Cyber sabotage of critical infrastructure is a new-age threat that has grown dramatically in the last decade. As outlandish as it may sound, it is a reality that has become so intrusive that even the common man has started feeling its heat. From unauthorised transactions on one’s bank account to lengthy cyber-attack-induced power outages that bring an entire metropolis to a standstill, such incidents have become common across all nations of the world. But how are our lawmakers dealing with this threat? By relying on a vastly scattered legal framework and on policies that still need a course correction. This article explores a three-pronged policy framework built on a ‘prevention, detection and reaction’ approach. An effort has been made to examine the current legal framework and to identify the markers that make it inefficient. The article calls for a scientific, evidence-based response to the problem instead of knee-jerk reactions based on political surmises. Towards the end, a case is made for doing away with the scattered legal framework and establishing a comprehensive, all-encompassing cybersecurity law supported by a single nodal agency that ensures equal protection and promises uniform dissemination of expertise across all sectors and industries.
An Underestimated Problem
First and foremost, it needs to be stated that the threat of cyber sabotage is often underestimated by the common folk. But what is cyber sabotage? As per the accepted meaning of the term, cyber sabotage is a catch-all term for state and non-state actors targeting computing systems, often those controlling the critical infrastructure of a nation. The sabotage can serve a variety of purposes, ranging from mere disruption of public services to create chaos, to ransom demands, to reconnaissance by enemy nations. The Government’s silence and lack of transparency in reporting incidents of cyber sabotage on the country’s critical infrastructure is the primary reason for the underestimation of this 21st Century threat. In order to elucidate the enormity of the situation, a few statistics must be brought to light. As per the information presented to Parliament by the Union Home Ministry in March 2021, based on data reported by the Indian Computer Emergency Response Team (hereinafter, “CERT-In”), India’s nodal cyber-security agency, the country saw a whopping 1.15 million cyber-attacks in 2020. This is a twenty-fold increase from the numbers reported in 2016. According to another report published by Subex, a Bengaluru-based Internet-of-Things and cybersecurity firm, India is one of the top five most cyber-attacked nations in the world, with attacks originating mostly from Slovenia, Ukraine, the Czech Republic, China, and Mexico. Most of the attacks are aimed at critical infrastructure, followed by the banking, defence and manufacturing sectors. Within critical infrastructure, oil and natural gas facilities are targeted the most.
Now that light has been shed on the scale of the problem, let’s glance at the qualitative aspects of some of these attacks. In 2018, hackers targeted Pune’s Cosmos Bank and successfully siphoned off Rs. 94.42 crore. Of this, Rs. 14 crore was transferred to a Hong Kong-based bank account, while Rs. 80 crore was withdrawn from ATMs in 28 countries. In another incident in 2018, hackers were able to gain access to the government’s UIDAI data of 1.1 billion users, and the same was openly offered for sale to willing buyers. In 2019, CERT-In identified malware directed at senior officials of ISRO by a North Korean hacker group known as ‘Lazarus’ around the launch of the Chandrayaan-2 mission. During the same year, hackers were able to steal information from India’s Kudankulam Nuclear Power Plant (KKNPP) in Tamil Nadu by breaching its administrative systems. As per experts, the stolen data can make it easier for hackers to target the operational systems of the nuclear reactor in future and cause large-scale physical damage.
Recently, in October 2020, a group of Chinese hackers known as ‘Red Echo’ disrupted Mumbai’s power supply by attacking the grid and bringing the city to a standstill. While Maharashtra’s power minister informed the state assembly on the same day that the Mumbai Cyber Police investigation had suggested a possible cyberattack, the Union Power Minister denied such an occurrence. CERT-In later detected malware in the supply chain, a month after the event. In March 2021, CERT-In averted a major cyber sabotage attempt on Telangana’s power supply by intercepting the attempt in advance and alerting the Telangana State Load Dispatch Centre and the Transmission Corporation of Telangana. The agencies were able to detect and remove the malware and isolate the suspected equipment well in time. During the pandemic, a significant increase in attacks on India’s critical healthcare infrastructure and on pharma companies as big as Lupin and Dr. Reddy’s, aimed at stealing sensitive research and patient data, has been observed. Ransomware attacks on the pharma sector have increased the most.
