Patching the gaps in India’s cybersecurity

Context: Increasing threat of cyber-attacks calls for patching gaps in India’s cybersecurity architecture.

Threats of cyber attacks

• State-sponsored attacks: Report by US-based cybersecurity firm raised possibility that a power outage in Mumbai could have been Chinese state-sponsored. Similar events: -
  • GhostNet: In 2009, targeting the Tibetan government in exile in India and Indian embassies.
  • Stuxnet: Taken down, nuclear reactors in Iran.
  • Suckfly: Targeted firm that provided tech support to National Stock Exchange.
  • Dtrack: Targeted Indian banks and later Kudankulam nuclear power plant in 2019.
• Risk of false fly attacks: WikiLeaks documents show that groups such as Central Intelligence Agency’s UMBRAGE project have advanced capabilities of misdirecting attribution to another nation-state.

India’s Institutional architecture

• The Prime Minister’s Office: Includes within it several cyber portfolios.
• National Security Council: Chaired by National Security Adviser (NSA), plays a key role in shaping India’s cyber policy ecosystem.
• National Information Board: Apex body for cross-ministry policy coordination on cybersecurity.
• National Critical Information Infrastructure Protection Centre: established under National Technical Research Organisation, mandated to facilitate the protection of critical information infrastructure.
• National Cyber Security Coordinator: Advises Prime Minister on strategic cybersecurity issues.
• Computer Emergency Response Team (CERT-In): Nodal entity responding to various cybersecurity threats to non-critical infrastructure.
• Defence Cyber Agency: Tri-service command of the Indian armed forces to coordinate and control joint cyber operations and craft India’s cyber doctrine.
• Coordination centres: Under Ministry of Home Affairs, focuses on law enforcement efforts to address cybercrime, espionage and terrorism

Gaps in India’s institutional architecture

• All of the Government approach: Concerns around effective coordination, overlapping responsibilities and lack of clear institutional boundaries and accountability.
• Absence of a credible cyber deterrence strategy: India’s National Cyber Security Strategy, a much-needed update to National Cyber Security Policy 2013, is yet to be released.
• Lack of Doctrine of Cyber Conflict: India is yet to clearly articulate the doctrine that holistically captures its approach to cyber conflicts. (Reports indicate that India too engages in targeted cyber-attacks)
  • Secrecy and ambiguity surrounding a nation’s doctrine don’t provide a tactical advantage when engaging in cyber operations because of the existing asymmetry in capabilities.
    • E.g. Both States and non­state actors remain incentivised to undertake low­scale cyber operations like espionage, cyber-crime, and even the disruption of critical information

Way Forward

• Bring in Responsible Cyber Doctrine: In lines with ‘No First Use’ nuclear doctrine, that is clearer and transparent.
• Role in articulating international law for cyberspace: To mould global governance debate to further India’s strategic interests and capabilities.
  • Focus not just on non-binding norms but also legal obligations on ‘red lines’ with respect to cyberspace-targets.
• Ensuring coherence and coordination between different actors: Between government and private sector, as well as within government itself, at national and State levels.