Our digital assets under serious threat. We need a comprehensive cybersecurity policy and a dedicated cybersecurity crack commando team
Keep the early September Uri attacks in mind. Now, there are three questions. First question: Are we a nation of nice guys, a bunch of softies who will hold our punches no matter what the provocation? Second question: Will we keep twiddling our thumbs as our national assets and people are attacked mercilessly day in and day out? Third question: Are we so weak that we cannot teach the mischief makers a ‘propah’ lesson?
With the exception of sundry yeas here and there, most of us would shout out an unqualified and a resounding no to the three questions. There is a long and credible track record to prove that while the Indian State is patient, as one would expect from a system infused with a democratic DNA, it can hit hard, fast, with precision and decisiveness when pushed over a tipping point. The late September surgical strikes proved that. It took just about three weeks for India to hit back.
Keep the October cyber attacks on banks in mind. “What attacks?” would be a common response. Sometime in the middle of October, about three weeks after the surgical strikes, State Bank of India and Axis Bank were over-run by cyber attackers. Ostensibly it was a malware attack, but people in the know saw in the attack patterns that could only be organised by a determined group of hackers backed by a State entity. Over 1 million accounts were compromised, and SBI had to reissue debit cards to more than 600,000 Indians. To project the magnitude of the attack in the real world, it’s akin to groups of fidayeen terrorists overrunning hundreds of SBI and Axis Bank branches, guns blazing and taking down vault after vault.
Now, I want to ask the same three questions. Are we a bunch of softies? Do we allow ourselves to be attacked day in and day out? Are we weak? Exceptions aside, most of us would tick mark an unqualified yes to the three questions. After the October big blitz, within ten days, there were over 50 attacks on Indian IT companies and other institutions originating directly from Pakistan. One example should suffice: A Pakistani hacker group calling itself ‘D4RK 4NG31’ waltzed into the National Green Tribunal (NGT) website and posted this: “We are unbeatable. You… kill innocent people in Kashmir and call yourself defenders of your country. You…violate the ceasefire on border and call it ‘surgical strikes’. Now kiss the burn of cyber war.”
They are right. We are at cyber war. Do you still doubt it? Here’s a poser for you then: How do you think the top secret blueprints of Scorpene submarines meant for Indian Navy found its way to the Australian press? Legion hack attack is just one blimp in a long raging series of bloodless attrition. What’s it about this war that does not get our adrenaline pumping? Is it because it’s a battle that doesn’t claim lives visibly? Or is it because we don’t see our digital and cyber assets as national property, as something needs to be protected as well as our borders, lands and people?
India is transforming itself from an analogue society to a digital nation: everything from financial, utilities, governance and civic services, home security to entertainment and, why, even one’s own identity is digital. In such a scenario, national security cannot be divorced from cyber security, cyber attacks and cyber warfare. It should perforce include the security of digital assets, networks and smart systems. A cyber attack consists of a broad range of activities: a virus or worm taking over an operating system of a computer is an attack, so is if it brings down an entire power grid or the process infrastructure, as the American-Israeli Stuxnet worm did to the Iranian nuclear power plants.
For long, we have looked at cyber security as simply an issue of protection of specific digital devices against a malware or a virus. It is to an extent, but it is also much beyond that. Again, for long, we have also been fed a narrative that sees cyber security as a part of a conspiratorial state-corporate elite meta-strategy to take control of society and polity. Again, it could be to an extent, but the narrative needs to be applied with more rigour and intellectual honesty to see if it is appropriate in all contexts.
Clearly, a lot more needs to be done to secure India’s national digital assets. Even though India set up the National Technical Research Organisation (NTRO) with a specific mandate to ‘develop technology capabilities in aviation, remote sensing, data gathering and processing, cyber security, cryptology systems, strategic hardware and software development and strategic monitoring’, it has been dogged by a lack of direction and several controversies.
It’s under the Research and Analysis Wing (R&AW), but its autonomy is patchy. Several other organisations with overlapping functions have been making life difficult for NTRO. Despite recognising the threat of Chinese and Pakistani hackers, and setting its own team of ethical hackers, the NTRO still doesn’t have a comprehensive and integrated policy to secure India’s digital assets. India is a growing economy, and it’s only a matter of time before India starts leaving its digital footprints on the global stage. The time is also right that India recognises cybersecurity as the fifth dimension of warfare and accord cybersecurity the priority it deserves. It’s time India declares its public and private digital infrastructure as a strategic national asset.