The alleged intrusion into the networks of 10 assets of India’s power sector and two sea ports by Chinese state-sponsored threat actor ‘RedEcho’ has once again shifted the spotlight on India’s cybersecurity infrastructure and raised questions of its cyber resilience in mitigating such threats.
According to a report in the New York Times, Mumbai’s massive power outage, on 13 October 2020, could have been caused by an attack by a Chinese state-sponsored group. While the Maharashtra government has indicated it could be the result of a ‘cyber sabotage,’ the Union Power Minister has denied such claims.
Nonetheless, it is a fact that India and its civilian, nuclear and defence infrastructure have been subjected to attempted intrusions by state and non-state actors for espionage, information theft, show of strength and strategic posturing.
However, despite a fairly robust set-up on cyber intelligence and resilience, information around India’s cyber policies remain shrouded in secrecy. A holistic doctrine on India’s cyber strategy, particularly its stance on offensive cyber operations remains undefined.
The Quint looks at the history and nature of cyber threats India has faced, its institutional cybersecurity set up among the various ministries and the Prime Minister’s Office as well as issues of effective coordination among the various bodies.
Cyber Attacks on India
India has been at the receiving end of several cyber operations over the last decade. The targeting of India’s civilian and defence infrastructure is reported to have been carried out for espionage, strategic posturing, as a warning as well as for information theft. Following are some of the major reported attacks.
POWER PLANTS & SEA PORTS (2020)
Amid the Indo-China conflict along the Line of Actual Control (LAC) in 2020, China-based threat actor group, codenamed ‘Red Echo’, had targeted at least 10 assets of India’s critical power sector as well as two ports, a report by a US-based cybersecurity company has stated.
These include State Load Despatch Centres (SLDC) and four out of five of India’s Regional Load Despatch Centres (RLDC). They are responsible for ensuring real-time integrated operation of India’s power grid through balancing electricity supply and demand to maintain a stable grid frequency.
The targets also include the National Thermal Power Corporation Ltd (NTPC), Mumbai Port Trust, VO Chidambaranar port in Tamil Nadu.
KUDANKULAM NUCLEAR POWER PLANT (2019)
The Nuclear Power Corporation of India Limited (NPCIL), which runs the Kudankulam plant in Tamil Nadu, on 30 October, confirmed that the “identification of malware in NPCIL system is correct”. This confirmation came after a denial on 29 October that “any attack on the Nuclear Power Plant Control System is not possible.”
The cyber attack by suspected North Korea-based hackers on the Kudankulam Nuclear Power Plant in September 2019 was intended specifically for information theft and The Quint had learnt that the actors were able to steal technology-related data from the plant’s IT systems.
NATIONAL STOCK EXCHANGE (2015)
In 2015, a cyber espionage group attacked an Indian IT firm that provides support to India’s largest stock exchange – the National Stock Exchange (NSE). For 24 months, several Indian government and private organisations have been victims of highly-targeted and sustained cyber attacks by ‘Suckfly’.
Cybersecurity firm Symantec tracked Suckfly since April 2014 and believes it is a Chinese cyber-espionage group. According to Symantec, Suckfly uses stolen digital certificates to breach the internal networks of Indian organisations.
In 2015, between 22 April and 4 May, Suckfly conducted a multistage attack on an Indian e-commerce company. It first identified a user – an employee of the e-commerce company – to attempt its initial breach into the e-commerce company’s internal network.
SHADOW NETWORK (2009)
In 2009, a cyber espionage operation was reported to have targeted the Tibetan government in exile as well as multiple Indian embassies. Further research revealed this targeting to be a part of a vast espionage operation known as Shadow Network. It targeted Indian military establishments, news publications, and even the National Security Council Secretariat.
India’s Institutional Cybersecurity Set-Up
India has built an inter-ministerial ecosystem of cyber institutions since the dawn of the new millenium. While some function under and report to the Prime Minister’s Office (PMO), others fall under different ministries.
“The current legal framework dealing with cyber-security is not centralized. Different agencies are responsible for various aspects of cyber-security. These can broadly be classified into agencies focusing on civilian cybersecurity, and those focusing on the military cybersecurity,” writes Nidhi Singh, in a blog for National Law University’s Centre for Communication Governance.
