Assessing India’s Cyber Security Infrastructure

According to recent reports (New York Times and Recorded Future), Chinese state-sponsored actors may have used malware to target India’s power grid system and seaports. The reports claimed that “Red Echo”, a group sponsored by the Chinese state, was behind the 12 October 2020 grid failure in Mumbai. 

• Cyberspace and physical space are increasingly becoming intertwined due to increased software control.
• The major security threat lies to the critical infrastructure of the nation wherein the attackers can gain control of vital systems such as nuclear power plants, financial, transportation or health systems that can lead to dire consequences.
• With the definitive Make in India initiatives announced by the Indian government and estimates reporting that over 5 billion devices would connect to the internet in the coming months and years, India needs to lay down solid cybersecurity plans and policies.
• The increasing cyber-attacks in the year 2020 have made organizations rethink their security measures, especially in terms of enterprise data security.
• As organizations expand work-from-home and remote working solutions for their employees, the number of vulnerable endpoints increases.

In this regard, a more comprehensive and objective assessment of India’s cyber ecosystem is in urgent need. 

The concept of cyber attack

• The concept of a cyber attack or a computer network attack is rooted in this description.
• It can be described as a “deliberate exploitation of computer systems, technology-dependent enterprises and networks.”
• Cyber attacks use “malicious code to alter computer code, logic or data, resulting in disruptive consequences that can compromise data and lead to cybercrimes, such as information and identity theft.”
• Cyberattacks give a country another option — less devastating than a nuclear attack, but capable of giving the country a strategic and psychological edge. China’s recent cyber aggression can be analyzed through this lens.
• Possible reasons for increased cyber attacks from China:
  • One major factor is the border clash between the two countries in June 2020
  • Chinese may be using cyber attacks as a means of deterrence against India
    • Until recent years, China’s focus had been on information theft
    • But Beijing has been increasingly active in placing code into infrastructure systems, knowing that when it is discovered, the fear of an attack can be as powerful a tool as an attack itself.
  • When vaccine companies are targeted, the motive could be competition

There are three major dimensions of cyber threats:

• Cyber Wars: A cyber war is a “No contact” war, where the idea is to attack the critical information (CI)architecture of another state. Israel used STUXNET malware to destroy the Iranian nuclear programme.
• Cyber Crimes: Involves use of cyberspace for criminal activity including identity thefts and financial frauds. Eg. Adhaar card data and other biometric information has been hacked
• Cyber Terrorism: It is the use of cyberspace by a terrorist group for propaganda and recruitment. Eg. fake videos to incite and radicalize the vulnerable target

Thus cyber security becomes important for the internal and well as external security of India.

• National Security Council: The National Security Council, chaired by National Security Adviser (NSA), plays a key role in shaping India’s Cyber Policy Ecosystem.
  • The NSA also chairs the National Information Board, which is the apex body for cross-ministry coordination on cybersecurity policymaking.
• Cyber Security Policy: The National Cyber Security Policy, 2013 was developed to build secure and resilient cyberspace for India’s citizens and businesses.
• IT Act, 2000: Currently, the Information Act, 2000 is the primary law for dealing with cybercrime and digital commerce in the country.
• NTRO: The National Technical Research Organisation (NTRO) is the main agency designed to protect national critical infrastructure and to handle all the cybersecurity incidents in critical sectors of the country.
• NCIIPC: The National Critical Information Infrastructure Protection Centre (NCIIPC) was established under NTRO in 2014 to facilitate the Protection of Critical Infrastructure.
• CERT-In: The Indian Computer Emergency Response Team (CERT-In) is responsible for incident responses including analysis, forecasts and alerts on cybersecurity issues and breaches.
• Indian Cyber Crime Coordination Centre (I4C): The Central Government has rolled out a scheme for the establishment of the Indian Cyber Crime Coordination Centre (I4C) to handle issues related to cybercrime in the country in a comprehensive and coordinated manner.

• Cyber Crime Volunteers: The Indian Cyber Crime Coordination Centre (I4C), under the Ministry of Home Affairs (MHA), recently launched the Cyber Crime Volunteers Program with the aim to allow citizens to register themselves as “Cyber Crime Volunteers’.
  • While the country had earlier used vertical surveillance (usually state observes the citizens), this new initiative is a case of Lateral surveillance (it is the case of social surveillance or peer-to-peer surveillance ).
• Cybercrime reporting portal: The Government has launched the online cybercrime reporting portal, cybercrime.gov.into enable complainants to report complaints pertaining to Child Pornography/Child Sexual Abuse Material, rape/gang rape imageries, or sexually explicit content.
• Cyber Swachhta Kendra: Cyber Swachhta Kendra (Botnet Cleaning and Malware Analysis Centre) has been launched for providing detection of malicious programs and free tools to remove such programs.

• The Institutional Framework has been plagued with concerns around
  • lack of effective coordination
  • overlapping responsibilities
  • lack of clear institutional boundaries and accountability
• Outdated strategies: India’s National Cyber Security Strategy, which has been drafted by the NSC — a much-needed update to the National Cyber Security Policy 2013 — is yet to be released.
• Inappropriate approach to deal with cyber conflict: India is also yet to clearly articulate a doctrine that holistically captures its approach to cyber conflict, either for conducting offensive cyber operations, or the extent and scope of countermeasures against cyber attacks.
• Absence of credible cyber deterrence strategy: The absence of a credible cyber deterrence strategy means that states and non-state actors alike remain incentivized to undertake low-scale cyber operations for a variety of purposes — espionage, cyber crime, and even the disruption of critical information infrastructure.

• Effective strategy and transparency: Clearer strategy and greater transparency are the need of the hour to improve India’s cybersecurity posture.
• Better coordination: Improved coordination is needed between the government and the private sector, as well as within the government itself — and at the national and state levels.
• Focus on creating secure cyber ecosystem: A clear public posture on cyber defence and warfare boosts citizen confidence, helps build trust among allies, and signals intent to potential adversaries, thus enabling a more stable and secure cyber ecosystem.
• Learning from expertise: A key opportunity herein is a precise articulation of how international law applies to cyberspace, which could mold the global governance debate to further India’s strategic interests and capabilities.
  • In particular, this should include positioning on not just non-binding norms but also legal obligations on ‘red lines’ with respect to cyberspace-targets that should be considered illegitimate due to their significance for human life, such as health-care systems, electricity grids, water supply, and financial systems.

As India is moving towards more and more digitalization in all spheres, cyberspace has become a serious concern of National Security. Thus, a comprehensive policy with a skilled workforce is needed to ensure that India’s people and its infrastructure are safe, so the country can move towards development peacefully.