Context: Increasing threat of cyber-attacks calls for patching gaps in India’s cybersecurity architecture.
Threats of cyber attacks
State-sponsored attacks: A report by a US-based cybersecurity firm raised the possibility that a power outage in Mumbai could have been Chinese state-sponsored. Similar events:
GhostNet: In 2009, targeting the Tibetan government in exile in India and Indian embassies.
Stuxnet: Took down nuclear reactors in Iran.
Suckfly: Targeted firm that provided tech support to National Stock Exchange.
Dtrack: Targeted Indian banks and later Kudankulam nuclear power plant in 2019.
Risk of false flag attacks: WikiLeaks documents show that groups such as the Central Intelligence Agency’s UMBRAGE project have advanced capabilities for misdirecting attribution to another nation-state.
India’s Institutional architecture
The Prime Minister’s Office: Includes within it several cyber portfolios.
National Security Council: Chaired by National Security Adviser (NSA), plays a key role in shaping India’s cyber policy ecosystem.
National Information Board: Apex body for cross-ministry policy coordination on cybersecurity.
National Critical Information Infrastructure Protection Centre: established under National Technical Research Organisation, mandated to facilitate the protection of critical information infrastructure.
National Cyber Security Coordinator: Advises Prime Minister on strategic cybersecurity issues.
Computer Emergency Response Team (CERT-In): Nodal entity responding to various cybersecurity threats to non-critical infrastructure.
Defence Cyber Agency: Tri-service command of the Indian armed forces to coordinate and control joint cyber operations and craft India’s cyber doctrine.
Coordination centres: Under the Ministry of Home Affairs, focus on law enforcement efforts to address cybercrime, espionage and terrorism.
Gaps in India’s institutional architecture
All of the Government approach: Concerns around effective coordination, overlapping responsibilities and lack of clear institutional boundaries and accountability.
Absence of a credible cyber deterrence strategy: India’s National Cyber Security Strategy, a much-needed update to National Cyber Security Policy 2013, is yet to be released.
Lack of Doctrine of Cyber Conflict: India is yet to clearly articulate the doctrine that holistically captures its approach to cyber conflicts. (Reports indicate that India too engages in targeted cyber-attacks)
Secrecy and ambiguity surrounding a nation’s doctrine don’t provide a tactical advantage when engaging in cyber operations because of the existing asymmetry in capabilities.
E.g. Both States and non-state actors remain incentivised to undertake low-scale cyber operations like espionage, cyber-crime, and even the disruption of critical information
Way Forward
Bring in Responsible Cyber Doctrine: In line with the ‘No First Use’ nuclear doctrine, one that is clearer and transparent.
Role in articulating international law for cyberspace: To mould global governance debate to further India’s strategic interests and capabilities.
Focus not just on non-binding norms but also on legal obligations on ‘red lines’ with respect to cyberspace targets.
Ensuring coherence and coordination between different actors: Between government and private sector, as well as within government itself, at national and State levels.