It has been suggested that the sophistication of the cyber-attacks on India’s critical infrastructure is improving by the day, thus calling for a more robust prevention, detection and reaction policy.
The Three Quintessential Steps
For dealing with the ever-looming threat of cyber sabotage, the policy framework should be broken into three key elements, namely: (i) detection of cyber-attacks; (ii) quick reaction to limit further damage; and (iii) a prevention mechanism involving robust system strengthening and the hunting down of vulnerable software and hardware used in critical infrastructure.
Issue of Delayed ‘Reaction Time’
While there is not much of a lag in detecting an active or concluded cyber-attack, India suffers a great deal due to delayed reaction time. This is primarily because of the lack of a strong, comprehensive policy in this regard. When cyber-attacks target different facilities in the country, authorities are often confused as to who should be approached to prevent further damage. The concerned ministries are often contacted, but red tape and relaxed bureaucratic attitudes often let much water flow before the dam’s gates can be shut. All of this occurs despite India having two nodal agencies to deal with these very issues in respect of critical infrastructure. The Indian Computer Emergency Response Team is a nodal agency established under the Information Technology Act, 2000 and administered by the Ministry of Electronics and Information Technology (hereinafter, “MeitY”). Another nodal agency, the National Critical Information Infrastructure Protection Centre (hereinafter, “NCIIPC”), is also established under the Information Technology Act, 2000 but is administered by the National Technical Research Organisation, which in turn is an agency under the National Security Advisor in the Prime Minister’s Office.
What often transpires is that this multiplicity of agencies and the lack of clear procedural guidelines lead to a delayed reaction time, which often has consequences on par with no reaction at all. Be that as it may, the true remedy lies in prevention, and that is where policy development needs to focus.
A Robust Prevention Policy: The Key to Dealing with Cyber Sabotage
In an era where India is facing almost 3,173 cyber-attacks a day, a detect-and-react approach to each of these attacks is almost impossible to sustain due to the colossal resources required to implement it. The best way forward is to strengthen the prevention policy. An efficient prevention policy in this regard should primarily have two components. The first component should deal with vigorous testing and certification of the software and hardware used in critical infrastructure like energy, telecommunications, healthcare, defence, etc. The second component should then aim at inculcating sturdy safety practices amongst the stakeholders involved.
The First Component
Currently, despite experiencing a legion of serious cyber-attacks on its critical infrastructure, India has only a scattered and inadequate policy as far as testing of software and hardware is concerned. This aspect is discussed in detail later in this article. The decisions allowing or disallowing the use of software and hardware from certain regions of the world are based mostly on knee-jerk political reactions rather than any form of scientific enquiry. For instance, in 2020, MeitY banned more than 100 Chinese mobile applications as being prejudicial to India’s sovereignty, integrity and national security, without any scientific enquiry whatsoever. Similarly, in March 2021, the Department of Telecommunications (hereinafter, “DoT”) under the Ministry of Communications announced that after June 15, 2021, telecom carriers can buy certain types of equipment only from government-approved trusted sources, and also declared that it could create a blacklist of companies, thereby banning their telecom equipment.
The bans and restrictions appear to be premised on the apprehension that this software and hardware might contain backdoors and logic bombs. This is also reflected in the Guidelines for Protection of Critical Information Infrastructure issued by the NCIIPC, where vulnerabilities in the shape of flaws, loopholes and backdoors used by attackers to manipulate or take control of a system, to access and steal information, or to degrade or deny the functioning of a system have been specifically pointed out. Logic bombs are pieces of often-malicious code that are intentionally written into software and activated when certain conditions are met. Backdoors allow unauthorised users to get around the normal security measures and gain high-level access to computer systems. Hardware can intentionally be manufactured with pre-incorporated backdoor capabilities. All of these methods serve as gateways for state and non-state hackers to directly sabotage the target nation’s critical infrastructure in adverse times.
