Fencing the Dragon Out: Cyber Security Challenges for India ; By Gp Capt (Dr) R Srinivasan VSM

Image Courtesy: ICT group

Article 09/2021

“They (Non-Traditional Security Threats) are defined as challenges to the survival and well-being of peoples and states that arise primarily out of nonmilitary sources.” – Professor Mely Caballero-Anthony (Secretary-General, Consortium on Non-Traditional Security Studies in Asia).

Non-Traditional threats to nations and societies have long been understood as emanating from sources that are outside the military frameworks. The advent and spread of information and communication technology, forming the backbone of the financial system, economic and industrial infrastructure make cyberspace especially vulnerable to interest groups as well as inimical groups. Social media riding on the IT highway has also demonstrated capabilities to affect the morale of large sections of society.

When the USA went to war with Iraq in 1991, the world witnessed the power of this technological prowess in full play. The subsequent US-led global engagements in Serbia, Kosovo, and the Estonian episode of 2007 indubitably established cyber space as an important element in the strategic calculus of any nation.

In the geopolitical scenario that has emerged in Indo-Pacific and SCS, the attention of scholars, as well as strategic analysts, has riveted itself to the capabilities that China has acquired or developed for itself over the past few decades. Such scholarly scrutiny has studied the cyber warfare capabilities too. Even before China began its ambitious engagement with the world through BRI, experts had begun to survey its cyber prowess. For example, Deepak Sharma (Sharma, 2011)[i] of IDSA who studied the cyber capabilities of China in 2011 summed it up in the following words.

China has made major progress in synergising, combining, and coordinating its signal intelligence, EW, information security, and computer network attack systems. These efforts have made the Chinese system more effective and secure.

In the same year, Desmond Ball (Ball, 2011)[ii] from the USA also studied these capabilities and came to the conclusion that “the extensive Chinese IW capabilities, and the possibilities for asymmetric strategies, are only potent if employed first”. Ball was hinting at the potential disruption that China could cause to its adversaries if it carries out a preemptive strike. In his assessment, China did not have the wherewithal to sustain or negate the counter capabilities of nations like the US.

Even though these assessments conveyed mixed and sometimes misleading judgements on Chinese capabilities, in the years preceding and succeeding these assessments there was an increasing number of attempts to deploy those capabilities to the detriment of India. The reasons are obvious.

Dragon’s footprints in Indian cyber sands

Below mentioned instances of Chinese cyber surveillance and attacks on Indian interests are not merely recent but are of considerable strategic importance:

1. In 2015, a report by “Fire Eye” – a US based cyber security firm reported that China had been spying on Indian government and businesses for more than a decade without India being aware of it. It would be safe to assume that a spate of intrusions and attempted intrusions like the ones on NIC (National Informatics Centre) in 2009, Websites of MHA (Ministry of Home affairs) and MEA (Ministry of External affairs) in 2012, Northern Power Grid in 2012, Websites of DRDO and PMO in 2013 etc do draw a high level of suspicion against China. In 2017, there was also talk of Chinese hackers attempting to intrude into systems that controlled and monitored Sukhoi 30 fighters of the India Air force in order to forcefully down them[iii]

2. In 2018, a report by Computer Emergency Response (CERT-In) documented that China carried out the highest number of attacks on the official websites of India. China was the host country for35% of all intrusion activities recorded from across the globe targeting Indian websites. The companies widely targeted government industries like ONGC and IRCTC and banks like SBI with a specific targeting of state data centres of banks across states[iv].

3. On 04th September 2019, India’s largest nuclear power plant at Kudangulam suffered a cyber-attack purportedly by North Korean hackers. While the Nuclear Power Corporation of India Ltd (NPCIL) initially denied any such incident, it later admitted that Computer Emergency Response Team (CERT-In), had noticed a malware attack that breached India’s largest nuclear power facility’s administrative network on September 4th[v].

4. On 12 October 2020, even as the stand-off in Eastern Ladakh continued, two thousand kilometers away, in Mumbai the financial capital of India, the stock market shut down, local trains stopped and the city of 20 million came to a grinding halt. Hospitals battling Covid 19 had to switch over to generators and pray that the outage would be restored soon. The Chief Minister ordered an inquiry and the central minister promised to send a special team to investigate[vi]. Tata Power that supplies electricity to Mumbai said that the outage was triggered due to the simultaneous tripping of power transmission lines[vii]. The political leaders started blaming each other for letting the financial capital ‘power-less’ for over 2 hours.

5. Fifteen weeks later, David E. Sanger and Emily Schmall (Schmall & Sanger, February 28, 2021)[viii] reported in the New York Times that Recorded Future, a Somerville, Mass., company that studies the use of the internet by state actors, had investigated the Mumbai outage and found that the Chinese state-sponsored group, which the firm named Red Echo, “has been seen to systematically utilize advanced cyber intrusion techniques to quietly gain a foothold in nearly a dozen critical nodes across the Indian power generation and transmission infrastructure.” Recorded Future reported the findings to Indian authorities for further investigation.

