A fledgling issue of a miscalculated measure but of critical pertinence, the complication of “Cyber-sabotage” is an all-encompassing phrase that refers to state and non-state actors targeting computing systems, often those that govern a nation’s vital infrastructure of critical and strategic importance. Such disruption-tactics can range from causing minimal impediments of public utilities to designing absolute mayhem by subjecting a Nation to incessant surveillance, or by hindering the access of a Nation to its assets of paramount importance – with the only way the affected Nation could retain the control of such assets back is by acceding to the demand of a ransom. Surprising and saddening as it is, the foremost cause for concern in these digitally sensitive times is the executive machinery’s discomforting quietness & furtiveness, as well as its disinterest towards openness, in disclosing the occurrences of cyber-sabotage on the country’s key infrastructure & critical assets. In order to fully grasp the magnitude of the problem, a look closer back home in India would be of particular interest to gain an intuitive insight into the magnitude of the predicament we are looking at.
The nodal national cyber-security agency of India has reported a colossal 1.15 million cyber-attacks in March 2021, according to the statistics provided by the Union Ministry of Home Affairs of the Government of India. This is an alarming twenty-fold hike in the reported instances of infractions over the 2016 figures. These disturbing stats are also buttressed by reports from independent and non-governmental firms & companies that India has now become one of the five most cyber-attacked nations. The majority of such cyber-attacks are aimed at dismantling vital assets of pivotal importance, with the banking sector, the defence infrastructure, and the oil & natural gas installations being the most recurrent targets amongst the lot – not to mention the pervasive magnification of the instances of ransomware attacks on the medicare and the pharma sector, especially at a time when the medical infrastructure of India was infirmly decrepit under the bludgeoning blows of the Second Wave.
Hence, taking into account the skyrocketing of the cases of cyber-attacks on India’s critical assets and strategic infrastructure of vital importance – a robust and rugged policy of Interception, Espial, and Response is the need of the hour. To better appreciate where the deficiencies of India’s cyber-security bulwark lies, let us understand first how the chassis of the Indian cyber-security framework looks like. Essentially, this framework functions on three central facets, i.e. – One, the identification of any attempts or attacks of cyber-sabotage; Two, a swift & speedy response system to a cyber-attack, thereby curtailing the attacker from inducing any additional harm, and; Three, interception of any incoming cyber-attack or an attempt of cyber-sabotage before it is able to penetrate a pregnable software or hardware component of a critical asset.
STURDY CHAINS AND WEAK LINKS
As much as India possesses an enviably fortified cyber-security defence set-up, however an ineffectual & callous response system acts as a fly in the ointment to its efficaciousness – perhaps, this weak link in an otherwise formidable framework can be attributable to the success of most of the cyber-attacks that India has witnessed in the past decade or so.
Woeful as it may seem, even in the face of frequent infractions of its cyberspace and in the tall claims of being a “cyber superpower”, the administrative setup of India often functions in a disorganized and disoriented fashion whenever pitted up against a cyber-attack – in the lack of specific organizational mandate, there lies chaotic confusion amongst its agencies and authorities, as who should finally have the jurisdiction over a particular instance of transgression. To add to the despondent state of affairs, the lackadaisical approach of the Indian bureaucracy to issues of grave & pressing concerns, coupled with its primordially deep-rooted affliction of “red-tapism”, often generates a response which is far too little, far too late – and, all of this ineffectuality in the response-system occurs even after the presence of two highly modernized & sophisticated nodal agencies which are tasked exclusively with providing cover on the cyber-front to the critical assets & vital infrastructures of India.
The nodal agencies that are being referred to here are,
One, the Indian Computer Emergency Response Team (“CERT-In”) – established in the year 2004 under the Information Technology Act, 200 (“IT Act”), with the Ministry of Electronics & Information Technology (“MEITY”) being in charge of its affairs and functioning.
Two, the National Critical Information Infrastructure Protection Centre (“NCIIPC”) – established in the year 2014 under the IT Act as well, with the National Security Advisor of India administering over the NCIIPC via the National Technical Research Organization (“NTRO”).
In the dearth of a clear course of action and a coherent & comprehensible line of communication between the agencies & authorities concerned, the end result is a dawdling & dilly-dallying response to a cyber-attack – and even if we were to pin our hopes on a diligent administrative revamp & restructuring aimed at a more streamlined functioning of the cyber-agencies and authorities in the near future, it would be a pipe-dream to expect an immediate change in the state-of-affairs immediately after such an overhaul. And for this very reason, our attention should be concentrated less on the response-system, and more on the development and advancement of prevention mechanisms – for, that is where the true panacea lies to the maladies of the disconcerting concerns of cyber-sabotage.
THE REAL ‘TROJAN HORSE’ IN INDIA’S CYBERSPACE FRAMEWORK
It is practically unworkable to detect and respond to each and every cyber-attack or attempt at cyber-sabotage aimed at India – let us not kid ourselves here, India faces thousands of such transgressions on a daily basis (perhaps far more, considering that not all cases are reported), and owing to a dearth of resources at the disposal of the concerned agencies and authorities, it is impracticable to put to effect the “detection-response” modus operandi.
