Given the strong emphasis on the Digital India Initiative and the massive reliance on information technology (IT) to run key policy measures, such as the goods and services tax, and policy tools, such as Aadhaar, reliable cyber infrastructure is of critical importance. The defence and security establishments, too, rely heavily on digital platforms. However, a series of hacks and outages of government websites highlights the fact that cybersecurity is not taken as seriously as it should be. The latest major incident occurred on April 6 when at least 10 government websites, including those of the ministries of defence and home affairs, went down for several hours. Perhaps coincidentally, it was the day the defence ministry was releasing a Request for Information for 100 new fighter jets in a deal that will eventually cost well over Rs 1 trillion. This was initially believed to be a hack but was later clarified as being a technical glitch. However, the timing was suspicious and, whatever the causes of the outage, mission-critical infrastructure should not go offline for long periods. In a conflict situation, such outages could cause panic, and result in the breakdown of communications within government departments. For instance, a disrupted defence infrastructure could cripple the armed forces.
India has a very poor record with respect to keeping its cyber infrastructure and data safe, and it is regularly targeted by Pakistani and Chinese hackers. According to a submission in Parliament, over 700 Indian government websites, including state and central government websites, have been hacked and forced offline for varying periods in the past four years. The number of leaks of classified information is unknown but it is likely to be quite large. A major component of modern espionage consists of attempts to garner sensitive digital data. The stealthy penetration of cyber infrastructure in search of information and the knocking out of cyber infrastructure in order to disrupt government are standard tactics in 21st century conflicts. Such disruptions are relatively cheap, and highly deniable, and yet, they can be devastatingly effective. India is not alone in its vulnerability. Hackers acting on behalf of various governments have at various times attacked official websites in Georgia, Russia, Ukraine, North Korea and Iran. Iran’s nuclear research programme was crippled by such an attack and Ukraine has had much of its power grid knocked offline.
Given this constant game of cat and mouse, it is imperative to ensure that India’s cyber assets are adequately protected. Quite apart from spy vs spy scenarios, there is also a need for backup measures to ensure rapid recovery from natural disasters or technical glitches. India has a full-fledged cybersecurity establishment in theory, with agencies such as the Indian Computer Emergency Response Team. But the hack statistics suggest that it is not very effective. A comprehensive review of the cybersecurity establishment, an analysis of the incidents that have occurred, and an overhaul to prevent similar recurrences must be high priority for the government. Given that a lot of key digital initiatives are public-facing, it will be useful to carry out public outreach programmes and educate citizens about safe cyber practices.