BACK TO IT ACT
IT Act 2000AMENDED 2008

Section 66F

Punishment for Cyber Terrorism

THE STATUTE

Original Text

Whoever, — (A) with intent to threaten the unity, integrity, sovereignty or security of India or to strike terror in the people or any section of the people by — (i) denying or cause the denial of access to any person authorised to access computer resource; (ii) attempting to penetrate or access a computer resource without authorisation or exceeding authorised access; (iii) introducing or causing to introduce any computer contaminant, and by means of such conduct causes or is likely to cause death or injuries to persons or damage or destruction of property or disrupts or knowing that it is likely to cause damage or disruption of supplies or services essential to the life of the community or adversely affect the critical information infrastructure specified under section 70, or (B) knowingly or intentionally penetrates or accesses a computer resource without authorisation or exceeding authorised access, and by means of such conduct obtains access to information, data or computer database that is restricted for reasons of the security of the State or foreign relations; or any restricted information, data or computer database, with reasons to believe that such information, data or computer database so obtained may be used to cause or likely to cause injury to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence, or to the advantage of any foreign nation, group of individuals or otherwise, commits the offence of cyber terrorism.

Simplified

Section 66F is the most severe criminal provision in the IT Act, carrying life imprisonment — comparable to murder and terrorism provisions in BNS and UAPA. It creates the offence of 'cyber terrorism' in two distinct forms: (A) attacks on critical infrastructure intended to threaten national security or cause public panic, and (B) unauthorised access to state secrets or foreign relations data. The first limb (A) captures scenarios like state-sponsored attacks on power grids, hospital networks, or financial systems — the kind of attack that could cause mass casualties or social breakdown. The second limb (B) captures espionage — breaking into defence databases, diplomatic communications, or classified government systems. 'Critical Information Infrastructure' is defined and notified under Section 70 and includes power generation systems, banking and financial sector networks, transport infrastructure, and emergency services. CERT-In (the national Computer Emergency Response Team under Section 70B) plays a key role in identifying attacks on these systems. The provision operates alongside UAPA (Unlawful Activities Prevention Act) for terrorist organisations that use cyber means.

Common Queries

Section 66F prescribes imprisonment for life — the most severe punishment in the IT Act. There is no fine provision; the court may impose life imprisonment.
Section 66F covers acts with intent to threaten national unity, sovereignty, or security: unauthorised access to restricted government or protected systems, introducing malware with intent to cause mass disruption, and accessing restricted information with intent to cause terror.
Yes. Section 66F is the IT Act's cyber-specific terrorism provision. The Unlawful Activities (Prevention) Act (UAPA) covers terrorism more broadly and may apply simultaneously. In serious cyber terrorism cases, charges are typically filed under both Acts.

Legal Evolution

Section 66F was inserted by the 2008 Amendment in the immediate aftermath of the 26/11 Mumbai attacks, which exposed how extensively terror networks used digital communications. Parliament recognised that attacks via cyberspace on critical infrastructure could cause casualties comparable to physical attacks. The provision mirrors the Council of Europe Convention on Cybercrime (Budapest Convention) Article 5 (system interference) and the US Computer Fraud and Abuse Act's critical infrastructure provisions.

Key Amendments

Inserted by IT (Amendment) Act 2008 — no provision for cyber terrorism in original Act.

Highest punishment in the IT Act — life imprisonment, exceeding even Section 67B (child pornography) which is 5-7 years.

Closely linked to Section 70 (Protected Systems) and Section 70B (CERT-In mandate).

Landmark Precedents

In re: Power Grid Cyberattack (2022)

Ongoing investigation, Maharashtra
RELEVANCE

CERT-In and Maharashtra Cyber Cell investigated suspected state-sponsored attacks on Mumbai's power grid; Section 66F cited as the applicable provision for prosecution.