The Cybersecurity Budget Brief provides a detailed overview of trends in cybersecurity budgeting, from publicly available data in the Union Budget, from financial year 2012-13 to 2022-23. As a guide to cybersecurity budgeting for parliamentarians and policy researchers, this brief covers basic concepts on cybersecurity and presents findings from an analysis of budget data to inform debates in the upcoming 2023 Budget Session of Parliament, as well as serve as a foundation for future analysis. With the increasing relevance of cybersecurity in both domestic and international contexts, this brief reflects on past trends to enable informed discussions for future fiscal and policy decisions on cybersecurity in India.
Part I introduces the components of cybersecurity and its relevance in today’s digital landscape. Our increasing dependence on Information and Communications Technologies (ICT’s) for economic activities and governance runs parallel to increasingly sophisticated cyberattacks and evolving threats that call for renewed emphasis on cybersecurity practices. As such, all relevant government ministries and departments that are currently driving cybersecurity policies and programmes in India are presented to advance a whole-of-government approach to cybersecurity.
Part II delves into the importance of budgeting for, and tracking the allocated and actual expenditures undertaken by the central government for cybersecurity. It also provides an introduction to the research methodology and analytical framework developed by the Centre for Communication Governance (CCG) to analyse budgeting and expenditure on cybersecurity. An overview of the trends in cybersecurity budgeting over the last ten financial years (FY 2012-13 to FY 2022-23) is also presented.
In Part III, we present trends in budgeted, revised and actual expenditures towards departments and schemes relevant for cybersecurity and identify discrete budget heads that are significant in this regard under the Ministry of Electronics and Information Technology (MeitY), Ministry of Home Affairs (MHA), Department of Telecommunication (DoT) and other relevant departments. A total of 47 budget heads have been examined in this analysis. Under the three ministries examined in this brief, four additional budget heads were introduced in the Union Budget 2022, and although relevant to cybersecurity generally, have not been included in this iteration of the report in order to maintain consistency in the budget heads being tracked. These are, namely, allocations under the Production Linked Incentive schemes under MeitY andDoT, the Digital Intelligence Unit under DoT, and Modernisation of Forensic Capabilities under MHA.
Part IV presents findings from analysis of a framework developed by CCG to track budgeting for cybersecurity. Budget heads under those government ministries that are relevant for cybersecurity are classified under six activities: (1) Cyber Incident Preparedness and Response (2) Technical Research and Capacity Development (3) Human Resource Development (4) International Cooperation and Investment Promotion (5) Standardisation, Testing and Quality Certification and (6) Digital Identity. Each of these activities form pillars of development for the country’s cybersecurity resilience and this framework provides a systematic approach to assess the quantum of financial resources directed towards them over the last decade.
In conclusion, Part V presents the following key findings from our analysis:
• First, there have been overall positively increasing allocations towards cybersecurity in the Union Budget over the last decade. Since FY 2012-13 there has been a Compound Annual Growth Rate (CAGR) of 8.1% in the budgeted expenditure for cybersecurity over eleven years, from ₹6,612 crores in FY 2012-13 to ₹15,575 crores in FY 2022-23. Yet, variations in the exact quantum of resources being directed towards cybersecurity exist due to the lack of a standardised framework and identified metrics that enable tracking of the cybersecurity budget.
• Second, approximately 0.1% of the total government budget has been dedicated to budgeted expenditures for cybersecurity annually since FY 2012-13. We observe fluctuating trendlines in budgeted expenditures (BE) across ministries through the years.. Nevertheless, we observe that the underutilisation of the cumulative cybersecurity budget in the earlier years diminishes and in FY 2018-19, actual spending exceeds the allocated budget. Consistent positive increases in budgeted allocations for cybersecurity post FY 2017-18 are also evident.
There is an 8% decrease in FY 2019-20 and a 7% increase in FY 2020-21 in total actual expenditures for cybersecurity.
• Third, despite inconsistencies and underutilisation of allocations, the introduction of specialised programs such as the Digital India scheme under MeitY and Cyber Crime Prevention against Women and Children under MHA spur allocations towards cybersecurity. Budget heads under each ministry that have received consistent and/ or increasing allocations make it possible to identify key priorities for cybersecurity budgeting.
