Current Affairs Topics Archive
International Relations Economics Polity & Governance Environment & Ecology Science & Technology Internal Security Geography Social Issues Art & Culture Modern History

Cyber fraud on the rise but nodal agency CERT-In grappling with acute staff crunch—House panel report

March 16, 2026 4 min read Internal Security Science & Technology Polity & Governance GS3
On This Page

What Happened

  • A parliamentary standing committee report on MeitY's functioning found that CERT-In (Indian Computer Emergency Response Team) — India's nodal agency for cybersecurity incident response — has 192 scientific and technical posts and 22 non-technical posts sanctioned, but recruitment has not been completed for these positions.
  • The ministry assured the committee that recruitment would be completed but provided no specific timeline.
  • The committee flagged this as a critical governance failure given the sharp rise in cyber fraud incidents across India, placing institutional capacity-building at the heart of its recommendations.
  • The report connects staff shortages to broader digital infrastructure gaps and calls for increased funding for cybersecurity, data protection, and CERT-In's operational build-up.

Static Topic Bridges

CERT-In — Statutory Mandate Under Section 70B, IT Act 2000

CERT-In (Indian Computer Emergency Response Team) was established as a statutory body under Section 70B of the Information Technology Act, 2000. It serves as the national nodal agency for cybersecurity incident response.

  • Statutory basis: Section 70B, IT Act 2000, as amended in 2008.
  • Parent ministry: Ministry of Electronics and Information Technology (MeitY).
  • Core functions: Collection, analysis and dissemination of information on cyber incidents; forecasting and issuing cyber security alerts; coordinating incident response; issuing guidelines, advisories, and vulnerability notes; emergency measures for handling cyber incidents.
  • The April 2022 CERT-In Directions (under Section 70B(6)) introduced landmark mandatory obligations:
  • Reporting of cybersecurity incidents to CERT-In within 6 hours.
  • Mandatory maintenance of ICT system logs for 180 days.
  • VPN, cloud, and data centre service providers must retain subscriber logs for 5 years.
  • Synchronisation of all ICT system clocks with NTP servers.

Connection to this news: CERT-In's 2022 Directions significantly expanded its regulatory role — requiring rapid, 6-hour incident reporting — yet the agency lacks the staffed capacity to process and respond to these reports effectively.

India's Cybersecurity Architecture — Institutional Framework

India's cybersecurity governance involves multiple overlapping bodies, each with distinct mandates. Understanding the framework is important for Mains questions on India's internal security preparedness.

  • CERT-In (MeitY): Cybersecurity incident response for the general digital ecosystem; issues guidelines; mandatory reporting.
  • NCIIPC (National Critical Information Infrastructure Protection Centre): Under National Technical Research Organisation (NTRO); protects Critical Information Infrastructure (power, banking, telecom, transport, etc.) under Section 70A, IT Act.
  • DSCI (Data Security Council of India): NASSCOM body; promotes data protection best practices (non-governmental).
  • Cyber Surakshit Bharat Initiative: Awareness and capacity building.
  • National Cyber Security Policy 2013: India's overarching policy document (new policy is being developed).
  • PM-led National Security Council (NSC) oversees strategic cyber threats; NSA coordinates inter-agency responses.

Connection to this news: The CERT-In staff crunch represents a structural weakness in the civilian tier of India's cybersecurity architecture — the body that handles incident reporting from private sector, government, and public utilities is under-staffed even as cyber incidents rise.

Cyber Fraud in India — Scale and Trend

The parliamentary panel's concern about CERT-In's capacity is backed by a documented rise in cybercrime and financial fraud.

  • India received over 15.92 lakh cyber fraud complaints on the National Cybercrime Reporting Portal (NCRP) in 2023 alone, according to the Annual Report on Cyber Crime (2023).
  • Financial losses from cyber fraud run into thousands of crores annually.
  • Common vectors: Online financial fraud, SIM swap, OTP theft, investment scam apps, digital arrest scams.
  • The Indian Cyber Crime Coordination Centre (I4C) under MHA coordinates law enforcement response to cybercrime — distinct from CERT-In's technical incident response role.
  • India has faced high-profile cyber attacks on critical infrastructure including AIIMS Delhi (2022) ransomware attack and multiple state power grid intrusions.

Connection to this news: As cyber fraud volumes grow, the inability to fill sanctioned posts at CERT-In directly translates to slower threat intelligence, delayed advisories, and reduced institutional capacity to protect India's expanding digital economy.

Key Facts & Data

  • CERT-In sanctioned posts: 192 scientific and technical + 22 non-technical.
  • Recruitment status: Incomplete as of 2026; no timeline given by Ministry.
  • Statutory basis: Section 70B, IT Act 2000.
  • April 2022 CERT-In Directions: 6-hour incident reporting mandate; 180-day log retention; 5-year VPN subscriber data retention.
  • India's cybercrime complaints (NCRP 2023): 15.92 lakh complaints.
  • I4C (Indian Cyber Crime Coordination Centre): Under MHA; law enforcement coordination.
  • NCIIPC: Protects Critical Information Infrastructure under Section 70A, IT Act.
  • Budget 2026-27: Cybersecurity budgetary allocation remains a concern flagged by the parliamentary panel.