6. Exploring further into the Mumbai outage case, Rezaul Laskar and Tanushree Venkatraman (Laskar & Venkatraman, 01 March 2021)[ix] further report that the Red Echo had targeted 12 organizations viz., Power System Operation Corporation Limited, NTPC Limited, NTPC’s Kudgi power plant, Western Regional Load Dispatch Centre, Southern Regional Load Dispatch Centre, North Eastern Regional Load Dispatch Centre, Eastern Regional Load Dispatch Centre, Telangana State Load Dispatch Centre, Delhi State Load Dispatch Centre, the DTL Tikri Kalan (Mundka) sub-station of Delhi Transco Ltd, VO Chidambaranar Port, and Mumbai Port Trust. All these groups use ShadowPad, a modular backdoor tool that has been utilised by China-backed groups in network intrusion campaigns since 2017.

Cyber Security Framework in India

The Indian government has also been aggressively addressing the rising prevalence of cyber threats.  National Cyber Security Policy 2013 has been framed to create a secure cyber ecosystem, ensure compliance with global security systems and strengthen the regulatory framework. The union budget for 2017 included the formation of the Computer Emergency Response Team (CERT) for the financial sector.

The government has also sought data security protocol details from several smartphone manufacturers insisting that mobile manufacturing units be security-compliant. The Technology Development Board and Data Security Council of India (DSCI) have jointly decided to promote cybersecurity startups in India.

NASSCOM and DSCI Cyber security Task Force have also launched a roadmap to develop the cyber security ecosystem to $35 USD billion by 2025.

Information Technology Act, 2000

1. The act regulates use of computers, computer systems, computer networks and also data and information in electronic format. It lists down among other things, following as offences:

2. Tampering with computer source documents.

3. Hacking with computer system

4. Act of cyber terrorism i.e. accessing a protected system with the intention of threatening the unity, integrity, sovereignty or security of country.

5. Cheating using computer resource etc.

Strategies under National Cyber Policy, 2013

1. Creating a secure cyber ecosystem.

2. Creating mechanisms for security threats and responses to the same through national systems and processes.

3. National Computer Emergency Response Team (CERT-in) functions as the nodal agency for coordination of all cyber security efforts, emergency responses, and crisis management.

4. Securing e-governance by implementing global best practices, and wider use of Public Key Infrastructure.

5. Protection and resilience of critical information infrastructure with the National Critical Information Infrastructure Protection Centre (NCIIPC) operating as the nodal agency.

6. NCIIPC has been created under Information Technology Act, 2000 to secure India’s critical information infrastructure. It is based in New Delhi.

7. Promoting cutting edge research and development of cyber security technology.

8. Human Resource Development through education and training programs to build capacity.

Recent Steps by Government of India

1. National Cyber security Coordination Centre (NCCC): Created in 2017, its mandate is to scan internet traffic and communication metadata (which are little snippets of information hidden inside each communication) coming into the country to detect real-time cyber threats.

2. Cyber Swachhta Kendra: Launched in 2017, this platform is meant for internet users to clean their computers and devices by wiping out viruses and malware.

3. Cyber Surakshit Bharat Initiative: It was launched in 2018 with an aim to spread awareness about cybercrime and building capacity for safety measures for Chief Information Security Officers (CISOs) and frontline IT staff across all government departments.

4. Training of 1.14 Lakh persons through 52 institutions under the Information Security Education and Awareness Project (ISEA) – a project to raise awareness and to provide research, education and training in the field of Information Security.

5. International cooperation: Looking forward to becoming a secure cyber ecosystem, India has joined hands with several developed countries like the United States, Singapore, Japan, etc, towards establishing a secure cyber ecosystem. Agreements with these countries will help India to challenge even more sophisticated cyber threats.

Understanding China’s Cyber Policy

Cyber capabilities are difficult to compare vis-a-vis normal military hardware capabilities. In any case, both depend on the strategic framework or operational philosophy of the employer. Commencing from 1991, China seems to have studied the Desert Storm and Desert Shield operations by the USA with great interest. The use of social media as a powerful tool during Arab Spring also appears to have given substantial lessons in managing social media to the Chinese Communist Party and PLA. China’s actions to curtail Hong Kong’s pro-democracy movement provide adequate emphasis as to the ‘conceptual’ policy clarity that China has arrived at in this dimension. The importance given to cyberspace in Chinese strategic thinking is highlighted in a White paper published by the Ministry of National Defence of PRC dated 24th July 2019[x]:

1. Cyberspace is a key area for national security, economic growth, and social development. Cyber security remains a global challenge and poses a severe threat to China. China’s armed forces accelerate the building of their cyberspace capabilities, develop cyber security and defense means, and build cyber defense capabilities consistent with China’s international standing and its status as a major cyber country. They reinforce national cyber border defense, and promptly detect and counter network intrusions. They safeguard information and cyber security, and resolutely maintain national cyber sovereignty, information security and social stability.