• Fourth, ‘Technical Research and Capacity Development’ and ‘Cyber Incident Preparedness and Response’ have received most importance via consistent and/or increasing allocations across ministries. Relatively, ‘Human Resource Development’ has been a low priority area and renewed attention can increase skilled technical capacity that is currently lacking.
• Finally, we note that gaps in the publicly available data, that tracks utilisation of allocations, limits and skews analysis for cybersecurity budgeting. Incomplete datasets further blur the lines between cases of underutilisation of funds, challenges of financial data management and presentation of data in the Union Budget.
The Cybersecurity Budget Brief presents trends in cybersecurity expenditures over the last decade and highlights various aspects about the landscape of cybersecurity for parliamentarians to consider and debate. It also offers avenues for further research and analysis on cybersecurity, towards the growth and development of a secure and resilient cyber ecosystem in India.
Limitations of Analysis in the Cybersecurity Budget Brief
1. Expenditure figures in this brief are estimations of the total cybersecurity budget that are indicative of the entire pool of resources available for cybersecurity. These figures must be viewed as the pool of financial resources available to the government to strengthen the state of cyber security and various aspects of internet governance related thereto at the national level, including the security of e-governance initiatives to facilitate the online delivery of public services to citizens, and not actual direct spending on cybersecurity. This is due to the fact that entire budgeted allocations for all the programmes and schemes in our analysis are not utilised exclusively for cybersecurity and its related activities. The current format of the Demand for Grants does not allow for inference of the precise share of budgeted allocations that are actually used for activities directly related to cybersecurity. All budget heads included in our analysis therefore fall on a spectrum of high significance to low significance with respect to percentage share of their budgeted allocations being utilised for cybersecurity. For certain budget heads, it is likely that a greater share of the allocation is directed towards cybersecurity related activities. For example, it is likely that for ‘Cybersecurity projects’ under the Digital India scheme and CERT-In, both under MeitY, the entire allocation is directly relevant for cybersecurity. On the other hand, for budget heads such as the Prime Minister’s Office under MHA, only a specific percentage of the total allocated budget is likely to be directed towards cybersecurity activities. However, there exist no relevant mechanisms to establish what percentage of these allocations can be taken as relevant for cybersecurity activities, and thus the entire allocation has been included for such budget heads in our analysis.
2. This analysis does not include certain ministries, schemes and programmes that are of relevance to cybersecurity. There are budget heads under the Ministry of Defense, Ministry of External Affairs, Department of Telecommunication and Ministry of Home Affairs that can possibly be utilised for cybersecurity-related activities. However, their expenditure values are at best an estimate of the total funds available which may be utilised for cybersecurity-related functions. It is not possible to infer from the current format of the Demand for Grants the precise share of these allocations that are actually used for activities directly related to cybersecurity. While it is important to highlight these areas of potential for cybersecurity – as supporting allocations – including them in our analysis would inflate allocations for cybersecurity and skew findings.
3. Incomplete expenditure data under certain ministries' Demand for Grants limits the scope and applicability of the analysis in this brief. There are instances of unavailable expenditure data for budget heads under MeitY and DoT over the last decade. In some cases, budget heads have allocated expenditures but budget data on revised and actual expenditures remains unavailable without articulations of the reasons for such gaps. Incomplete budget datasets limit the veracity of analysis due to the ambiguity between cases of underutilisation of funds and bottlenecks in presentation of data in the Union Budget.
4. Four new budget heads that were introduced in the Union Budget 2022 have not been included in our analysis. These have been identified under their relevant ministries and include, (1) Production Linked Incentive (PLI) for Large Scale Electronics and IT Hardware under Ministry of Electronics and Information Technology (2) Digital Intelligence Unit Project under Department of Telecommunications (3) Production Linked Incentive (PLI) Scheme to Promote Telecom and Networking Products under Department of Telecommunications and (4) Modernisation of Forensic Capacities under Ministry of Home Affairs. These budget heads have not been included in our analysis of trends in Part III and Part IV in order to maintain consistency in budget heads tracked over the last decade. However, any future analysis of India’s cybersecurity budget should include these budget heads as well, subject to continued allocations towards the same.
To read the Cybersecurity Budget Brief, click here.