Under PMO
1. National Security Council
Established in 1998 by former PM Atal Bihari Vajpayee, the National Security Council serves as a coordinating body for cybersecurity and internet governance.
“The National Security Council, usually chaired by the National Security Adviser (NSA), and plays a key role in shaping India’s cyber policy ecosystem. The NSA also chairs the National Information Board, which is meant to be the apex body for cross-ministry coordination on cybersecurity policymaking,” state Pranesh Prakash and Arindrajit Basu, in an analysis in The Hindu.
2. National Critical Information Infrastructure Protection Centre (NCIIPC)
Established in 2014, NCIIPC is the National nodal agency for all measures to protect nation's critical information infrastructure. It is a unit of National Technical Research Organisation (NTRO) under the National Security Advisor (NSA) in the Prime Minister’s Office.
According to the organisation, its function is to “protect and deliver advice that aims to reduce the vulnerabilities of critical information infrastructure, against cyber terrorism, cyber warfare and other threats.”
3. National Cyber Coordination Centre
The National Cyber Security Coordinator (NCSC) under National Security Council Secretariat coordinates with different agencies at the national level for cybersecurity matters. It is a classified project of Indian government, which works as an operational cybersecurity and e-surveillance agency in India. The Centre coordinates cybersecurity intelligence, mitigating online threats and handles National security.
CERT-In (Ministry of Electronics & IT -MeitY)
CERT-In (Computer Emergency Response Team India) is the national nodal agency for responding to computer security incidents as and when they occur. An organisation within MeitY, CERT-In’s primary role is to raise security awareness in the country, provide technical assistance and help in recovery from cybersecurity incidents.
According to its charter, CERT-In’s functions include both proactive and reactive measures. It is tasked with collection, analysis and dissemination of information on cyber incidents as well as to issue forecasts and alerts regarding cyber threats.
Defence Cyber Agency (Ministry of Defence)
Established in 2019, the Defence Cyber Agency has been set up as a tri-service agency to work in conjunction with the National Cyber Security Advisor.
Its focus will reportedly be limited to military cyber-issues and not civilian ones. Its Tri-service nature means that it would include as many as 1,000 personnel from all three branches – the army, navy and the air force. Rear Admiral Mohit Gupta has been appointed as the first head of the DCA.
Cyber & Information Security Division (Ministry of Home Affairs)
This division, under the union Home Ministry, deals with matters relating to Cyber Security, Cyber Crime, National Information Security Policy & Guidelines (NISPG) and implementation of NISPG, NATGRID. It comprises a Cyber Crime Wing, Cyber Security Wing, Information Security Wing, and a Monitoring Unit.
Need for a Clear Doctrine & Transparency on Cyber Strategy
India has been a high-risk country when it comes to malicious cyber attacks as well as attacks from state and non-state actors on India’s critical infrastructure.
Despite the presence of a wide-ranging spectrum of cyber entities, issues of coordination and clarity on operations as well overlapping of roles have remained major concerns.
India is yet to clearly outline a cyber doctrine that encapsulates India’s strategy regarding offensive cyber operations as well as counter measures against cyber attacks.
“This institutional framework, while seeking to create an ‘all of government’ approach to countering and mitigating cybersecurity threats at the national level, has also resulted in concerns around effective coordination, overlapping responsibilities and lack of clear institutional boundaries and accountability,” Prakash & Basu highlight in The Hindu.
They point out that this needs to be clarified in India’s National Cyber Security Strategy, which has been drafted by the NSC. It is an update to the National Cyber Security Policy 2013 – but is yet to be released.
“Ensuring coherence and coordination between these different actors should be its primary goal,” they further add.
In light of the recent alleged targeting of India’s critical infrastructure in 2020 by China-linked RedEcho group – at a time when border hostilities between India and China were simmering along the LAC – a clear articulation of how international law applies to cyberspace could further India’s strategic interests globally.
According to Prakash & Basu, this articulation should also include “legal obligations on ‘red lines’ with respect to cyberspace-targets that should be considered illegitimate due to their significance for human life, such as health-care systems, electricity grids, water supply, and financial systems.”