Despite speculation of rising cyber attacks after India-China border clash, we seem to prefer the ostrich approach – ‘nothing has happened’.


Lt Gen (Dr) Prakash Menon  (Retd)


The US-Russian meeting in Geneva on 15 June signified an attempt by both sides to arrest the pace of a worsening relationship. The US, as the aggrieved party, accused the Russians of cyberattacks. US President Joe Biden handed over a list of 16 ‘critical infrastructure’ entities and warned that if they were attacked, the US will respond in a ‘cyber way’. Russian President Vladimir Putin denied culpability for any attacks and held the US responsible for several malicious cyber campaigns in Russia. Both parties have, however, agreed to the creation of working groups for urgent arms control and cyber issues.

Cyber now sits alongside nuclear threats, and it is definitely a promotion in the value chain of strategic affairs. The US is concerned and there are good reasons for it. India should be too. On 23 March 2021, in response to a question in the Lok Sabha on cyberattacks, the Narendra Modi government, replied that the Indian Computer Emergency Response Team (CERT-In)had reported and tracked 3,94,499 and 11,58,208 cyber security incidents during 2019 and 2020 respectively. But without an accepted definition of ‘cyber incident’, it is impossible to discern the scale and nature of the attacks.


Offence is the best defence

Dependency in strategic affairs is a vulnerability that adversaries can exploit. The US’ dependency on cyberspace as an enabler of most of its critical functions is also its vulnerability. It is not surprising that its major adversaries, Russia and China, are attempting to exploit this. On the other hand, both Russia and China have the same dependency and therefore there is mutual vulnerability. Yet cyberattacks continue on a daily basis across the globe. Primarily, because it has deniability and cyberspace is largely ungoverned. Deniability pervades the nature of cyber activity and cannot be wished away. International governance of cyberspace, which is also linked to satellites, seems to be doomed to remain beyond the pale of regulation by international law. Even then, regulated compliance cannot be monitored or verified due to the potential of deniability. The promotion of cyberspace is highly beneficial to all nations. India is no exception and for a developing power like us, it is inescapable.

Cyberattacks on India’s Critical Infrastructure (CI) have been on the rise. Though no official figures are available, many reports indicate that with the intensifying China-India border tensions, there has been a surge in cyberattacks. On 12 October 2020, a month and a half after India surprised China by occupying the Kailash Ranges in Ladakh, a major power outage occurred in Mumbai. In March 2021, Maharashtra Energy Minister Anil Deshmukh confirmed that the state cyber agency investigations revealed that insertion of malware caused the cyberattack. He also affirmed reports of China being responsible. However, the Union Minister in charge of Power R.K. Singh while admitting that cyberattacks on three grids were thwarted,  attributed the Mumbai outage to human error. Subsequently, reports indicated that cyberattacks had been attempted on at least ten assets that included power generation and ports. The Union minister’s obfuscation could have implications for the messaging regarding India’s political will, and weakens deterrence. The perpetrator could study India’s reaction and play the next round accordingly, which may be just a matter of time.

Cyberattacks are actions that target computer information systems/infrastructure/computer networks/personal computer devices, using various methods to steal, alter or destroy data or information systems. By conflating the complete spectrum of inimical cyber actions that could range from minor to major, irrelevant to lethal, criminal to political, the figures given by the minister in the Lok Sabha, conceal from the public the ones that could be of serious national security concern. Two issues emerge here.

First, it appears that India has built quite a capability for early warning of cyberattacks. This increases the possibility to undertake counteractions to mitigate the impact. But essentially, cyber defence is a challenge that cannot possibly keep up with the potential of cyber offence. In a democracy, the odds are further skewed. In India, the sheer numbers involved, and profusion of computer device usage are coupled with weak cyber security hygiene to make formulating an effective cyber defence a challenge. And a cyber offensive enjoys formidable advantages. It can be undertaken by teams that can range from individuals to organisations that are backed and resourced by the State. It is also far cheaper to build offensive capability. The nature of the cyber environment favours the offensive and that is unlikely to change. The major point that emerges is that in cyberspace, offence is the best defence.

The second issue is that retaliation requires intelligence on who is the perpetrator, which may not be easy to identify except when the attack has political objectives and is undertaken by State or non-State actors. The Mumbai cyber-attack and other attempts during the period of border tensions with China makes identification of the perpetrator somewhat easier even though the possibility of providing proof may be minimal. In any case, internationally, cyberspace remains ungoverned, so the requirement of providing proof does not arise. Politically, once culpability for an attack is known, the question is what action the State takes, and that requires a strategic approach. It is feasible that India has retaliated through cyber means and the ‘policy’ dictates that deniability be maintained. Such an approach is understandable and acceptable. The policy provides space for the government to either react or not, also whether to publicise the reaction or not. Reaction primarily depends on answers to the question that must be posed following an attack – so what?

Given the existing state of affairs, what could have been intent of the Mumbai cyberattack? It could have been to create a psychological impact by exposing India’s vulnerability in cyber space. It could have been to remind India’s political leadership that China has the potential to cause more harm. It could be part of China’s larger psychological game that pushes the narrative – “I am the strongest and therefore subordination is inevitable.” India will never know for sure, but it must consider the matter not as a standalone issue but work out how it fits into the existing dynamics of the larger China-India relationship.