2. The PLASSF is a new type of combat force for safeguarding national security and an important driver for the growth of new combat capabilities. It comprises supporting forces for battlefield environment, information, communications, information security, and new technology testing. In line with the strategic requirements of integrating existing systems and aligning civil and military endeavors, the PLASSF is seeking to achieve big development strides in key areas and accelerate the integrated development of new-type combat forces, so as to build a strong and modernized strategic support force.

3. Promoting innovation in defense S&T and military theory. China’s armed forces are accelerating the implementation of the strategy to develop the military through S&T in a bid to maintain and enhance the strength of the areas where they lead, and intensify innovation in emerging areas. They have made great progress in independent innovation in some strategic, cutting-edge, and disruptive technologies, and succeeded in developing strategic hi-tech products such as the Tianhe-2 supercomputer. Focusing on war and fighting wars, China’s armed forces have innovated in military doctrines and delivered outcomes in military strategy, joint operations and informationization, which have provided a theoretical support to defense and military development.

Concluding Thoughts

It is evident that China has understood the importance of cyber space and laid out its policies and programs in tune with its national and international aspirations. Use of the term consistent with China’s international standing and its status as a major cyber country in its ministerial policy document is ample evidence of such an understanding as well as its aspirations. Even though the cited studies and an appreciation by Carnegie as recently in 2019 (Jinghua, 2019)[xi] point to critical technological insufficiencies that China still suffers from, especially the language handicap, Jinghua’s recommendation that “a more comprehensive and objective assessment of China’s cyber power is in urgent need” should serve as a warning to policy and strategic planners in India.

ICT Development Index which rates a country’s cyber capabilities on an 11 point technology/capacity scale, places China at world no. 80, much behind United States (16), UK (5) and Germany (12). Interestingly, it places Hong Kong (China) at No. 06!! The common understanding that we derive from earlier studies and these assessments could be seen as though China has miles to catch up, provided we close our eyes on the capacity available to it at Hong Kong. The demonstrated behavior the world has evidenced from China thus far, duly underlined by the cyber-attack incidents on critical infrastructure in India should actually provide substantial impetus for India to revamp its cyber policy, duly integrating armed forces into its national counter cyber-attack grid. It may also be worthwhile to note that in spite of the policy frameworks brought about by India, it is ranked at No.134 by ICT.

It would be fruitful to visit and contemplate over some of the insightful and ‘doctrinal’ precepts that Martin Libicki spelt out in the Rand Air Force Project study on Cyberdeterrence and Cyber War[xii]:

1. The basic message is simple: Cyberspace is its own medium with its own rules. Cyberattacks, for instance, are enabled not through the generation of force but by the exploitation of the enemy’s vulnerabilities. (p-iii)

2. Deterrence and warfighting tenets established in other media do not necessarily translate reliably into cyberspace. Such tenets must be rethought. (P-iii)

3. The establishment of the 24th Air Force and U.S. Cyber Command marks the ascent of cyberspace as a military domain. As such, it joins the historic domains of land, sea, air, and space. All this might lead to a belief that the historic constructs of war—force, offense, defense, deterrence—can be applied to cyberspace with little modification. Not so. Instead, cyberspace must be understood in its own terms, and policy decisions being made for these and other new commands must reflect such understanding. Attempts to transfer policy constructs from other forms of warfare will not only fail but also hinder policy and planning. (P-xiii)

4. Cyberattacks Are Possible Only Because Systems Have Flaws (P-xiii)

5. It is only a modest exaggeration to say that organizations are vulnerable to cyberattack only to the extent they want to be. In no other domain of warfare can such a statement be made. (P-xiv)

While evaluating the recent Nagrono-Karabakh conflict, it was observed that the extensive use of unmanned platforms could have been the test-bed for such a strategy envisaged in Taiwan’s revised ODC (Srinivasan, February 11, 2021)[xiii]. In eastern Ladakh stand-off, the probability of China employing unmanned platforms remained at the core of many strategic discourses. Instead, Chinese successful attempt to disrupt power supply in the financial capital of India yet again appears to be a testing-bed for their cyber warfare theories, particularly when read with the Ministerial statement that, “They have made great progress in independent innovation in some strategic, cutting-edge and disruptive technologies, and succeeded in developing strategic hi-tech products such as the Tianhe-2 supercomputer”.

