India’s cyber-security strategy needs a credible deterrence capacity
Cyber-attacks during the Russia-Ukraine war may lead to the North Atlantic Treaty Organization reviewing and updating the key Article 5 of its treaty. This says an armed attack against one of the signatories “shall be considered an attack against them all”. Drafted in the 1940s, the treaty does not include cyber-assaults in the category of armed attacks. It is likely to be amended to reflect 21st-century reality, as cyber-attacks are now routinely used in conflicts.
The war also indicates how urgently India needs to review its cyber-defence policies and, equally important, build deterrent cyber-offensive capability. It also needs to get private citizens and the corporate sector on board with better information security practices. Cyber-warfare is deniable — states can distance themselves from actions performed by hackers at their behest. The term is also broad. It covers propaganda and the “firehosing” of misinformation using social media platforms to, for example, influence elections or referendums. It covers defrauding or blackmail of individuals using sensitive personal data. It covers military and industrial espionage.
It can also consist of hacks and denial-of-service attacks to knock out websites, kill cloud services, and shut down telecom systems. Cyber-attacks can also cripple power and water supplies, and shut down airports, banks, stock exchanges, ports, nuclear plants, railways, etc. They can directly impact military equipment. Every modern nation is vulnerable to cyber-assault and India is especially vulnerable. There’s a growing base of roughly 600 million smartphone users, which means many “soft targets”. An array of government services is delivered online, and digital cash transactions are commonplace — these require direct interfaces with citizens, which means they can be probed at leisure for weaknesses.
The power grids are increasingly “smart”. The railways, ports, customs data exchanges, stock exchanges, national highway tolling systems, metros, hydropower dams, and airports are all dependent on digital processes, and so is much other infrastructure. In addition, the government and private corporations hold troves of sensitive personal data. Going by the evidence, many databases are insecure, since many large leaks have occurred.
India regularly experiences cyber-attacks, ranging from the defacing of websites to a couple that targeted urban power supplies and the stock exchange. These latter outages were attributed to likely hacking by actors working on behalf of a northern neighbour, with which India has ongoing territorial disputes.
The Indian cyber-defence setup includes a nodal agency, the Indian Computer Emergency Response Team, which forecasts and issues alerts about cyber-security incidents, tries to prevent such incidents, and issues guidelines, advisories, and vulnerability notes. The Defence Cyber Agency coordinates the response to, and mitigates, cyber-threats to defence assets. The government has been finalising a National Cyber Security Strategy for the last two years — this is far too long.
The current policy has a narrow focus and is defensive. It “hardens” perceived vulnerabilities only in military and civil government assets. It tries to limit damage and hasten disaster recovery in cases of successful attacks. But very large chunks of critical Indian infrastructure are built and managed by private enterprises. The new strategy must ensure the private sector has adequate cyber-security, and also address the need to educate citizens about basic cyber-hygiene.
There’s also a deep strategic need to build credible cyber-offensive capacity. In cyber-war, the capacity to counter-attack is truly the best defence. There will always be soft targets in a nation with a large smartphone user-base. There is less likelihood of state-sponsored attacks targeting that nation if adversaries think it can retaliate effectively. India needs to update its cyber-security strategy to incorporate this aspect as well.