Patching the gaps in India’s cybersecurity
NEWS Recently, there was a sensational report in The New York Times, “China appears to warn India: push too hard and the lights could go out”, based on investigations by a United States-based cybersecurity firm.
CONTEXT The investigations by the firm have raised the possibility that the power outage in Mumbai, on October 13, 2020, could have been the result of an attack by a Chinese state-sponsored group.
Also, Maharashtra’s Cyber Cell report showed that the grid failure was potentially the result of “cyber sabotage”. Meanwhile, the Union Power Ministry has denied the linkage of the grid failure with any cybersecurity incident, and blamed human error for it.
ISSUES- INDIA HAS BEEN A TARGET EARLIER
- India has been attacked by suspected Chinese state-sponsored groups multiple times in the past.
- In 2009, a suspected cyber espionage network dubbed GhostNet was found to be targeting, amongst others, the Tibetan government in exile in India, and many Indian embassies.
- Later researchers found the Shadow Network, a vast cyber espionage operation which extensively targeted Indian entities, including military establishments, news publications, and even the National Security Council Secretariat itself. There was evidence that confidential documents had been accessed by the attackers.
- Subsequently, there were a number of attacks that targeted India, including Stuxnet, which had also taken down nuclear reactors in Iran; Suckfly, which targeted not just government but also private entities; and Dtrack, which first targeted Indian banks and later the Kudankulam nuclear power plant (Tamil Nadu) in 2019.
PERFUNCTORY RESPONSE BY GOVERNMENT
Despite the serious questions being raised by the parliamentarians, neither the report from the Shadow Network investigation, nor any other, has ever been tabled in Parliament, nor even a redacted version made public.
MURKY SITUATION
- While there is much evidence to show that Chinese state-sponsored groups were responsible for many of these attacks, Chinese cybersecurity agencies have also helped the security community in dismantling the infrastructure behind some of these attacks.
- Also, the documents released by WikiLeaks show that groups such as the Central Intelligence Agency’s UMBRAGE project have advanced capabilities for misdirecting attribution to another nation-state (“false flag attacks”) by leaving behind false “fingerprints” for investigators to find.
WAY FORWARD
- There needs to be a robust institutional posture and political acumen in publicly dealing with these issues.
- Apprising lawmakers of the scale and depth of the damage wrought is critical to enabling meaningful public discussions and crafting a robust response.
INDIA’S INSTITUTIONAL SECURITY
- Over the past two decades, India has made a significant effort at crafting institutional machinery.
- It has focussed on cyber resilience spanning several government entities.
- The National Security Council, usually chaired by the National Security Adviser (NSA), plays a key role in shaping India’s cyber policy ecosystem.
- The NSA also chairs the National Information Board, which is meant to be the apex body for cross-ministry coordination on cybersecurity policymaking.
- The National Critical Information Infrastructure Protection Centre established under the National Technical Research Organisation in January 2014 was mandated to facilitate the protection of critical information infrastructure.
- In 2015, the Prime Minister established the office of the National Cyber Security Coordinator who advises the Prime Minister on strategic cyber security issues.
- India’s Computer Emergency Response Team (CERT-In), which is the nodal entity responding to various cybersecurity threats to non-critical infrastructure, comes under the Ministry of Electronics and Information Technology (MEITY).
- The Ministry of Defence has recently upgraded the Defence Information Assurance and Research Agency to establish the Defence Cyber Agency.
- The DCA is a tri-service command of the Indian armed forces to coordinate and control joint cyber operations, and craft India’s cyber doctrine.
- Finally, the Ministry of Home Affairs oversees multiple similarly named “coordination centres” that focus on law enforcement efforts to address cybercrime, espionage and terrorism, while the Ministry of External Affairs coordinates India’s cyber diplomacy push, both bilaterally with other countries and at international fora like the United Nations.
ISSUE- WITH INSTITUTIONAL FRAMEWORK AND WAY FORWARD
- This framework is beset by concerns around effective coordination, overlapping responsibilities, and a lack of clear institutional boundaries and accountability.
- This needs to be clarified in India’s upcoming National Cyber Security Strategy, which is yet to be released.
- Ensuring coherence and coordination between these different actors should be the primary goal of the new strategy.
ISSUE- UNCLEAR DOCTRINE ON CYBER CONFLICTS
- India is yet to clearly articulate a doctrine that holistically captures its approach to cyber conflict, either for conducting offensive cyber operations, or the extent and scope of countermeasures against cyber attacks.
- While reports indicate that India too engages in targeted cyber-attacks, the rules of engagement for that too are unclear.
- This is unlike India’s approach to other global security regimes such as the ‘No First Use’ nuclear power.
WAY FORWARD
- India has been an active participant in processes within the First Committee of the United Nations General Assembly dealing with issues of disarmament and international security.
- While the Indian delegation has made public some of its interventions, India’s long-term strategic thinking on core issues of debate at these fora remains relatively unknown.
- India needs to make a precise articulation of how international law applies to cyberspace. This could mould the global governance debate to further India’s strategic interests and capabilities.
- In particular, this should include:
  - Positioning on non-binding norms
  - Positioning on legal obligations on red lines with respect to cyberspace targets that should be considered illegitimate due to their significance for human life, such as health-care systems, electricity grids, water supply, and financial systems
Reference:
- https://www.thehindu.com/opinion/lead/patching-the-gaps-in-indias-cybersecurity/article34000336.ece