DETERMINING ACCOUNTABILITY FOR AI-GENERATED CYBER ATTACKS:

INTRODUCTION:

The rapid evolution of artificial intelligence (AI) has transformed cyberspace, enabling both defensive cybersecurity innovations and sophisticated cyberattacks. In India, AI-generated cyberattacks such as automated phishing, deep fake fraud, and intelligent malware pose significant challenges to traditional legal frameworks that are primarily designed around human intent and direct participation. Determining accountability for such attacks is therefore a complex and emerging issue in Indian jurisprudence.

At present, India does not have a dedicated legal framework specifically governing AI. Instead, accountability is derived from a combination of existing laws such as the Information Technology Act, 2000, the Digital Personal Data Protection Act, 2023, and general principles of criminal and tort law . These laws address cyber offences like identity theft, fraud, and data breaches, but they do not explicitly define liability in cases where AI systems act autonomously. This creates a significant regulatory gap, particularly when harmful outcomes result from machine learning systems operating with minimal human intervention.

A key issue lies in identifying the responsible party—whether it is the developer who designed the AI, the user who deployed it, or the intermediary that facilitated its operation. Indian legal principles traditionally require human agency for assigning liability, making it difficult to attribute responsibility directly to AI systems. Consequently, scholars and policymakers increasingly advocate for a “shared liability” or “accountability by design” approach, where responsibility is distributed among multiple stakeholders involved in the AI lifecycle.

In this context, determining accountability for AI-generated cyberattacks in India remains a developing area, requiring legal reform, clearer regulatory standards, and adaptive frameworks to address the unique challenges posed by autonomous technologies.

This study examines the legal framework in India, identifies gaps in attributing liability for AI-generated cyberattacks, analyses the roles of developers, users, and intermediaries, and proposes reforms to establish clear accountability mechanisms.

LEGAL FRAMEWORK:

The legal framework for determining accountability for AI-generated cyberattacks in India is primarily derived from existing cyber, criminal, and data protection laws, as the country does not yet have a dedicated statute specifically regulating artificial intelligence. The cornerstone of cyber law in India is the Information Technology Act, 2000 (IT Act), which governs offences such as hacking, identity theft, data breaches, and cyber fraud.

Provisions like Section 43 and Section 66 impose civil and criminal liability for unauthorized access, damage to computer systems, and related cyber offences. In the context of AI-generated attacks, these provisions can be applied to the individuals or entities who deploy or misuse AI systems, even if the attack is carried out autonomously by the technology.

Another important component is the Digital Personal Data Protection Act, 2023, which regulates the processing of personal data and imposes obligations on data fiduciaries to ensure data security. If an AI system is used to conduct cyberattacks involving personal data breaches or misuse, liability may arise for failure to implement reasonable safeguards. This law indirectly contributes to accountability by emphasizing data protection and organizational responsibility, even though it does not specifically address AI-driven offences.

The Bharatiya Nyaya Sanhita, 2023 (BNS), which replaces the Indian Penal Code, also plays a role in addressing cyber-enabled crimes such as cheating, fraud, and impersonation. AI-generated cyberattacks like deep fake scams or automated phishing can fall under these provisions, allowing courts to hold the human actors behind the deployment of such systems criminally liable. However, these laws are rooted in the principle of men’s rea (guilty mind), making it difficult to directly attribute liability when AI systems act with a degree of autonomy.

Intermediary liability is another key aspect governed by the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. These rules impose due diligence obligations on platforms such as social media companies and service providers. If AI-generated cyberattacks are facilitated through such platforms, intermediaries may be held liable if they fail to exercise due diligence or comply with takedown requirements. However, they may also claim safe harbour protection under Section 79 of the IT Act if they act promptly upon receiving notice.

A significant challenge in this framework is the absence of explicit provisions addressing AI-specific liability. Indian law does not recognize AI as a legal person, meaning liability cannot be assigned directly to the system. Instead, courts must identify responsible human actors, such as developers, deployers, or operators. This often leads to reliance on principles of negligence, vicarious liability, and product liability to determine accountability. For instance, developers could be held liable if an AI system is negligently designed, while users may be responsible for intentional misuse.