With Sagarmala, Bharatmala, dedicated initiative for expanding indigenized capacity for defence production through Atmanirbhar philosophy, India’s reliance on cyber space to run its economic and strategic enterprises will only increase. Therefore, a credible counter cyber-attack capability is critical for India. Having started with well-conceived cyber policies in the preceding decade and having experienced the increasingly belligerent Chinese footprints in South Asia and Indian Ocean Region, a concerted attempt to re-define cyber policies and frameworks for safeguarding national assets appears to be need of the hour. Towards this, the following measures are suggested:

1. India has the largest pool of skilled manpower in information technology domain which is acknowledged across the world. Suitable number of brilliant young minds from credible backgrounds could be pooled to work with CERT-In with a preventive task envelope.

2. Create an interface between civilian entities and military institutional frameworks for preventing and combating cyber intrusions that could affect dual use infrastrucre like airports, railways, ports and ordinance/military hardware manufacturing hubs.

3. The ability to restore normalcy and full functional capacity in the shortest possible time frame after an attack is the fundamental principle that defines operational readiness of armed forces. The same principle needs to be incorporated, tested and evaluated in so for as the agencies responsible for preventing and countering cyber attacks in civilian and military dimensions.

4. The above would be of extreme criticality to the Air Force and the Navy since they are critically dependent on technology.

What India therefore needs is the recalibration of its strategic thinking that duly recognizes emerging trends in cyber security space with particular emphasis on its growing infrastructure.

(Dr R Srinivasan is an independent researcher and the Managing Editor of Electronic Journal of Social and Strategic Studies (www.ejsss.net.in) He can be contacted at srinivasan.r961@gmail.com. The views expressed are personal.)

References:

[i] Sharma, Deepak (2011). China’s Cyber Warfare Capability and India’s Concerns, Journal of Defence Studies, Vol 5. No 2. April 2011, IDSA: New Delhi, P 73

[ii] Ball, D. (2011). China’s Cyber Warfare Capabilities. Security Challenges, 7(2), 81-103. Retrieved March 1, 2021, from https://www.jstor.org/stable/26461991

[iii] Kannan, Saikiran and Bhalla, Abhishek (August 06, 2020). Inside China’s cyber war room: How PLA is plotting global attacks, India Today (online). Retrieved from: https://www.indiatoday.in/world/story/inside-china-s-cyber-war-room-how-pla-is-plotting-global-attacks-1708292-2020-08-06

[iv] ibid

[v] Madhavan, N (November 07, 2019). Is India cyber security ready?, The Hindu Businessline (online). Retrieved from:  https://www.thehindubusinessline.com/opinion/columns/is-india-cyber-security-ready/article29911679.ece

[vi] ET Bureau (October 13, 2020). Rare power outage throws Mumbai out of gear for hours, Economic Times. Retrieved from: https://economictimes.indiatimes.com/news/politics-and-nation/rare-power-outage-throws-mumbai-out-of-gear-for-hours/articleshow/78630968.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst

[vii] Prasad, Rachita (October 12, 2020).  Tata Power says tripping of state transmission line led to Mumbai power outage, Economic Times. Retrieved from: https://economictimes.indiatimes.com/industry/energy/power/tata-power-says-tripping-of-state-transmission-line-led-to-mumbai-power-outage/articleshow/78622922.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst

[viii] David E. Sanger and Emily Schmall (February 28, 2021). China Appears to Warn India: Push Too Hard and the Lights Could Go Out, The New York Times. Retrieved from: https://www.nytimes.com/2021/02/28/us/politics/china-india-hacking-electricity.html

[ix] Laskar, Rezaul H and Venkatraman, Tanushree (01 March 2021). Chinese hacker groups target at least dozen Indian organisations, Hindustan Times (online). Retrieved from: https://www.hindustantimes.com/india-news/chinese-hacker-groups-target-at-least-dozen-indian-organisations-101614572360610.html

[x] China’s National Defense in the New Era. Retrieved from: http://eng.mod.gov.cn/publications/2019-07/24/content_4846452.htm

[xi] Jinghua, Lyu (April 01, 2019). What Are China’s Cyber Capabilities and Intentions?, Carnegie Endowment papers. Retrieved from:  https://carnegieendowment.org/2019/04/01/what-are-china-s-cyber-capabilities-and-intentions-pub-78734

[xii] Libicki, Martin C (2009). Cyberdeterrence and Cyber War, Rand Project Air Force, Rand Corporation: Santa Monica.

[xiii] Srinivasan, Gp Capt (Dr) R (Feb 11, 2021). Lessons from Nagrono-Karabakh and Taiwan ODC, Defence Research and Studies (online). Retrieved from: https://dras.in/lessons-from-nagrono-karabakh-and-taiwan-odc/