This article has been authored by Richa Jain, a second year student at Dr. Ram Manohar Lohiya National Law University, Lucknow.
A sudden boom in hyperactivity, malicious breaks, and cyber-espionage in Indian cyberspace calls for a profound screening of the critical infrastructure of India.
The recent attacks of Pegasus spyware in India licensed by an Israeli company NSO by hacking smartphones of government officials, journalists, and human rights activists has been outlandish cyber sabotage. In May 2021, a major ransomware attack shut down the operations of the US Colonial Pipeline Company. The key pipeline transports about 45% of diesel and petrol consumed on the east coast of the US. During the pandemic, cybersecurity became a USD one trillion problem issuing global concerns on the twenty-fold increase of such attacks worldwide since 2017.
A nation’s dependence on cyberspace for most of its critical functions is also its vulnerability. Such attacks are the new-age threats with the intrusiveness of attacking the vulnerability of those with weaker cyber defence mechanisms. This article indulges into a structural policy framework involving the need for critical infrastructure, the associated challenges examining the current legal framework and the way forward.
The IBM analysis in ‘X Force Threat Intelligence Index 2021’ exposed India’s debilitated state of critical infrastructure. In 2020 India was the second most targeted country in the Asia-Pacific region with concern to cybercrimes, contributing a 7% share globally in such incidents. According to a Bengaluru based cybersecurity firm Subex, India is one of the top five most cyber-attacked nations in the world.
The onset of coronavirus resulted in the digitalisation of many sectors. Banking sectors gained popularity with both front-end and back-end operations going digital which increased cashless transactions letting hackers perform frequent data breaches and increased the act of stealing. In the cyber realm, the pandemic provided leverage to cyber-attacks majorly in military interventions, manufacturing, financial, and insurance sectors, and organizations involved in the covid-19 vaccine supply chain. Given the increasing number of cyber-attacks, countries like India have to build a robust system for cyber security of businesses and governmental organizations.
Need For Critical Infrastructure
Critical Infrastructure is the body of systems, networks, and assets including a vast network of highways, connecting bridges, railways, buildings, and utilities to maintain normalcy in daily life, security of the nation, its economy, and the public’s health/safety. India has 3rd largest Internet users worldwide yet the defensive measures for the cyber system are still at a nascent stage. In 2020, cyber-attacks increased by almost 300% linking it to an enormous increase in digital activities.
Continued targeted attacks by Chinese state-sponsored actors have been reported by the statutory organization Computer Emergency Response Team (CERT-In).
Most recently, in 2020, the RedEcho group linked to China targeted India’s power sector and railway grids that hit Mumbai and nearby areas. States launch cybercrimes to have geopolitical gains. Nations such as Russia, Iran, China, North Korea are reportedly using such techniques for propaganda attacks, espionage, to target critical infrastructure systems, and to support political and military objectives. These include the massive 2017 WannaCry and NotPetya ransom ware attacks which resulted in the shut-down of 80 NHS organisations in England alone.
India’s policies regarding cybersecurity are haphazardly scattered with ignorant ramifications. The first component involves testing the software and hardware in which MeitY’s Electronics and Information Technology Goods (Requirement of Compulsory Registration) Order, 2021 and Indian Telegraph Rule, 1951 mandates the testing of telecom equipment and hardware prior to their sale or import. The issue here is that not all equipment is tested rigorously and there is no mention of software testing which hampers the concept of a protected ecosystem.
The second component involves having strong safety walls for stakeholders. In this aspect, the RBI formulated the Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds in 2011 for cybersecurity related guidance to banks and SEBI formulated the Guidelines on Cyber Security and Cyber Resilience framework of Stock Exchanges, Clearing Corporations and Depositories in 2018 to secure Indian financial markets. Despite all these efforts the continuous failure of safeguarding such matters reflects the extreme lack of expertise, oversight, outdated laws, and the scattered legal framework.