Without question, our best bet then to tackle the virulence of violations on the virtual front is to bolster the strategies which can aid in preventing such cyber-attacks from happening in the first place – and such a “prevention” policy should ideally peruse a two-pronged approach:
Prong One: A robust and rigorous evaluation and certification of the components (both of software and hardware) that is being put to operation in critical assets and vital infrastructure (like, in the defence and security of the nation, for health & medicare, in communications & information technology, to name a few)
Prong Two: To instill and engender reasonable and practical standard operating procedures (“SOP”) amongst all the relevant stakeholders, with the view of increasing the awareness on the importance of observing protective security practices in the cyberspace
In recent times, many of the administrative decisions that have been taken with respect to acquiring software or hardware components made, manufactured, or assembled outside the territory of India escape reason in toto, and reek a lot of knee-jerk backlash riding high on the horse name nationalism. To buttress this assertion, let us go back to the abrupt ban foisted on over 100 Chinese mobile applications last year on the grounds of such apps being deleterious to the interests of sovereignty, integrity, and national security of India – and, I don’t wish to insinuate a challenge to the Governmental wisdom here. However, what is suspect is that such a disruptive decision was taken without any due factual or technical investigation of a scientific nature to scrutinize the dangers of such apps – however, if there was an inspection of this kind that was undertaken, it begs the question: why were the results of the same never made public?
Please read concluding on thedailyguardian.com
Let us consider yet another example – the Department of Telecommunication (“DoT”) proclaimed an official pronouncement, whereby it amended the licenses of telecom carriers to mandate the use of equipment only from “trusted sources” with effect from the mid of June of this year – simply put, no telecom carrier can buy a software or hardware component from a seller post-June 15 of 2021 which isn’t approved by the government, anymore. To add to the questionable series of events, as per this notification, the Designated Authority (appointed by the Government, mind you) can also create a list of such sellers whose software and hardware equipment shall be blacklisted, and with whom any sort of transaction shall jeopardize the interests of telecom carriers. The modus operandum of the DoT notification bears an uncanny resemblance with the banning of the Chinese apps last year – there is no account of what the basis of the administrative acuity behind the decision was, and it, unfortunately, seems like a step taken merely on the perception that such software and hardware components made, manufactured or assembled by certain companies of certain nations “may” serve as the stairs of backdoor surveillance.
Arguendo, even if the justification of such apprehensions of a looming threat to the nation’s assets by such pieces of equipment were to carry weightage – nonetheless, an action exclusively on populist premises, and not on investigative reason and rational, is daftly imprudent. Disheartening as it is, the Electronics & Information Technology Goods (Requirement of Compulsory Registration) Order, 2021 (“Order of 2021”) of the MEITY is perhaps the only policy document of consequential value that affirms the logical rationale of amply testing hardware pieces of equipment first, and thereafter objectively scrutinizing the data of such testing. In close parallels, the Indian Telegraph Rules, 1951 (“Rules of 1951”) mandate for a compulsory assessment of any telecom hardware before it can be given the green light to be sold in or imported to the domestic market in India. In furtherance of the Rules of 1951, the DoT has issued a public list of all telecom components and pieces of equipment that have to be mandatorily tested before they can be put to commercial or personal use in India. However, the catch is that be it in the Order of 2021, or the Rules of 1951, or the public list of the DoT – the scope of mandatory testing applies only to hardware pieces of equipment, and not to the software components.
The functioning of any electronic system is premised on a symbiosis of both the hardware component and the software element – and only the Heavens know why the current legal fabric does not necessitate a compulsory checking of the software element, especially in light of the fact that almost all reported cyber-attacks aimed at India were directed at destabilizing the software-element first!
A lot of us have envisaged the Personal Data Protection Bill, 2019 (“Bill of 2019”) as the light at the end of this dark tunnel; as a one-pit stop solution to all the infirmities of and the loopholes afflicting India’s cyber-security framework, once the Bill becomes an Act – and that thought is misguided. On one hand where the Bill of 2019 aims at protecting the personal data of Indian citizens, what we need is an exhaustive and extensive cyber-security law – which not only plugs the already existing loopholes but also fosters the notion of an all-encompassing research-and-development-induced culture while addressing the issue of cyber-sabotage.
In this game of playing catch-up, Technology is far, far ahead of Law. Metaphorically speaking, if the two of them were to play a game of football; Technology would have scored a few hundred goals before Law would get to know where the goalpost is – in a lighter vein, after all kanoon andha hai.
Jokes apart, on a more realistic note – in India, for metamorphosing from a Bill to a Law, the journey encompasses an extensive legislative process; perhaps, even judicial scrutiny in some instances. On the other hand, Technology advances overnight! And with every technological progression, comes out novel ways in which such technological advancement could be put to a perverse usage – just like we have witnessed over the past decade or so the myriad mutations and variations of the means and manners in which cyber-attacks can be conducted.
And perhaps this solicitude is what makes the significance of the advent of a novel cyber-security enactment all the more consequential. Not only would this particular legislation have to keep up with the newfangled and disruptive ways of cyber-criminals, but it will also have to create a singular nodal agency or authority to address all issues and instances of cyber-sabotage – the creation of this sole authority or agency will go a long way in having a streamlined approach to any particular infraction of the Indian cyberspace. At the present time, we are not endowed with such an approach due to an overlap of mandate between multiple agencies and authorities, and a disarray that follows subsequently with regards to which authority or agency holds competent jurisdiction over an instance of a hack. And very importantly, the need for a new legislative enactment is of paramount importance to place a bar on the administrative authority from taking impulsive and hasty decisions which per se have no objective backing to them – perhaps the only way to diminish the fallout of a cyber-attack on an asset or infrastructure (critical & vital, or otherwise) is to infuse a culture of approaching every vulnerability with a systematic and scientific outlook.
They say an outdated Law, which perhaps doesn’t serve the society today as it did a certain yesterday, is like quicksand – and it ultimately ends up engulfing the same society it was made to serve. Perhaps, the most formidable adversary to India’s virtual defences is not a black-hat hacker operating from a distant, far away land – it is our rambling cyber-security architecture that is in utter shambles. The enemy within is the antiquated legal framework governing our cyberspace, which has lived far beyond its expiry date.