India’s Cyber Space Security Requires an Urgent Booster Shot

Introduction

With the growing advances in technology, cyberspace has become a vital part of human lives. It has enabled a variety of tasks, from the booking of a cab online to deploying missiles that can hit targets with extreme precision. The 2007 cyber-attack on Estonia was a wake-up call for many countries, making them realize the importance of cyberspace and its security. In the light of the breach of customer data in a number of corporate firms, the Mumbai power outage on October 12, 2020, and the malware attack at Kudankulam Power Plant in 2019, India’s cyber defence capabilities have become a matter of serious concern.

With the launch of the Digital India campaign in 2015, the introduction of Goods and Services Tax in 2017 and in the pursuit of e-governance, many government services were digitalised. Digitalisation seems to have happened at a rapid pace without developing its backend infrastructure adequately, and this increased the vulnerability of data stored in it. Above all with demonetisation in 2016 and the introduction of JIO, a private telecommunications company, which provided Internet at cheap price with high speed, the number of internet users increased from nearly 302 million in 2015 to 696 million in 2020.^[1] As a result, many people were introduced to digital payments. With the increase in digitalisation, India’s cyberspace vulnerabilities have also grown.

Defence Capabilities  

It is essential to integrate cyber capabilities with conventional military operations for a better defence posture. Cyberspace has emerged as the fifth domain of warfare after land, sea, air and outer space. Hence it has become important for a state to develop its cyber capabilities. The Belfer Nation Cyber Power Index has measured the cyber capabilities of 30 countries, in which India ranks 21. Also by analysing the cyber policies, the cyber power of India is categorised under lower capability and lower intent. Hence India has a long way to go, especially in the context of its growing threat perceptions from state and non-state actors.

The Indian Computer Emergency Response Team (CERT-In) is the nodal agency under the Ministry of Electronics and Information Technology responsible for responding to cybersecurity-related incidents in India. The three wings of India’s armed forces- the Indian Army, Navy and Air force, have their own cyber facilities to network their operations. In addition, Defence Cyber Agency was established in 2018 as a tri-service command to deal with cybersecurity threats. To protect the critical infrastructures like banking, financial services, insurance, power, energy, telecom, transport, government, strategic public enterprises, e-governance, defence and law enforcement, the National Critical Information Infrastructure Protection Centre (NCIIPC) was established in 2014. It is a unit of the National Technical Research Organization under the Prime Minister’s Office.  Nevertheless, India continues to confront challenges in cyberspace since it is a very dynamic battlefield.

Challenges

In 2020, the number of cyber-attacks in India was about 1.16 million. ^[2] This was due to the rapid digitalisation due to the Covid-19 induced lockdown. These numbers might increase in future since the majority of the services are moving towards the digital platform, making it more vulnerable. India’s cyberspace faces many threats that include using overseas equipment, Advanced Persistent threats, growing cyber capabilities of China and lack of awareness among the general public.

Most of the hardware and software used by the government and private enterprises in India are procured from overseas. While updating the existing capabilities, the risk of installing a new malware or data theft with the help of already installed malware is very high. There is a need for public-private partnerships to overcome these challenges and build necessary critical infrastructure in India.

The Advanced Persistent Threat is one very important threat, where an intruder or group of intruders hack the system and extract the data for a long time by remaining undetected. These intruders are sometimes backed by a state to fulfil a specific goal. This poses a serious challenge since the nexus between state and non-state actors is difficult to determine in some scenarios. Lazarus of North Korea, Red Echo of China and Cozy Bear of Russia are some the state-backed hacking groups that are responsible for various cyber-attacks and cyber-crimes around the world. The National Security Agency of the US has recently accused Cozy Bear of an attempt to steal vaccine-related information ^[3] from universities and health care organizations in the US, British and Canada.

The People’s Liberation Army Strategic Support Force was established in 2015 with an aim to create synergies between space, cyberspace and electronic warfare. In the past two decades, China has invested greatly in Information, Communication Technologies and focused on integrating them with conventional warfare. They have superior C4ISR capabilities when compared to India and has developed a strategy for information warfare. Over the last few years, China’s assertiveness is felt in various spaces and its steady growth in cyberspace is alarming since it may pose a serious threat to India in future.