While these apprehensions might well have some weight, government decisions cannot rest on political surmises such as treating some nations and their products as safe and other nations and their products as unsafe. International affiliations are always dynamic. Hence, such decisions should be based solely on an objective analysis after adequate testing of the individual software and hardware equipment. The meagre policy that exists in this regard is gravely incomplete. For example, MeitY’s Electronics and Information Technology Goods (Requirement of Compulsory Registration) Order, 2021 mandates the testing of products ranging from mobile phones to ATMs. However, there is no mention of testing the software components at all. Similarly, the Indian Telegraph Rules, 1951 (as amended in 2017) require mandatory testing and certification of telecom equipment prior to its sale or import in India. In pursuance of these rules, the DoT has published a list (available as “MTCTE procedure (ver 2.1/ Rel. May 2021)”) of all telecom equipment that is required to be tested. The problem here is that not all telecom equipment is required to be tested, and there is no mention of testing the software component at all. In electronics, a range of equipment works together in a chain for the technology to run. The equipment that is not required to be tested might in fact be harbouring the cracks that can be exploited by hackers. Software is an attack surface that is currently overlooked under Indian policy. The legal framework is thus incomplete and leaves plenty of room for cyber-attacks on critical infrastructure.
The Second Component
The second component of an effective policy to deal with cyber sabotage should involve inculcating strong safety practices amongst the stakeholders. Here the legal framework and policy cannot be faulted for being incomplete, but they are definitely scattered and uneven. Different ministries and regulators have formulated different rules and regulations to govern the cybersecurity framework in one area or another.
The Reserve Bank of India (hereinafter, ‘RBI’) in 2011 formulated the Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds, and in 2016 issued a follow-up circular on the Cyber Security Framework in Banks. The framework provides cybersecurity-related guidance to banks and sets up a mechanism for reporting cyber incidents to the RBI. Despite this, many banks continue to be targeted by advanced hackers, leading to the loss of depositors’ hard-earned money. While no single reason for this continuing failure can be pointed out, it appears to be the combined effect of scattered guidelines and the lack of actual technical oversight by a body expert in the field of cybersecurity. The Ministry of Finance is even considering setting up a sectoral computer emergency response team for the finance sector. In 2017, the Insurance Regulatory and Development Authority of India issued the Guidelines on Information and Cyber Security for Insurers in order to secure the sensitive data of policyholders. Similarly, in 2018, the Securities and Exchange Board of India issued the Guidelines on Cyber Security and Cyber Resilience Framework of Stock Exchanges, Clearing Corporations and Depositories in order to secure the Indian financial markets against incidents of cyber sabotage. Further, the Ministry of Power in 2019 created five of its own Computer Emergency Response Teams to deal with the snowballing cyber sabotage incidents in the thermal, hydro, transmission, distribution and grid operation areas. MeitY’s and DoT’s cybersecurity framework for the electronics and telecommunications space has already been discussed in the previous section. Similarly, intermediaries under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 are required to follow reasonable security practices and procedures in order to protect user data and to report incidents of cyber sabotage to CERT-In.
All being said, there is a conspicuous multiplicity of regulations, rules, guidelines, etc., on cybersecurity in India. Instead of having such a scattered framework, there needs to be a comprehensive cybersecurity legislation. Just as an effort is being made to bring all the personal-data-related aspects of technology under a single legislation in the form of the Personal Data Protection Bill, 2019, there is a strong need for an all-encompassing, comprehensive and extensive cybersecurity legislation as well.
The challenge of maintaining strong cybersecurity does not differ between industries, just as the hackers do not differ between industries. The threat is also not restricted by geographical boundaries. Cybersecurity legislation and policy require quick updating to keep up with the novel methods of disruption that hackers swiftly evolve. A scattered legal framework leads to scattered updating of knowledge and operations, thus putting some industries at a serious disadvantage relative to others. A comprehensive policy and legislation will remove this disparity and ensure a more robust mechanism to tackle the 21st-Century plague of cyber-attacks on critical infrastructure. Similarly, a single grand nodal agency well-equipped to detect and neutralise attempts at cyber sabotage will be much more efficient than multiple nodal agencies carrying different degrees of knowledge.
As pointed out in the previous section, the policy must also focus on inculcating a scientific, evidence-based approach towards the vulnerabilities in the software and hardware used in critical infrastructure. Blanket political knee-jerk reactions will lead nowhere. There is also a need to set up a far greater number of cyber labs in the country for adequate testing of software and hardware. Only a few cyber labs exist in the nation today, and they lack the latest technology that is required to tackle the novel challenges. It must be kept in mind that modern wars do not take place in open fields but behind puny computer screens. Strengthening cybersecurity is as important as securing the national borders.
Views expressed above are solely those of the author.