Whether or not Chinese hackers gained access to the power utilities in Maharashtra during last October’s grid failure—The New York Times cites cybersecurity concern Recorded Future to say Chinese group RedEcho did this while the Union government has denied it—India really needs to stay ahead of threats when it comes to cybersecurity. Even if it wasn’t the Chinese, lingering suspicion that a cyberattack caused the outage only underscores the vulnerabilities of India’s cybersafety architecture. Two years ago, the Kudankulam nuclear power plant fell prey to a malware attack. Meanwhile, Indian banks and companies have been constant targets for hacking groups.
India was one of the first countries to act on cybersecurity and securing critical information infrastructure. The government released guidelines for critical information infrastructure in 2015, outlining six priority areas. But the response has lagged since. The guidelines have not been revised since 2016—despite cybersecurity needing to be as dynamic as evolving threats—and only prescribe basic procedures instead of setting sector-wise standards. A power utility can’t be asked to keep the same level of security as, say, a bank or a data repository like UIDAI.
The other problem is that the nodal agency, the National Critical Information Infrastructure Protection Centre (NCIIPC), has itself been vulnerable to attacks. Last month, a hacking group reportedly found eight security gaps in NCIIPC’s architecture, claiming that it was leaking sensitive information. Furthermore, even three weeks into the attack, the security group found that NCIIPC had patched only one of the eight vulnerabilities.
India has done well to partner with global security agencies to strengthen the cybersecurity framework. However, it also needs to revise local guidelines and make processes simpler. First, there is a need to introduce the National Cybersecurity Policy, 2020. This needs to be complemented with sector-specific standard operating procedures. RBI and Sebi have done this for banks and financial firms, but the purview needs to be expanded to other domains. Second, the government has to upgrade its systems, which have been running legacy software, and incorporate new technologies like AI/ML for threat detection. As more services get connected to utilities with IoT devices, there is a need to better India’s cyberdefence.
More important, coordination between different bodies has to improve. At present, India has 36 different coordination agencies under different departments; besides, each state has a state-level computer emergency response team. All these need to be brought under a single umbrella organisation, in line with what exists in the UK and Singapore. This would ensure faster reporting and better coordination in case of a cyberattack. It would also remove red tape.
At present, financial entities in India have to abide by RBI, Sebi, CERT and NCIIPC guidelines and report to all these bodies in case of a breach. The state also needs to start spending more on cybersecurity. Budget data shows that the FY21 allocation for cybersecurity was a mere Rs 170 crore. In contrast, the UK had allocated Rs 18,050 crore for five years starting 2016.