One of the major problems with cyber-attacks is the lack of awareness among the general public regarding the data breach. This awareness is important because they become frequent targets and unwitting instruments of attacks themselves. Moreover, social media being a huge repository of data, valuable information is mined from it and this can be a serious threat to national security. Many are first-time internet users and hence they are easily targeted to extract money and data. Therefore, there is a huge challenge in front of the government to educate the masses about cyber vulnerabilities.

The Urgent Need

India is one of the major players in the global IT sourcing market and it continues to grow. The IT industry contributed about 8% of the country’s GDP in 2020. Due to the Covid-19 pandemic, there is rapid digitalisation due to work from home culture and the number of digital payments is also rising. Hence, there is an urgent need to secure the critical infrastructure, mainly telecommunication which is the backbone of all other services. The communication infrastructure in India is largely procured from outside, and if that is compromised all other services which are based on it will come down along with it.

The Chinese companies ZTE and Huawei are some of the major equipment providers to telecommunication companies like Vodafone, Bharti Airtel, BSNL and MNTL operating in India. ^[4] This equipment might have backchannels to send the critical information back to China and hence they pose a major threat. Huawei and ZTE together account for about 55% of telecommunication equipment share in India. The Indian government has left out Huawei and ZTE for participating in network equipment suppliers. ^[5] Banning Huawei and ZTE immediately might not be a viable option despite national security concerns, since it might put additional stress on the telecommunication sector, which is already running on loss. Keeping these concerns in mind India should focus on building indigenous infrastructure for the 5^th generation wireless technologies, and must be ready for sixth-generation as well.

The National Cyber Security Strategy 2020 aims at creating safe, secure and resilient cyberspace. Nevertheless, there rises an important question of whether the Government should treat the breach in cyberspace as a violation of sovereignty on par with land and sea. If not all, certain fields like classified documents, defence communication and operation networks, critical information infrastructure should be under sovereign protected cyberspace. This will enhance India’s national security.

Recommendations:

• Indigenously developing and manufacturing the critical infrastructures is necessary, this aligns with India’s vision of ‘Atmanirbhar’. In order to achieve this investments have to be made in research and development. Since the private sector also has a huge stake, public-private partnerships should be encouraged.
• Need to come up with a strategy to counter growing China’s cyber capabilities. Combined use of conventional weapons with cyber weapons should be explored along with the cooperation from tri-services and their proper utilisation in the battlefield.
• The general public should be made aware of the cyber-crimes and promoting digital literacy is the need of the hour due to the increasing number of users at a rapid rate.

Data is the new gold and hence protecting the critical information infrastructure has become vital to prevent data espionage. Most of India’s critical infrastructure is linked to information networks and are interdependent. Protecting these is vital to India’s national security since it has a drastic impact on the economic and social wellbeing of the people. Therefore the threat to cyberspace is a threat to national security. Protecting cyberspace has become important now more than ever.

End-Notes:

1. https://www.statista.com/statistics/255146/number-of-internet-users-in-india/
2. Prashant K. Nanda, Cyber-attacks surged 3-fold to 1.16 million last year in India, Live Mint, Available at: https://www.livemint.com/news/india/as-tech-adoption-grew-india-faced-11-58-lakh-cyberattacks-in-2020-11616492755651.html
3. Julian E. Barnes, Russia Is Trying to Steal Virus Vaccine Data, Western Nations Say, New York Times, Available at: https://www.nytimes.com/2020/07/16/us/politics/vaccine-hacking-russia.html
4. Niharika Sharma, Banning Huawei won’t be a viable choice for India despite national security interests, Available at: https://qz.com/india/1895866/india-banning-huawei-will-hurt-airtel-vodafone-idea-help-jio/
5. Live Mint, India doesn’t name Huawei participant in 5G trials, Available at: https://www.livemint.com/industry/telecom/india-doesn-t-name-huawei-among-participants-in-5g-trials-11620135603266.html