The National Cybersecurity Policy is yet to be updated, seven years after the last one was released; bear in mind, threats and vulnerabilities are evolving almost literally by the minute.
The Maharashtra government has claimed—based on a probe report of the state police’s cyber-cell—that the October 12 power outage in Mumbai was an act of sabotage. The government, in a press briefing, said that the probe report revealed that there were multiple suspicious log-in to the servers of the power supply and transmission utilities by accounts operating from a clutch of South Asian countries.
While the Mumbai Mirror cited an unnamed source to say in a report that similar cyber-attacks have been targeting the city’s power supply since February—indeed, in June, there was a swarm of 40,000 such attacks, from suspected Chinese non-state actors—the state government hasn’t made the report of the cyber-cell public. Against growing concern about countries resorting to cyber-attacks with debilitating effects over a large geography, that the government should be taciturn on informing the public is rather unfortunate. Indeed, with most of the available information being from unnamed sources in media reports, the picture on the exact nature of the attack and the vulnerabilities in each link within the system is not clear.
While effective communication is only one part of the problem, the bigger issue is that India seems to have learnt little from past breaches of its cyber defences. Cyber-attacks on key utilities have become worryingly frequent: The Jawaharlal Nehru Port Trust was attacked in 2017, and the government had to send its cybersecurity head to investigate the matter. While that should have served as a warning, last year, hackers got access to administrative servers of the Kudankulam Nuclear Power Plant. Even after, the response seems to be marked by lethargy.
The National Cybersecurity Policy is yet to be updated, seven years after the last one was released; bear in mind, threats and vulnerabilities are evolving almost literally by the minute. The Union government is yet to decide on the contours of the national data protection policy, which has a bearing on cybersecurity. More so, as this newspaper has highlighted earlier, India lacks an umbrella structure for reporting the reporting and response to such attacks.
The government needs to have a cybersecurity playbook for critical infrastructure till the time it comes out with a cybersecurity policy. Also, it needs to interact with other jurisdictions to strengthen its cybersecurity defences. Sensing a threat to their systems and in order to share best safety practices, UK energy operators, earlier this year, joined the European Network for Cybersecurity. A Siemens-Ponemon Institute report released this year states that the risk of cyberattacks on the utility industry may be worsening. Fifty-six per cent of respondents reported at least one shutdown or operational data loss per year, whereas mega attacks impacted 25%.
The intensity of such attacks has increased in India too. The government needs to mandate companies to earmark adequate spending for cybersecurity. There is also a need to create a reporting structure wherein related parties of a target are also informed of cybersecurity threats. The recent BigBasket episode, etc, make having critical cybersecurity infrastructure in place an urgent need, more so in the government sector. Budget data shows that the FY21 allocation for cybersecurity in India was a mere `170 crore. In contrast, the UK has allocated Rs 18,050 crore for five years starting 2016.