The Long Slog for Cybersecurity in India

Cherian Samuel
Research Fellow, Institute for Defence Studies and Analyses

As connectivity increases, India is beginning to put in motion efforts to secure its government and private networks. Like other countries, India is experiencing an abundance of cybercrime, hacktivism, and cyber espionage. The Cipher Brief spoke with Cherian Samuel, Research Fellow in the Strategic Technologies Centre at the Institute for Defence Studies and Analyses in New Delhi, about the threats facing a digital India and the state of cybersecurity policies to harden the country’s networks.

The Cipher Brief: What is the current state of cybersecurity in India? Where is the country’s national security most vulnerable?

Cherian Samuel: The current state of cybersecurity in India swings between hope and despair. On the one hand, awareness about cybersecurity issues at the policy level has never been better. On the other, this awareness is yet to translate into actions with consequences, by virtue of the fact that cybersecurity is a long slog, requiring sustained cross-sectoral efforts and international cooperation. Enabling mechanisms are yet to develop, both domestically and internationally, even as connectivity scales up exponentially, leaving a larger mass of the population at risk.

That said, enterprises and citizens are currently most vulnerable in the financial sector, largely because there has been a sudden surge in online financial activities following the decision to remove 85 percent of cash out of circulation. This has brought a large number of cyber neo-literates into the banking system with over 20 million new bank accounts being created in the last two months alone. The move has also put increased strain on financial infrastructure that was already under assault by cybercriminals who see the country as easy pickings. As the investigations into recent cybercrimes show, the criminals are getting increasingly sophisticated while law enforcement is yet to acquire the skill sets to deal with cybercrime. The recent breach of Hitachi payment systems further serves to underline the seriousness of the problem.

With much of the infrastructure in private hands, the government has been largely focused on strengthening the ability of critical information infrastructure to withstand and recover from attacks, getting the private sector to share information, and building up agencies such as Indian Computer Emergency Response Team (CERT-In) and the National Critical Information Infrastructure Protection Centre to serve as nodal agencies to build up capabilities and respond to the threats in cyberspace.

TCB: What government efforts and private sector initiatives are being undertaken to better secure these industries?

CS: Security has been built up through executive fiat and public-private partnerships, since much of the infrastructure rests in the hands of the private sector. Crucial sectors of the economy such as energy and finance have been the subject of successive reviews and attempts to build up models of information sharing and real-time response to attacks. Preventive efforts have included creation of tools to identify and clean botnet-infected computers, regular advisories from CERT-In on vulnerabilities, as well as courses for network administrators. However, these efforts are inadequate to counter the rising trend in the sophistication and frequency of attacks. The government is handicapped by its dependence on foreign vendors for most software products since domestic companies have been found wanting when it comes to scaling up products and services. Even when security solutions contracts have been awarded to Indian companies, they have been known to outsource execution to foreign companies. This brings up the issue of insider threat, with third parties, or own employees, leaking data, inadvertently or otherwise.

TCB: Who are the major malicious actors that Indian security experts are worried about in cyberspace?

CS: India has faced attacks from nonstate actors, cybercriminals, and hacktivists. Nonstate actors, backed by the usual suspects, have largely engaged in cyber espionage by hacking into government networks while cybercriminals have been feeding off the ever-expanding landscape of Digital India. Hacktivists identifying themselves as part of the larger Anonymous collective and so-called patriotic hackers have also targeted Indian networks and systems, but there has been no means of verifying whether they are acting independently or under the direction of unseen hands. Many of their threats and claims have largely turned out to be exaggerated. On the other hand, since companies are reluctant to publicize breaches, it is difficult to get an accurate measure of the problem. Smaller and medium-sized companies have also been hit by ransomware attacks, and by all accounts have paid up in the absence of any other recourse. So far, cyber has been a weapon of mass disruption, but if one can disrupt, one can destruct, and there’s no saying when that line will be crossed, and by whom.

TCB: What kinds of offensive cyber tools is India developing and deploying themselves, particularly for cyber espionage?

CS: The Indian government has taken the stance that offensive cyber activities are destabilizing and therefore should not be a part of official policy or doctrine. Even the Armed Forces are primarily concerned with defending their networks from intrusions. However, incessant cyberattacks and intrusions have meant that organizations have, willy-nilly, taken it upon themselves to develop countermeasures which could also include active or aggressive defense measures. This has been partly done through developing in-house capabilities as well as through recruiting technically qualified youngsters and private companies. This approach, however, suffers from several deficiencies and inconsistencies and is not sustainable in the long run. The arms-length relationship ends in diminished oversight, which can result in rogue actions. It also makes it difficult to have a reliable assessment of capabilities, since they cannot be benchmarked.

TCB: How is India involved in forming international norms surrounding conduct in cyberspace? What kind of cooperation is taking place between the United States and India in the realm of cybersecurity?

CS: India has participated in many of the norm-making mechanisms related to cyber-security though it has largely been an outlier, taking positions that it sees as central to its interests but which have not found traction with other countries. This has been the case with its proposals before the International Telecommunication Union, the United Nations agency for information and communication technologies. As a consequence of formally signing up to the multi-stakeholder process, India has begun to more actively participate in organizations such as the Internet Corporation for Assigned Names and Numbers (ICANN), the de facto global internet governing body, and is also holding the next iteration of the Global Conference on Cyberspace under the aegis of the London Process, a state-sponsored summit originally initiated to propagate the values and ideals of a global and open cyberspace. While the United States and India have had a history of sustained consultations on cybersecurity, with a number of agreements being signed between relevant agencies of the two countries, including an overarching Framework Agreement in 2016, these developments are yet to make a visible difference to India’s cybersecurity.

These are personal views and do not reflect the views of the Institute or the Government of India.

The Author is Cherian Samuel

Cherian Samuel is Research Fellow in the Strategic Technologies Centre at the Institute for Defence Studies and Analyses. He has written on various cyber security issues, including critical infrastructure protection, cyber resilience, cybercrime, and Internet governance. 
