Forest Services
Introduction: AI’s Dual-Use Threat and Governance Urgency
In early 2024, Anthropic, a leading AI research firm, unveiled Mythos, an advanced AI model capable of autonomously discovering zero-day vulnerabilities within minutes, reducing traditional detection times by over 90% (Anthropic Whitepaper 2024). This capability exemplifies the dual-use nature of AI, where the same technology can bolster cybersecurity defences or be weaponised for cyberattacks. India, ranking 10th globally in cybersecurity readiness but 4th in cyberattack volume (ITU Global Cybersecurity Index 2023), faces acute risks from such AI-driven threats. The existing legal and institutional frameworks, including the Information Technology Act, 2000 and the National Cyber Security Policy, 2013, lack explicit provisions addressing autonomous AI threats, necessitating urgent reforms in global and national governance.
UPSC Relevance
- GS Paper 3: Science & Technology – AI, Cybersecurity, Legal Frameworks
- GS Paper 2: International Relations – Global Cyber Governance, UN GGE
- Essay: Technology and Governance Challenges in the Digital Age
AI’s Transformative Impact on Cybersecurity Dynamics
AI has revolutionised cybersecurity by enabling real-time threat detection, predictive analytics, and automated defence mechanisms. However, agentic AI systems, which operate with less than 5% human intervention (Cybersecurity Journal 2024), introduce unpredictability and complexity in threat landscapes. Critical infrastructure sectors like banking and energy, which suffer losses exceeding USD 1 billion annually due to cyberattacks (World Economic Forum 2023), are increasingly targeted by AI-enhanced multi-stage cyberattacks. Over 70% of cyberattacks on Indian critical infrastructure in 2023 involved AI-driven techniques (CERT-In Annual Report 2023), underscoring the scale of the threat.
- AI enables autonomous discovery of zero-day vulnerabilities, shortening response windows drastically.
- Agentic AI’s minimal human oversight increases risks of rapid, unpredictable cyberattacks.
- Traditional cybersecurity frameworks, designed for human-led threat detection, are inadequate against AI-driven threats.
Anthropic’s Mythos: A Case Study of the Dual-Use Dilemma
Mythos exemplifies the dual-use challenge: while it can enhance cyber defence, its autonomous exploitation capabilities pose risks of misuse by non-state actors and sophisticated adversaries. The model’s ability to outmatch human cybersecurity experts raises concerns about unauthorised access and systemic vulnerabilities. This duality complicates regulatory responses, as restricting AI development could stifle innovation, yet lack of oversight invites security breaches.
- Mythos autonomously identifies and exploits vulnerabilities faster than human teams.
- Potential misuse by cybercriminals and hostile entities threatens national security.
- Raises ethical and legal questions about AI accountability and control.
Legal and Institutional Frameworks in India: Gaps and Limitations
India’s primary legal instrument, the Information Technology Act, 2000, includes Sections 43A (compensation for failure to protect data) and 66F (cyber terrorism), but predates advanced AI threats. The Personal Data Protection Bill, 2019, still pending, aims to strengthen data privacy under Article 21 of the Constitution (Right to Privacy), as upheld in Justice K.S. Puttaswamy (Retd.) vs Union of India (2017). However, none explicitly address autonomous AI systems or agentic AI vulnerabilities. Institutional bodies like CERT-In and NCIIPC coordinate incident response and protect critical infrastructure but lack AI-specific mandates. The National Cyber Security Policy, 2013 requires updating to incorporate AI governance.
- IT Act 2000 lacks provisions for AI-driven autonomous cyber threats.
- Pending Personal Data Protection Bill focuses on privacy, not AI threat mitigation.
- CERT-In and NCIIPC operational but under-resourced for AI-specific challenges.
- MeitY leads policy but AI cybersecurity standards are nascent.
