Cyber policy to factor in threat from state actors

Cyber operations by state actors and the abuse of social media for “narrative warfare” are some of the particular threats likely to be recognised by the government in the National Cyber Security Strategy, 2021 (NCSS 2021), a policy paper that could also make it mandatory for any business or government department with a significant IT interface to set up a cyber safety cell.

These will be part of a long-awaited overhaul in how India sees and approaches dangers in the digital domain. India’s current posture stems from the National Cyber Security Policy of 2013, which officials and experts say has become outdated in the face of a threat landscape that affects national security, governance and critical infrastructure, communications, and business more deeply than ever.

“It is an all-encompassing document,” said a key official who worked on the paper, asking not to be named. “It addresses all our shortcomings, how to look at infrastructure development and updates the last policy which was relevant at that point of time.’’

The 50-odd pages document, anchored by the national security adviser’s office, is now awaiting the approval from the Prime Minister’s office before it is released. Hindustan Times has spoken to several key officials who worked on the paper and shared contours of what the strategy will include.

Over the last couple of years, India has faced several high-profile cyber attacks, including those purportedly originating in North Korea that targeted the Kudankulam Nuclear Power Plant and the Indian Space Research Organisation (Isro) in 2019. Earlier this week, security consultants reported finding a China-backed operation to target India’s electricity grid.

HT reported last month several instances in which government domain email addresses were used to launch cyber attacks and the discovery of critical vulnerabilities in several government servers, which could have given attackers access deep into sensitive networks and underscores the need for the country’s digital infrastructure to be made more secure.

The government has not commented on the role of any nation-state in any of the incidents cited above.

NCSS 2021 is likely to continue with the stance on not attributing threats from a particular country. “We have not named any country,” said an official quoted above. “However, we do recognise that there are both state and non-state actors that are looking to target us in the cybersphere and along with them you have state-backed actors, hacktivists and cyber mercenaries.”

The threat landscape, this official added, “has really exploded” with attacks that have now “grown in scope and state sophistication”. “They have all come into play and they are targeting our infrastructure.”

The paper has been prepared after consultations hosted by the Cyber Security Coordinator’s office. While it does not go into solutions, it outlines the government’s threat perception in the domain. India’s approach is expected to be along the lines of the strategy documents released by countries such as the US and the UK.

The UK, for instance, recognises state-sponsored threats as “a small number of hostile foreign threat actors [that] have developed and deployed offensive cyber capabilities, including destructive ones”. The UK’s strategy document adds: “These capabilities threaten the security of the UK’s critical national infrastructure and industrial control systems. Some states may use these capabilities in contravention of international law in the belief that they can do so with relative impunity.”

NCSS 2021 will also recognise the threat of “narrative wars” on social media services, the official quoted above said. Fake news, manipulation, fraud, misinformation and disinformation will be identified as major threats. “A great number of our population use social media so we need to be aware of the different kinds of threats that lurk there,” said the official.

One of the other key aspects of the policy will be a proposal to create cells for cyber security in all institutions, public and private, which will involve dedicated budgeting of funds for such resources. “If you use information technology, then you will have to create a cell with experts in your office that will not just protect you but also protect everyone you are dealing with,” said the official. This will need a new regulatory framework, and the authors see it as a possible area of opportunity for employment and skill development.

“As a business is connected in the interconnected world, the cyber attacker may attack you and then spread their attack from there to other places. They will have to invest in IT infrastructure and security,” the official added.

Experts said India needs to focus on several aspects relating to cybersecurity. “Networks need more robust cyber physical infrastructures and for that more allocation has to happen for critical information infrastructures,” said Subimal Bhattacharjee, an independent adviser on cyber security policy issues.

“Likewise, incident reporting and response ecosystem needs more focused attention and so budgets for CERT-IN (the Indian Computer Emergency Response Team) and NCIIPC (National Critical Information Infrastructure Protection Centre) has to be increased so that they add more resources and capabilities.”

A second expert said the focus on information security in the context of social media was surprising. “The narrative warfare finding mention in the policy is surprising. I am not sure of the efficacy of mixing this with cybersecurity as it makes implementation problematic,” said Gunjan Chawla, who works with technology and national security at the National Law University, Delhi.

“We hope that with this policy being developed, a lot of our security concerns will be addressed,” said a second official working on the policy, asking not to be named.