On 28th June 2017, India’s busiest port, Jawaharlal Nehru Port Trust (JNPT), was forced to shut down operations at one of its three terminals due to the fallout of a global ransomware attack.
On 4th September 2019, the Kudankulam Nuclear Power Plant, one of India’s most advanced stations, came under a cyberattack. Cyber sabotage that led to a power grid failure in Mumbai on 12th October 2020 was traced to unknown Chinese entities.
While these are just a few examples, there are plenty of other national and global instances of critical infrastructure cyberattacks that have occurred over the last few years.
The cybersecurity threats posed to the systems that control and operate the critical infrastructure on which we all depend are among the most significant and growing issues confronting our Nation. The degradation, destruction, or malfunction of systems that control this infrastructure could cause significant harm to the national and economic security of India.
A couple of months ago, Bharat Panchal, Chief Industry Relations & Regulatory Officer-India at Discover Financial Services, along with Ramanathan Srivathsa from Mazars in India and Saikrishna Budamgunta, Founder & CEO at Saptang Labs, released a research report on “Protection of National Critical Information Infrastructure.”
This interview is focused entirely on the report’s findings. Bharat Panchal provides a comprehensive understanding of the intersection of malicious players and the expanding attack surface, and of how, as a Nation, we need to mitigate and confront the threat to critical infrastructures. This is no small task.
The views expressed by Bharat Panchal (BP) are his own and do not represent the views of his current company. Excerpts:
Q. The critical infrastructure (CI) and essential services are more vulnerable to widespread cyber threats. The world has witnessed plenty of attacks in the last few years.
In your report, you have highlighted several national and global instances of critical infrastructure cyber-attacks. How can we, as a Nation, continuously raise the bar to protect our mission-critical systems from such threats? What is missing and what are the challenges?
BP: Let me first answer your last point on what we are missing or lacking.
Today, we are looking at all these cyberattacks in isolation despite these attacks happening across sectors. Attacks have been made on banks, on Air India, on the pizza delivery chain Domino’s, on the Serum Institute, and on the online stock trading platform Upstox, and the list can go on. Are we connecting the dots? No, we are not. This is a grave concern.
70 percent of the cyberattacks that happen worldwide are for financial gain. But espionage or State-sponsored attacks are targeted to disturb a country and its economy and to damage its cyber and physical infrastructure.
In India, the critical infrastructure has traditionally been the rail system, airports, ports, oil and gas companies, and other public utilities/companies owned by the government. This is not the case today. Large business houses are critical. All telecom, gas, and electricity providers are critical. Some of the large banks are critical.
It is time for us to think differently. If a particular company from one sector has been attacked, how will it impact other companies in the other sectors? We need to get into an impact analysis mode for such attacks across sectors. It could be too early to predict who did it, but it is easier to see what they did.
Q. In several instances, the perpetrators and victims usually act as if an attack never took place, while the evidence is designed to erase itself. Cyberwarfare is a potent weapon in political conflicts, espionage, and propaganda. Difficult to detect a priori, it is often recognized only after significant damage has been done. How can we connect the dots, and is there a method in this madness?
BP: Unfortunately, severe cyberattacks keep occurring and we keep on forgetting.
I want to highlight some key points here. First, we have the Reserve Bank of India (RBI), which regulates the banks; there is the Insurance Regulatory and Development Authority (IRDA), which regulates the insurance sector; and we have the Telecom Regulatory Authority of India (TRAI) for the telecom sector. How are we going to have a concerted effort from all these regulators to tackle cybercrime in the scenario of a cross-sector cyberattack?
Secondly, let’s look at state-sponsored attacks. Recently, there was an article that stated that the hacker group Anonymous claimed to have hacked around 1500 websites of Russian companies and their establishments. The Russian hackers have also attacked Ukrainian cyberspace. I think this is the first war that is being fought equally in cyberspace too. In India, a statement was made in the parliament that around 80,000 websites of Indian companies have been hacked in the last three years. All these different instances tell us that we need to connect the dots in every direction.
I have led several large breach investigations in the last decade, especially in the banking sector. In most of the cases, we knew the ‘what, when, and how’ of these attacks. In half of the cases, we didn’t know who carried out the attack. And in the other half, we knew who did it, but were unable to reach that person. The mechanism of identifying such actors and bringing them to justice in the country is a difficult and complex process. Also, one of the most critical reasons is that cybercrime is a ‘borderless crime’ and there is a lack of religious implementation of the Budapest Convention by many countries to tackle it worldwide.
Q. What you are saying is that there is a presence of complex guidelines for securing the infrastructure and reporting. We have every organization following instructions and directions from various stakeholders, and since the stakeholders see issues through their narrow lens, there is a lack of coherence in their instructions. And therein lie the roots of chaos in the response.