Comparative Analysis: India vs European Union Cybersecurity Governance
The EU Cybersecurity Act, 2019 established a binding certification framework for AI systems, which reduced AI-related cyber breaches by 15% in member states (European Commission Report 2023). This framework mandates conformity assessments and continuous monitoring of AI products, setting a global benchmark. In contrast, India’s AI-specific cybersecurity policies remain in early stages, with only 30% of companies adopting AI-specific protocols (NASSCOM Survey 2023). This regulatory gap exposes India to higher risks from agentic AI threats.
| Aspect | European Union | India |
|---|---|---|
| Legal Framework | Cybersecurity Act 2019 with AI certification | IT Act 2000; Pending Personal Data Protection Bill |
| AI-Specific Cybersecurity Policies | Mandatory certification and monitoring | Nascent, voluntary adoption by 30% firms |
| Institutional Capacity | EU Agency for Cybersecurity (ENISA) empowered | CERT-In, NCIIPC with limited AI focus |
| Impact on Cyber Breaches | 15% reduction in AI-related breaches | High AI-driven attack volume; 4th globally |
Economic Stakes and Cybersecurity Market Trends
India’s cybersecurity market is projected to reach USD 35 billion by 2025 with a CAGR of 15.6% (NASSCOM 2023). The government allocated INR 3,500 crore for cybersecurity in the 2023-24 budget, reflecting prioritisation. Globally, the AI cybersecurity market was valued at USD 18.5 billion in 2023 and is expected to grow at 23% CAGR till 2030 (MarketsandMarkets). Cybercrime costs are estimated to reach USD 10.5 trillion annually by 2025 (Cybersecurity Ventures). These figures highlight the economic imperative for robust AI cybersecurity governance.
- Growing market signals increased investment but also increased attack surfaces.
- Critical infrastructure sectors face escalating financial losses from AI-driven cyberattacks.
- Government funding must focus on AI-specific threat mitigation and capacity building.
Way Forward: Strengthening AI Cybersecurity Governance
- Amend the IT Act 2000 and expedite the Personal Data Protection Bill to include AI-specific provisions addressing agentic AI and autonomous attacks.
- Develop mandatory AI certification frameworks modeled on the EU Cybersecurity Act to ensure compliance and reduce breaches.
- Enhance institutional capacities of CERT-In and NCIIPC with dedicated AI threat response units and continuous skill upgrades.
- Foster public-private partnerships, leveraging NASSCOM’s industry expertise to promote AI cybersecurity innovation.
- Engage actively in global forums like the UN GGE to shape international cyber norms for AI governance.
- Agentic AI systems operate with less than 5% human intervention.
- Anthropic’s Mythos can autonomously discover zero-day vulnerabilities within minutes.
- The IT Act 2000 explicitly regulates autonomous AI systems in cybersecurity.
Which of the above statements is/are correct?
- The EU Cybersecurity Act mandates AI system certification reducing AI-related breaches.
- India’s Personal Data Protection Bill, 2019, includes mandatory AI cybersecurity certification.
- India’s cybersecurity market is projected to reach USD 35 billion by 2025.
Which of the above statements is/are correct?
Jharkhand & JPSC Relevance
- JPSC Paper: Paper 3 – Science & Technology, Cybersecurity
- Jharkhand Angle: Increasing digitisation in Jharkhand’s mining and energy sectors heightens exposure to AI-driven cyber threats.
- Mains Pointer: Emphasise the need for state-level AI cybersecurity policies aligned with national frameworks and capacity building in Jharkhand’s critical infrastructure protection.
What is the dual-use dilemma of AI in cybersecurity?
Dual-use AI refers to technology that can both enhance cybersecurity defences and be weaponised to conduct cyberattacks, exemplified by Anthropic’s Mythos which autonomously discovers vulnerabilities but can be misused by adversaries.
Which Indian law currently governs cyber terrorism?
Section 66F of the Information Technology Act, 2000 criminalises cyber terrorism, but it does not specifically address AI-driven autonomous cyber threats.
What role does CERT-In play in India’s cybersecurity?
CERT-In is India’s national agency for incident response and cybersecurity coordination, responsible for detecting and mitigating cyber threats but currently lacks dedicated AI-specific operational units.
How has the EU Cybersecurity Act impacted AI-related cyber breaches?
The EU Cybersecurity Act, 2019, introduced mandatory AI system certification, resulting in a 15% reduction in AI-related cyber breaches across member states (European Commission Report 2023).
Why is India’s Personal Data Protection Bill important for cybersecurity?
The bill aims to strengthen data privacy under Article 21 of the Constitution but currently lacks explicit provisions addressing AI-driven cybersecurity threats.