Patching the gaps in India’s cybersecurity

Context: Increasing threat of cyber-attacks calls for patching gaps in India’s cybersecurity architecture.

Threats of cyber attacks

  • State-sponsored attacks: A report by a US-based cybersecurity firm raised the possibility that a power outage in Mumbai could have been Chinese state-sponsored. Similar events:
    • GhostNet: In 2009, targeting the Tibetan government in exile in India and Indian embassies.
    • Stuxnet: Took down nuclear reactors in Iran.
    • Suckfly: Targeted firm that provided tech support to National Stock Exchange.
    • Dtrack: Targeted Indian banks and later Kudankulam nuclear power plant in 2019.
  • Risk of false flag attacks: WikiLeaks documents show that groups such as the Central Intelligence Agency’s UMBRAGE project have advanced capabilities for misdirecting attribution to another nation-state.

India’s Institutional architecture

  • The Prime Minister’s Office: Includes within it several cyber portfolios.
  • National Security Council: Chaired by National Security Adviser (NSA), plays a key role in shaping India’s cyber policy ecosystem.
  • National Information Board: Apex body for cross-ministry policy coordination on cybersecurity.
  • National Critical Information Infrastructure Protection Centre: established under National Technical Research Organisation, mandated to facilitate the protection of critical information infrastructure.
  • National Cyber Security Coordinator: Advises Prime Minister on strategic cybersecurity issues.
  • Computer Emergency Response Team (CERT-In): Nodal entity responding to various cybersecurity threats to non-critical infrastructure.
  • Defence Cyber Agency: Tri-service command of the Indian armed forces to coordinate and control joint cyber operations and craft India’s cyber doctrine.
  • Coordination centres: Under the Ministry of Home Affairs, focus on law enforcement efforts to address cybercrime, espionage and terrorism.

Gaps in India’s institutional architecture

  • All of the Government approach: Concerns around effective coordination, overlapping responsibilities and lack of clear institutional boundaries and accountability.
  • Absence of a credible cyber deterrence strategy: India’s National Cyber Security Strategy, a much-needed update to National Cyber Security Policy 2013, is yet to be released.
  • Lack of Doctrine of Cyber Conflict: India is yet to clearly articulate the doctrine that holistically captures its approach to cyber conflicts. (Reports indicate that India too engages in targeted cyber-attacks)
    • Secrecy and ambiguity surrounding a nation’s doctrine don’t provide a tactical advantage when engaging in cyber operations because of the existing asymmetry in capabilities.
      • E.g. Both States and non-state actors remain incentivised to undertake low-scale cyber operations like espionage, cyber-crime, and even the disruption of critical information

Way Forward

  • Bring in Responsible Cyber Doctrine: In line with the ‘No First Use’ nuclear doctrine, one that is clearer and more transparent.
  • Role in articulating international law for cyberspace: To mould global governance debate to further India’s strategic interests and capabilities.
    • Focus not just on non-binding norms but also on legal obligations on ‘red lines’ with respect to cyberspace targets.
  • Ensuring coherence and coordination between different actors: Between government and private sector, as well as within government itself, at national and State levels.