Also, there is ambiguity in regulations as multiple agencies regulate the critical information infrastructure members. And finally, there is a lack of coordination among the various agencies. How can we address these issues, and what is the way forward?
BP: We have tried to explain the problem in our report. First and foremost, we need to revisit and redefine our critical infrastructures in the contextual paradigm of cyberspace. Until we know the value of these companies, we cannot create a defense mechanism to protect them.
Today banks are critical. But is every bank critical? What is the parameter to define critical? For example, RBI has clearly stated that SBI, ICICI Bank, and HDFC Bank are too big to fail. This is clearly stated. There is an assurance. In a similar manner, we need to clearly state the names of the companies that fit the definition of critical infrastructure and need to be protected in cyberspace.
Imagine a high-level DDoS attack that occurs on an ISP/telecom provider. Assume that there is a very targeted attack that is coming from a specific country. Do we have a single gateway or a ‘kill-switch’ to cut off such malicious traffic from the internet or the telecom network?
Starlink came to the rescue of Ukraine by sending thousands of satellite internet kits. Do we have something within the country if such a scenario happens here? It will be impractical to imagine that someone will help us. Just like we have strategic locations for emergency landings by fighter aircraft on the roads, we will need to create such corridors for our critical infrastructures so that they stand unaffected. This is one suggestion that we have made.
From the regulations perspective, we have suggested that there is a need to have an apex body that is authorized to define any policy-related matters for the nation when it comes to cybersecurity. We have the four major regulators (RBI, SEBI, TRAI and IRDA) who define the cybersecurity framework for their respective sectors. Now if every sector defines its own policies, who will validate them from a national cyber security viewpoint? In our report, we have suggested that the National Cyber Security Coordinator (NCSC) should act as the apex body to define the policy matters on cyber security, and all the other policies from the regulators mentioned earlier must be reviewed and approved by the NCSC before they are implemented.
We have also suggested having a complete repository of malware that is detected. It should be readily available to all agencies and researchers for analysis.
Q. The authors of the report have made a recommendation to merge the Indian Computer Emergency Response Team (CERT-In) and the National Critical Information Infrastructure Protection Centre (NCIIPC) into one agency?
BP: There is no doubt that both are mighty and powerful bodies, but their spheres of work are overlapping. We have suggested that by bringing CERT-In and NCIIPC under a single roof, we can create one single monitoring agency and have a hub-and-spoke model that can be used for coordinating between the different sectoral regulators and the national agency for cybersecurity on policymaking and its adherence. The combined entity can safeguard the national interests of the country in a more cohesive way. They will have a bird’s eye view and will be in the best position to ‘connect the dots,’ which I mentioned earlier.
Q. The report seeks a revision of the National Cyber Security Policy 2013 in parallel with the advancement of technological innovations, emerging technologies, cyber threats, and unmanaged networks. What kind of revisions have been recommended?
BP: From a technology perspective, there has been a drastic change over the last decade. We have over one billion mobile subscribers and have emerged as the largest population in the world that has placed its digital footprint on the internet. Data is a commodity today but the challenges arise out of the exponential growth of digital space that we face today. These challenges were not envisaged in 2014.
The cybersecurity policy of India is outlined in the “National Cyber Security Policy, 2013” and is supported by several guidelines and directions issued by NCIIPC, CERT-In, the Department of Telecommunications (DoT), RBI, and other regulators. Certain provisions in the Information Technology (IT) Act, 2000 also support the cyber security policies in the country. However, due to very dynamic changes in the digital space and cyberspace in the last decade, the policy and structure so far have not matured. The synergy between the entities has also not matured. So, there is a huge scope to align the proposed new policy with cyber governance and an Integrated Surveillance System for our cyberspace, and also to create a forward-looking strategy to complement it with the overall national security.
The policy also needs a revision in parallel with the advancement of technological innovations, emerging technologies, cyber threats, unmanaged networks, and most importantly the enhanced cyber superpower of some of the neighboring countries.
We are lacking high-skilled cybersecurity professionals. There is no structured curriculum on cyber security as a subject in primary or higher secondary education. Education on cybersecurity at the foundation level is a must. At the same time, the All-India Council for Technical Education (AICTE) and University Grants Commission (UGC) should change the curriculum so that industry-standard talent is available in plenty to be tapped.
We have also suggested creating national agency-level monitoring of Dark Web actors by having a presence on the dark web. This will make us aware of what discussions are happening on the Dark Web, and it will enable us to be proactive and get insights into many illegal activities.
Q. What kind of response have you seen so far to this in-depth report? Do you see some immediate changes happening?
BP: We cannot expect the government and the policy makers to do everything that we have recommended overnight. This is a highly strategic policy matter and requires lots of deliberations and considerations on many other aspects that the policymakers may have to account for. We have made our suggestions and we have faith that there will be some positive outcomes from the report.