact laws to implement international treaties and agreements, enabling India to legislate on cybersecurity issues arising from global cooperation.
What economic impact does cybercrime have on India?
India’s banking sector losses due to cyberattacks rose by 35% in 2022, and the telecom sector saw a 28% increase in cyber incidents, reflecting significant economic risks in critical sectors.
How does the EU Cybersecurity Act differ from India’s regulatory approach?
The EU Cybersecurity Act (2019) mandates AI system certification enhancing trust and resilience, resulting in a 25% reduction in AI-enabled cyber incidents, whereas India lacks a dedicated AI certification framework.