Cyberattacks: India needs to harden its defences

The recent hacking attack on the All India Institute of Medical Sciences (AIIMS) has again brought to the fore the state of India’s cybersecurity preparedness. The breach may have harvested the sensitive personal and healthcare data of millions of patients and VIPs using this premier medical facility. Delhi Police has denied that the hackers made any specific ransom demand, but some reports speculate the involvement of China-based hackers.

This isn’t the first time that India has faced such an attack. In 2017, the NotPetya ransomware disrupted operations at Mumbai’s Jawaharlal Nehru Port Trust. But barring such prominent breaches, other ransomware attacks have gone unreported. According to Sophos’ ‘The State of Ransomware 2021’ report, India topped the ransomware victims list, with 68% of respondents reporting that they were hit by ransomware in 2020.

In the past few years, India has witnessed ransomware and other kinds of penetrative cyberattacks targeting national and commercial critical infrastructure– services that need to be continually functional. Any disruption or manipulation of these can have catastrophic consequences and cause kinetic damage. The sensitive data pilfered through these breaches has often been traded on darknet marketplaces, available for those willing to pay.

The geopolitical dimension of these cyberattacks is important. India’s adversaries have utilised cyberspace to coerce and send a political message. For instance, during the ongoing border stand-off with China, Beijing-backed hackers have repeatedly breached India’s power grids – the two known instances being Mumbai (October 2020) and Ladakh (reported in April 2022). Likewise, Pakistani hackers have targeted India’s power sector and government departments.

Also Read | India: Threatened by Cybergeddon?

In response, India has made cybersecurity a policy priority in the last decade through two landmark measures: the Information Technology Act (2000), amended in 2008, and the National Cyber Security Policy (2013). Several sector-specific guidelines and technical frameworks accompany these. There are also multiple agencies dealing with a specific aspect: National Critical Information Infrastructure Protection Centre (NCIIPC), Reserve Bank Information Technology Private Limited (covering cybersecurity, audit and assessment of Reserve Bank of India-regulated entities), Computer Emergency Response Team-India (nodal technical agency for countering cyber threats), Indian Cyber Crime Coordination Centre (lead agency for tackling cybercrimes) and Defence Cyber Agency (addressing military’s cyber issues).

Additionally, India created the office of National Cyber Security Coordinator in 2015 to synchronise efforts among the above-mentioned government agencies. There is also a greater focus on augmenting technical skills and forensic capabilities to investigate cybercrimes.

This sustained focus has helped India move up to the 10th position in the International Telecom Union’s Global Cyber Security Index in 2020 from the 47th in 2018.

Yet, as the hacking attack on the AIIMS has demonstrated, the government must do more. The NCSP, which is being recast as a National Cyber Security Strategy, has been inordinately delayed due to the inability of different government departments to assign the primary responsibility to safeguard cyberspace. This necessitates improving inter-agency coordination and fixing accountability within the government. Furthermore, the NCIIPC must step-up coordination with the private sector, by devising security standards, ensuring stricter auditing and evolving an incident-reporting framework. Also, a greater general focus on expanding cybersecurity awareness and inculcating cyber hygiene among organisations and employees will be helpful.

These domestic initiatives are necessarily part of larger international collaboration to bring to justice the perpetrators of cybercrimes. India is already a part of the US-led International Counter Ransomware Initiative, but it is not part of the Budapest Convention on Cybercrime.

Besides, India has not publicly attributed cyberattacks to their perpetrators or adversarial state actors. As the frequency and intensity of cyberattacks increase, India will need to revise its approach to harden its cyber defences and deter its adversaries.

(The writer is Senior Fellow, Strategic Studies Programme at the Observer Research Foundation. He is the author of the book Securing India in the Cyber Era, published by Routledge in 2021.)