India has witnessed a major jump in cyber-attacks by foreign entities and governmental agencies have not ruled out the involvement of foreign hands aiming to disrupt India’s robust growth post the global Covid-19 lockdown.
The Times of India’s Sanjeev Singh spoke to Pavan Duggal, cyberlaw expert and Advocate, Supreme Court of India on how India needs to focus on a robust legal framework against cyber-attacks which are only going to increase in the coming years.
Q1: The Centre and Maharashtra government seem to have different opinions on the reasons behind the 2020 Mumbai outage. Your thoughts?
A1: If a cyber-security company outside India is consciously looking at the traffic coming and targeting the Indian critical information infrastructure. It is updating the Indian government and coming up with a report. Then that report needs to be seen in a holistic and objective manner. There is no denying the fact that India has been a target of cyber-attacks by state and non-state actors. The reason is because India is bouncing back to economic growth and revival. This growth has not been to the liking of a number of state and non-state actors. Trying to hold India’s progress looks like a logical corollary.
The issue of targeted cyber-attacks on Indian critical information infrastructure should be a logical priority. To say that India is completely safe, and we will never be attacked, is something that has no connection with ground reality. We are being attacked 24/7 and we need to have a more realistic approach on how to deal with this. Till now, India has only adopted a lip service approach to cyber-security. Here also, there are two distinct divergent thought processes among different sets of ministers.
Q2: The Mumbai outage was fixed quickly. Is there any reason to worry?
A2: Fortunately for us, the Mumbai outage was only for a couple of hours and things were restored. What would have happened if the outage had gone for another 15-16 hours? What would have happened if the Ukrainian cyber-attack model had gotten replicated in India? The Ukrainian power grid was specifically targeted by Russian hackers in 2015. Large parts of Ukraine had gone into complete darkness. We still don’t know what kind of audit has been done by the power corporation. Later, they found many hackers were still sitting inside, silently watching things happening. It’s very important for us to wake up to this ground reality. Let’s take for granted what’s been given in this report is factually inaccurate. But there’s nothing stopping us from reviewing the situation.
Q3: How has Covid-19 affected cyber-attacks?
A3: Cyber-attacks have become common in the last couple of years. But the coming of Covid-19 has ushered the golden age of cyber-crime. We have never seen this kind of cyber-criminal activity at this stature and frequency. It is natural to expect these attacks will target where it hurts the most. They target the country’s critical information infrastructure like electricity, power, banking, insurance, governmental networks and healthcare. The two prime targets are power grids and health related services.
Q4: How do these cyber attackers operate?
A4: The modus operandi is very clear. The attackers operate from the dark net most of the time. This helps them hide their electronic footprints. Even if law enforcement agencies try to investigate, they may not be able to do so. They are very proficient in obliterating their electronic footprints. This makes it tougher to attribute these attacks to a particular cyber actor. These groups focus on identifying those targets which don’t have a legal framework or adequate attention is missing. They focus on breaching vulnerable targets. Unfortunately, India has many vulnerabilities in the governmental systems including in the critical information structure.
Q5: can we expect more attacks in the future?
A5: I expect more attacks to come. We are bound to be targeted far more. We should focus on pre-empting this. We should have an appropriate mechanism and revisit the cyber-security infrastructure. Countries like China are miles ahead of us with three national legislations on cyber-security. India is still steeped in a historical mode. We still have not come up with a dedicated cyber-security law. The Indian IT Act 2000 is not adequate to deal with the challenges of cyber-security. India requires an enabling legal framework. We require to straddle stakeholders with appropriate responsibility for protecting and preserving cyber-security. A large chunk of critical information infrastructure is both in public and private sector hands. We will have to have a collaborative model on cyber-security. We need to create more awareness on cyber-security.
A6: Does India have an adequate legal framework to deal with cyber-attacks?
A6: We have been very soft on cyber-security. We have had data breach notification which mandates all corporates to report all such breaches from January 2017. Nobody really reports cyber-security breaches to the government. In February 2021, the government implemented the IT intermediary guidelines and the digital media ethics code. They have announced specific requirements for all intermediaries to mandatorily report all cyber-security incidents. Hopefully things should change. As of now, it is a very relaxed atmosphere. Somehow Indians excel in the idea of jugad school of management. What we don’t realise is that the electronic ecosystem does not give you a second chance.
In Video:How economic growth and revival has led to more cyber attacks on India?