Cybersecurity in India: From attacks on Infrastructure to Pant’s Rules

Overview

India is currently drafting its new Cybersecurity Rules under Lt. General (Dr) Rajesh Pant. The urge to fast-track Cyber Security occurred due to many cyber-attacks on India’s critical infrastructure, including Mumbai’s Blackout, MobiKwik attack, the Kudankulam Malware, and Aadhaar case. This article deals with the need for upcoming cybersecurity rules 2021, the need to enact them, and the attacks that urged updating the Rules of 2013.

Introduction

Cyberspace has inherent vulnerabilities that cannot be removed, one of which is the numerous entry points that make it relatively easy to misdirect a foreign participant’s attribution. Due to this very reason, cyberspace is a critical issue of military and strategy for nations.

Most of the equipment and technology for setting up Cyber Security infrastructure in India is currently procured from global sources.[i] Due to this, these systems are vulnerable to cyber threats just like any other connected system. The threats include a manufacturing backdoor in such foreign procured technology that may be created for malware or other penetrative purposes. These backdoors may be embedded in Radiofrequency Identification (RFID) chips and memories. Such unauthorised access to protected memory may cause faults or interruptions in the equipment’s normal behaviour and tamper with the hardware by performing invasive operations. The admission of such kind can bypass the standard authentication mechanism of the systems meant for cyber threats.

 The Need: A legion of cyber-attacks

While the Computer Network Defence techniques, tactics, and practices broadly protect individual systems and networks, they are not enough response for critical operations and missions. Moreover, new age attacks are not only on the defensive breakdown but also on the nation’s critical administrative and infrastructural systems. One such probable attack happened allegedly on Mumbai’s Grid Board.  

In October 2020, a significant power cut-down took place in Mumbai and its surrounding areas, impacting the electricity supply and local trains, etc. Another major cyberattack includes the personal user data leak at MobiKwik and the Kudankulam Nuclear Plant’s administrative network with trojans. Moreover, foreign cyberattacks and even internal scandals of the Aadhaar card holder’s information for leverage in Puducherry elections on which the Madras HC has ordered an inquiry is another battle of cybersecurity that Indian administrative and infrastructure agencies have to conquer.

In India, the gravity of cyber-attacks was explained in November by the newly appointed Chief of the National Cyber Security Coordinator, Lt. General (Dr.) Rajesh Pant, in his statement where he claimed that their research shows that India witnesses 4 lakh malware and 375 cyber-attacks, every day. Moreover, the new norm of work-from-home (WFH) during the lockdown, including corporate offices and government services, has increased dependence on the internet during the present crisis, thereby increasing the opportunities for attackers to steal money and data.” Asserting the same, Lt. General Pant stated that these 3C’s, COVID-19, Cyber Attacks, and China’s Infiltration is a big turmoil that India needs to fight now.

An immediate solution to decrease cyber-attacks is by practicing basic cyber hygiene and conscious internet behaviour of not clicking on unknown links and attachments. However, to avoid cyber warfare or collective waging, nations need a pre-emptive technology to attack, parallel to the defence technology. India, specifically, lacks cybersecurity infrastructure and the policy of reasonable reaction in case of such an attack. Moreover, such attacks are not known to government agencies due to a lack of research and technical and legal development.

Recorded Future’s Report on Mumbai Blackout

Recorded Future, a Massachusetts-based cybersecurity firm, released a report titled, ‘China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions’.[ii] The report claims that RedEcho targeted ten vital nodes in India’s power distribution system and two seaports. RedEcho, which has been identified as a China-based Advanced Persistent Threat (APT) group, attempted to infiltrate India’s power grids in May 2020 with a trojan named ShadowPad, amid heightened tensions at the border.

Further, the report suggested that these malwares’ attacks could be the possible cause of the massive power outage in Mumbai in October 2020.[iii] This report was sent to the Computer Emergency Response Team (CERT) in India, which acknowledged twice that it had received the information. However, it stated that no alliance could be drawn between the attack and the grid failure. It was later confirmed that the Power Ministry of India thwarted the Chinese Cyber Attack as the government’s cyber agencies warned them about the intrusion. However, the Ministry ensured that there was “no data breach” from the threat.[iv] The probable aim to pre-position malware in the infrastructure system is to get the upper hand, as an attacker can activate the malware during cyber warfare by shutting down essential services during times of crisis.

Mobi Kwik Data Leak

Another instance was the data breach of nearly 110 million users for mobile wallet and payments application, MobiKwik. The data leaked is 8.2TB in size and includes details of KYC documents, Aadhaar cards, credit card details, mobile phone numbers linked to MobiKwik wallet, etc.[v] and is reported to be on sale on a hacker forum on the dark web.

An independent security researcher, Rajshekhar Rajaharia, first claimed the leak; however, MobiKwik categorically denied it. Even after public support on Rajaharia’s claim, the company did not accept the breach and stated that a thorough investigation was conducted and no evidence was found. Further, it added that it is confident that security protocols to store users’ sensitive data are robust and have not been breached.

Due to recurrent denials, the Reserve Bank of India (RBI) has ordered[vi] MobiKwik to inquire about the allegations of its 110 million users’ data leaks and cautioned that the company would face fines if lapses are found.

Kudankulam Nuclear Plant Attack

The 2019 malware attack on the state-run Nuclear Power Corporation of India Limited’s (NPCIL), Kudankulam Nuclear Power Plant (KKNPP) in Tamil Nadu was another cybersecurity threat.[vii]  A remote access trojan called D-track, which has been used in the past to attack financial institutions in India, was found in the administrative network of the plant, converging and integrating the information technology (IT) systems with Operational Technology (OT).

