We all understand the challenges of maintaining cybersecurity. All the threats of cybersecurity that we have been professing for over a decade and a half, are all, unfortunately, coming true now. And the more we get connected, our cities get connected, our homes get connected, our bodies get connected, the greater the threats of cybersecurity will be there.
With great connectivity, comes great challenges.. with apologies to Spiderman.
I have often argued that the digital connectivity of a nation is like neuron connectivity in our body. The most potent of toxins and snake poisons is the neuro-toxins that impact our nervous system and can kill a human within minutes. Similarly, the most potent adversarial attack is compromising our connectivity, paralyzing our banking, power systems, metros, railways, airports and so on. Paralyzing every aspect of a nation and bringing the nation down to its knees. And this happens not just by a touch of a button (that is famously made out in Hollywood and Bollywood movies), but by also compromising people who run these systems.
The cyberbombing of the Iranian nuclear centrifuges in 2010, which physically decimated the centrifuges, did not happen by a cyber-attack over the internet. There was no internet connecting the nuclear centrifuge facilities. In all probability, it happened by someone inserting the malware by physically inserting a Pendrive into some system of the nuclear facilities.
Why are these issues relevant now? Because earlier this month, there were reports that the blackouts in Mumbai last year happened because of cyberattacks from China. Unfortunately, in India, it is believed that much of the power systems have embedded Chinese systems, thereby making them potentially compromised. However, one need not connect these power systems to the internet. There can be, what is technically referred to as an “air-gap” between the power systems and the internet, thereby foiling any cyberattack through the internet. An “air-gap” implies that there is no connectivity between the internet and the said systems. However, as was demonstrated in the cyberbombing of the Iranian nuclear facilities in 2010, and subsequent cyberattacks on the Iranian power plants in 2012, demonstrated that a cyberattack can be launched even if the systems are not connected to the internet, by compromising people involved with the systems.
How difficult is it to compromise the people involved in managing such critical systems? Not too difficult. When 70% of the smartphone market is owned by Chinese smartphones, one rests assured that all detailed information, including chats and phone calls of most people in this country, can be accessed by the military of the nation that manufactures those phones. So the probability of people running critical infrastructure being compromised through their smartphones is very high.
So what can be done?
This is not India only issue. Australia, the US and Japan have faced similar frequent cyberattacks and cyber-espionage from China. It is an issue that is global, and hence the solution also has to have a global component. Fortunately, we also see the blossoming of an alliance between the US, Australia, Japan and India – is the Quad. And then there are possibilities of a Quad plus grouping, which aims to further democratic values and rule-based global engagements. It is vital that cyber defence as an issue is vigorously brought under the Quad agenda, if not already been done.
Acronis’ Cyber Readiness Report 2020 placed India as the country facing most cyberattacks in the world, more than double compared to any other country. At the same time, ITU’s Global Cybersecurity Index 2018 ranked India 47th in the world and places it in the category of countries showing ‘high commitment to cybersecurity. India’s National Cyber Security Policy, 2013, is a holistic framework “to build a secure and resilient cyberspace for citizens, businesses, and Government”. India also has initiatives such as the Cyber Swachhta Kendra (Botnet Cleaning and Malware Analysis Centre) which detects malicious programs and provides free tools to remove the same. Now imagine if such centres could be made much larger with greater funding from other similar nations, the combined cybersecurity defence profile of all the nations involved would increase significantly.
India has a dedicated National Cybersecurity Coordinator (NCC) at the National Security Council Secretariat (NSCS), which coordinates cyber-issues between different agencies. This includes CERT-In, National Critical Information Infrastructure Protection Centre (NCIIPC), and the Indian Cyber Crime Coordination Centre (I4C). Apart from the government, there is also a dynamic not-for-profit industry body, the Data Security Council of India which ensures that the industry and the government operate in tandem on cybersecurity issues.
India already has a Cyber Diplomacy Division in addition to a New and Emerging Strategic Technologies Division in its Ministry of External Affairs. India is also in the process of formulating a Cyber Security Strategy 2020-2025, to keep its cyberspace safe, secure, and as a means of generating prosperity. India could accelerate the use of these institutional structures to build a Quad alliance on cybersecurity.
From a Quad perspective, if we consider only Australia, ITU’s Global Cybersecurity Index 2018 ranks Australia at 10th in the world and places it in the category of countries showing ‘high commitment to cybersecurity. Acronis’ Cyber Readiness Report 2020 pointed out Australia as facing a general ‘lack of IT support, even though it did not receive more than average instances of cyberattacks compared to the world. Could Australia do with support from India, the US and Japan? Could India, the US and Japan gain support on cybersecurity from Australia, given Australia’s experience of being at the receiving end of state-driven cyberattacks?
Australia’s Commonwealth Scientific and Industrial Research Organisation’s (CSIRO) Cyber Security Roadmap forms the basis for industrial guidance and a scientific evaluation of prospects. Australia’s Cyber Security Strategy, 2020, envisions “A more secure online world for Australians, their businesses and the essential services” towards which an investment of $1.67 billion has been allocated over 2020-30. The 2020 Defence Strategic Update recognises cyber warfare as a key enabler of ‘grey zone activities’, and calls for strengthened cyber capabilities. Also, the Australian Cyber Security Centre is a centralised centre bringing together all government cybersecurity assets and serves as an interface for collaboration and information-sharing.
The Academic Centres of Cyber Security Excellence (ACCSE) program launched in 2016 established Centres of Cyber Security Excellence at the Universities of Melbourne and Edith Cowan. Australia also has the Cybercrimes Act, 2001, which serves as the primary legislation governing cybercrime. Apart from this, it has the Security of Critical Infrastructure Act, 2018, which focuses on sabotage, espionage, and coercion posed by foreign involvement in Australia’s critical infrastructure. Australia also has a dedicated Ambassador for Cyber Affairs and Critical Technology since 2017, leading Australia’s international engagements in cyberspace and critical technology.
Hence Australia too has the institutional structures required to build an international cybersecurity alliance. It is a similar story with the US and Japan also.
So it is but a natural step further to vigorously accelerate the cybersecurity angle to the Quad equation. Fortunately, there is also a considerable cybersecurity market that forms the carrot for the private sector in the Quad economies to step up and invest in the sector. It is now for the Quad Sherpas to provide the momentum.