CASE LAW:

The landmark case of Shreya Singhal v. Union of India, though primarily focused on free speech and the constitutionality of Section 66A of the IT Act, clarified the scope of intermediary liability. The Supreme Court held that intermediaries are only liable when they fail to act upon receiving actual knowledge of unlawful content. This principle is significant in AI contexts, as it limits automatic liability but imposes responsibility once harm is identified.

Indian courts have also relied on broader principles of liability from landmark cases such as M. C. Mehta v. Union of India. Although this case relates to environmental law, it established the doctrine of absolute liability, holding enterprises strictly liable for harm caused by hazardous activities, regardless of fault. This doctrine is increasingly cited in academic discussions on AI accountability, suggesting that entities deploying high-risk AI systems (including those capable of cyberattacks) could be held strictly liable for resulting damage.

Another relevant area of case law arises from cyber fraud and negligence cases under the IT Act. For instance, in a recent adjudicatory decision involving a SIM-swap cyber fraud, authorities held both a bank and a telecom company liable for failing to implement adequate security measures. The decision imposed compensation and penalties, emphasizing that organizations handling digital systems must exercise reasonable care to prevent cyber harm. This reasoning is highly relevant to AI-based cyberattacks, as it supports the idea that liability can arise from negligence in deploying or maintaining digital technologies, even if the attack itself is automated.

Overall, Indian case law demonstrates three key approaches to determining accountability relevant to AI-generated cyberattacks:

1.Due diligence and intermediary responsibility (failure to remove harmful AI-generated content),

2.Negligence-based liability (failure to secure systems against cyber misuse), and

3.Strict or absolute liability principles (for inherently dangerous technologies).

However, because these cases were not decided in the context of AI, courts currently rely on analogical reasoning rather than explicit AI jurisprudence. This results in uncertainty regarding whether liability lies with developers, users, or platforms. Therefore, while existing case law provides a foundational framework, there remains a clear need for AI-specific judicial interpretation or legislation to address the unique challenges of autonomous cyberattacks in India.

CRITICAL ANALYSIS:

A critical analysis of determining accountability for AI-generated cyberattacks in India reveals significant doctrinal and practical gaps in the current legal framework. Existing laws such as the Information Technology Act, 2000 and the Bharatiya Nyaya Sanhita, 2023 are primarily designed around human intent and direct action, making them ill-suited to address autonomous or semi-autonomous AI systems. The requirement of men’s rea (guilty mind) becomes problematic when harmful outcomes are produced by machine learning models that evolve beyond their initial programming.

One major argument is that assigning sole liability to users or operators is inadequate, as it ignores the role of developers who design potentially risky AI systems. Conversely, imposing blanket liability on developers may stifle innovation and technological growth. This creates a tension between innovation and regulation, which Indian law has yet to balance effectively.

Another critical issue is the ambiguity surrounding intermediary liability. While the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 provide safe harbour protections, they may allow platforms to evade responsibility unless “actual knowledge” of harm is proven. In AI-driven attacks, where content can be generated and spread rapidly, this standard may be insufficient to ensure timely accountability.

Scholars argue for a shared liability model, distributing responsibility among developers, deployers, and intermediaries based on their level of control and foreseeability of harm. Others advocate for strict liability in high-risk AI systems, drawing parallels with hazardous activities. Ultimately, the absence of AI-specific legislation in India leads to inconsistent interpretations, highlighting the urgent need for a clear, adaptive, and technology-sensitive legal framework.

CONCLUSION:

Determining accountability for AI-generated cyberattacks in India remains complex due to gaps in laws like the Information Technology Act, 2000. A balanced approach involving shared liability, clearer regulations, and AI-specific legal reforms is essential to ensure effective enforcement, innovation, and protection against evolving cyber threats.