Dealing with cyber-attacks

India needs a carefully calibrated strategy

The revelation that Chinese hackers knocked out Mumbai’s power supply on October 23 last year should not have come as a surprise. Sino-Indian tensions had escalated, and cyber-attacks with tacit state sponsorship were a hi-tech dimension of power-projection. A cyber-security organisation, Recorded Future, released a report earlier this week claiming Mumbai’s power supply was knocked out by a Chinese hacker group, “RedEcho”, which also targeted and penetrated many other nodes on India’s national power grid and other organisations. In addition, other important Indian institutions, such as banks and ports were targeted. At least 40,300 attempts to hack into India’s infrastructure occurred after the Galwan clash. Reported Future claims it contacted CERT-in with its findings and received an acknowledgement. This is one example of how malware inserted into electric grids or other critical infrastructure has become the newest form of both aggression and deterrence. It is a warning that millions could be made to suffer. While it is possible to “harden” specific institutions against attacks, there will always be soft targets. This is especially true in a large nation like India, with many public-facing portals, offering various services. Also, while India has a huge cyber population and is the world’s largest data-consumer, most Indians are unaware of the need to take basic security measures. This can be deduced from the fact that there are repeated huge security breaches, exploited by hackers to steal valuable data.

Dealing with such cyber-attacks requires the technical capacity to implement sophisticated defensive and retaliatory measures. India will have to build this technical capacity, and demonstrate it in a calibrated fashion. More importantly, it will have to work through the possible strategic consequences of cyber-sparring, by meticulously gaming escalatory scenarios. The 21st century dependence on “smart assets” increases cyber-vulnerability. Attacks don’t directly cause loss of life while potentially crippling anything from power supply, to communications, transport, banking and other services. Thus, an effective cyber-attack can bring normal life to a halt and, of course, impede military response. Moreover, it carries a degree of deniability, which makes it very useful in geopolitics. Hackers operating out of Russia, for instance, have twice taken down the Ukrainian power grid, and jammed Georgia’s Internet during the Ossetia War. A sophisticated worm, Stuxnet, crippled Iran’s nuclear centrifuges. This is said to have been created and deployed via Israeli-US cooperation. Russian hackers recently targeted the US power grid, and multiple US government agencies, and the US claimed retaliatory measures.

The only real defence against attacks of this nature is the ability to credibly counter-attack. This leads to a mutual standoff, albeit one less devastating than nuclear posturing. The US, for example, has stated it seeded malicious code into Russia’s grid as a warning, after the SolarWind attacks targeting multiple US institutions was discovered. Creating offensive and defensive capacity would mean a massive expansion of CERT-in and other agencies tasked to respond. The ability to retaliate has to be backed up by careful calibration, and the strategic courage to indulge in brinkmanship. This last quality may be difficult to acquire. But until it exists and is seen to exist, India’s cyberspace will remain vulnerable.