#xvi Beyond Citations | Building India’s cyber resilience
Insights from Asia Policy’s roundtable on cyber resilience in the Indo-Pacific.
Programming note: Beyond Citations will be on a summer break over the next three weeks. Regular programming resumes on June 16.
It has been an eventful month for cybersecurity professionals and experts in India. Cyber tit-for-tat between India and Pakistan had immediately followed the terror attack on tourists in Kashmir’s Pahalgam. Cyberattacks on India, including on its critical infrastructure, only intensified during the Operation Sindoor (7–10 May). While swarms of drones and missiles tested India’s air defences, incessant cyberattacks mounted by actors including those identified as Advanced Persistent Threats (APTs) tested India’s cyber resilience.
At the other end of the Indo-Pacific, the US is finding communication devices in China supplied power inverters used in the renewable energy infrastructure. According to Reuters which broke this story:
However, rogue communication devices not listed in product documents have been found in some Chinese solar power inverters by U.S experts who strip down equipment hooked up to grids to check for security issues, the two people said.
Over the past nine months, undocumented communication devices, including cellular radios, have also been found in some batteries from multiple Chinese suppliers, one of them said.
If your adversary is burrowed deep inside your energy infrastructure through compromised hardware and software, imagine the consequences when hostilities break out. Discovery of such ‘backdoors’ serves as a warning for India as well. India’s electricity grid has already been compromised by China in the past, according to a New York Times report.
Facing both cyberattacks — India is one of the most cyber-attacked countries in the world — as well as the risks from potentially compromised hardware supply chains, how can India build cyber resilience?
The Asia Policy journal published by the National Bureau of Asian Research recently carried a series of four roundtable essays on cyber resilience in the Indo-Pacific. The following essay by Arindrajit Basu in the roundtable focuses on India’s cyber resilience:
Basu, Arindrajit. India’s Cyber Resilience: Strategy, Financing, and Collaboration. Asia Policy, Vol. 20, No. 2, pp. 10–24. https://www.nbr.org/publication/cyber-resilience-in-the-indo-pacific/
Basu begins the essay by providing a grim overview of the cyberthreats faced by India. He then unpacks various elements of what constitute resilience: resist, recovery and adaptation. On the resist front, Basu notes the existence of 2013 India’s National Cyber Security Policy and the institutional structure dealing with cybersecurity — Computer Emergency Response Team-India (CERT-In) and National Critical Information Infrastructure Protection Centre and National (NCIIPC) among others. But at the same time, Basu flags the lack of a comprehensive national cybersecurity strategy in the public domain.
The lack of a single, publicly available document does not indicate an absence of institutions, legislation, and other documents that help us evaluate India’s overarching approach to cyberspace. That said, clear and confident normative articulation in an overarching strategy that is compiled with inputs from the broad array of governing institutions would provide clarity to stakeholders and underscore India’s global reputation as a responsible cyberpower.
On the recovery front, the author notes the guidelines issued by CERT-In and NCIIPC over the years, he flags that the ‘specifics’ of how these institutions respond to reported events are not shared with the public or the incident reporters.
On the adaptive front, Basu analyses budget documents to find that the utilisation of budget allocated to cybersecurity organisations has increased over the last few years. The author also details how India’s cybersecurity architecture is working and collaborating with the private sector as well as counterparts in other countries.
Basu ends with a key recommendation for building India’s cyber resilience:
Disclosing the government’s strategic thinking and overarching approach on issues such as cyber partnerships, the debates over global cyber norms, present and future cybersecurity financing, and the conduct of cyberoperations would go a long way toward cementing India’s global and domestic reputation on cyber issues. CERT-In’s annual reports, which list various achievements and collaborations, are a useful starting point, but they stop short of articulating a broader strategic framework that can explain India’s approach to cyber resistance and adaptation.