A significant issue in protecting critical infrastructure lies in the abstinence of sharing about the vulnerability of infrastructural fallacies. Businesses feel exposing themselves will lead to the drowning of their competitive edge over rivals. In the 2018 cyber attack in Cosmos Bank of Pune, hackers siphoned off Rs. 94.42 crores with a simple tactic of hacking into the bank’s ATM server and collecting credit card details. In 2018, 1.1 billion Indian Aadhar Card details were leaked which was one of the massive data breaches.
The documents by WikiLeaks in 2017 state that the Central Investigation Agency’s UMBRAGE group may have catalogued hacking methods allowing agencies to mask their identities during espionage. With this, the CIA can not only increase the number of attacks but also misdirect attribution by leaving behind false ‘fingerprints’ of different groups or locations.
Another issue is with a nationwide approach and implementing a preventive system centrally. While seeking to maintain an all of government approach to mitigate and counter cyber security threats, it has elicited concerns such as lack of systematic coordination, overlapping of responsibilities, and lack of accountability and institutional boundaries. India lacks proper training and indigenization in hardware and software cyber security tools pushing it to a more vulnerable position.
Israel’s $82 billion cyber security mechanism and expertise lead the world and the government plays a crucial role in sustaining this aspect. They respect human capital and invest a lot into their people, defense organisations, and their powerful military. It is the first country to provide a Ph.D. Cyber security program. Like Israel’s National Cyber Directorate or the US’s Cyber security and Infrastructure Security Agency Act (CISA), India doesn’t have any active mechanism for cyber defence.
Further, India lacks a credible cyber defence strategy that provides easy access to state and non-state actors to incentivize them to undertake low-scale operations such as espionage, cybercrime, and disruption of critical infrastructure. India lacks manpower in cybersecurity professionals especially in the Indian military, police forces, and law enforcement agencies.
Way Forward: Expedition In Fortification
Since the pandemic has put nations into a state of be-wilderness, countries have resorted to creating awareness about digital warfare and hackers targeting critical infrastructure. Nobody is immune to such indulgences. Not only the government and corporate system but also the civic society has to bring in their awareness programs. India has sufficient organizations and projects but the need is to strengthen the framework of these projects such as the National Cyber Coordination Centre (NCCC), National Critical Information Infrastructure Protection Centre (NCIIPC), and the Computer Emergency Response Team (CERT). Recently the National Security Council of India formulated a National Cyber Security Strategy 2020.
The Indian education system needs to incorporate courses on cyber security including central universities, private institutions, and also a separate course in high schools will be a great investment. The dominance of digital gadgets is on a manifold increase, the National Cyber Security Policy will have to effectively ponder upon it to make a comprehensive policy for the next decade since in the current framework of 2013 “It is important for the corporates or the respective government departments to find the gaps in their organisations and address those gaps with the help of next generation security solutions. It is essential that there is a layered security system, wherein security threat intelligence sharing is happening between different layers,” said Sunil Sharma, managing director – sales (India & SAARC), at cybersecurity firm Sophos. Also, the government should focus on promoting indigenization and training programs at remote levels. The cyber security architecture could be included in the Make in India program.
The National Cyber Security Policy should include positioning on ‘red lines’ such as health-care systems, financial systems, water supply, and electricity grids. India has mostly a reactive approach to these attacks, in many instances, authorities remain oblivious to the nature of attacks for prolonged periods. Policymakers should embed cyber security into every organization without compromising on quality. Many authorities have talked about carving out a separate budget allocation for cyber security. This could bootstrap awareness and capability programs in states via central funding.
In tandem, India has to rapidly strategize a mechanism to maintain cyber security and peace. A transparent data allocation will help build trust in the public and will set a clear stance for India internationally. The increase of newer trends of block chain activities containing crypto currency makes India more susceptible to such attacks and thus it calls for a renewed design of cyber security architecture. Our cyber doctrine should manifest objectives of development and deterrence. India should reach for international collaboration, under the aegis of the UN which could keep check on western dominance. Global and responsive governance will enhance people’s participation in the cyber world and will make them responsible citizens of the cyber state as well.