The attack on Kudankulam is similar to the D-track and ATMDtrack attacks in the 2013 DarkSeoul campaign, which froze thousands of computers in South Korean banks and media firms. The probable attackers were Lazarus- a pseudonym; however, Kaspersky cybersecurity firm has found the IP addresses which traced to North Korea. Like the previous attacks, the Kudankulam attack wasn’t life-threatening; however, it was a pre-positioning in critical infrastructures. 

Leakage of Aadhaar  Details: Madras High Court’s Verdict

The Madras High Court, in March 2021, heard a plea alleging that the Bharatiya Janata Party (BJP) in Puducherry had misused the Aadhaar data of voters to boost election campaigns. The claim was that a bulk of Short Messages were received by voters on numbers that were linked with Aadhaar, to join 952 WhatsApp groups run by the BJP.[viii] The division bench has directed the Unique Identification Authority of India (UIDAI) to investigate how confidential information that is held by it has been leaked. Moreover, even the Election Commission of India is enquiring about the gross breach of election codes. 

Intermediary Liabilities in Cybersecurity

Cyberspace, being a borderless arena of communication, provides an environment of easy access to everyone. Especially with the coming of the global pandemic, the internet has become the only alternative, and an upsurge in online shopping and users on social media platforms is evident; owing to this, there has been an escalation in unlawful activities as well. More often than not, cyber threats have foreign participation, which makes it challenging to hold international companies liable in case of an attack against an individual or nation. Three of the four episodes mentioned above are foreign attacks.

In such a situation, the liability of intermediaries, such as the social media platforms, e-commerce websites, blogging portals, search engines, etc., for any unlawful or scrupulous content, product or service, posted in such outlets by a third party is a critical issue of Cyberlaw.

‘Intermediary’ term has been defined in the Information Technology Act,[ix] which states that if any person who on behalf of another person receives, stores or transmits that message or provides any service concerning that message, including Internet Service Providers (“ISPs”) as well as any website that provides user-generated content, are intermediary. Therefore, vicarious liability arises when an individual(s) uses the intermediary’s platform for the transmission or publication of information.

The rate at which these intermediaries have failed to regulate the religious, socio-political, and economic negative content leading to misuse of data and spread of hate speech is mammoth. One of the extreme examples was Facebook and Twitter’s involvement in the US presidential elections in 2016;[x] hints of a similar incitement are also alleged against the BJP government in Puducherry Elections through WhatsApp groups. 

Hence, it is crucial to impose greater liability on the intermediaries. For the same, Courts have constantly re-examined and reframed legislation and guidelines for intermediaries’ liability while ensuring strict accountability through a user-friendly approach.

The rights, immunities and liabilities of intermediaries in India are evolutionary, as several judicial pronouncements have made laws more stringent for intermediary’s liability. Section 79 of the IT Act,[xi] the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 and the Shreya Singhal Judgment,[xii] are the primary authorities on intermediary liability.

Under the IT Act, Section 79 states that “for any third-party information or data made available by him if he proves that the offence or contravention was committed without his knowledge or that he had exercised all due diligence to prevent the commission of such offence or contravention.”[xiii] Therefore, the IT Act provides little or no safe harbour protection to intermediaries.

The 2008 amendment in IT Act,[xiv] led to introducing the Intermediary Guidelines,[xv] which for claiming safe harbour protection, intermediaries must necessarily follow. The guidelines state that the intermediaries need to publish rules and regulations, privacy policy and user agreement, which specify all prohibited acts and the violation of which shall lead to termination of access to that user. Moreover, intermediaries are obligated not knowingly to host or publish information; however, if such information is posted, it must be disabled within 36 hours; and stored with the intermediary for 90 days to investigate. Furthermore, they assist the authorised government agencies and must take all reasonable measures to secure their computer resource. In case of an incident, it must be reported to the Indian Computer Emergency Response Team. And lastly, every intermediary is mandated to appoint and publish a Grievance Officer’s details on its website.

The landmark case of Shreya Singhal [xvi] essentially deals with free speech rights in cyberspace as it strikes down Section 66A of the IT Act.[xvii]

However, on Section 79 and Guidelines, the Court observed that-

“Section 79 is valid subject to Section 79(3)(b) being read down to mean that an intermediary upon receiving actual knowledge from a court order or on being notified by the appropriate government or its agency that unlawful acts relatable to Article 19(2) are going to be committed then fails to remove or disable access to such material expeditiously…. Similarly, the Information Technology “Intermediary Guidelines” Rules, 2011 are valid subject to Rule 3 sub-rule (4) being read down in the same manner as indicated in the judgment.”[xviii]

Further, the Court added, “…it would be challenging for intermediaries like Google, Facebook etc., to act when millions of requests are made, and the intermediary is then to judge as to which of such requests are legitimate and which are not.”[xix]

Therefore, the Indian law on intermediaries’ states that liability cannot arise unless they have the proper information and proper order for such accountability is given by the requisite authority. Moreover, the intermediaries’ information must be specific, not broad or warning for vigilance; however, due diligence is mandatory to be practised by intermediaries. 

Cybersecurity Rules of 2013: Do we need to review them?

The National Cyber Security Policy, 2013,[xx] was the first comprehensive document on India’s cybersecurity. It led to the setting up of the National Cyber Security Centre, Test Infrastructure, Malware Monitoring & Cleaning Centre, National Critical Information Infrastructure Centre, etc.

However, the last seven years have caused many gaps concerning the resilience of infrastructure in India and global technology. With the coming of artificial intelligence, machine learning, internet-enabled devices and big data, cyberspace has become complicated and even more vulnerable to the cyber-attack ecosystem. Moreover, some issues are intricate to cyberspace in India, such as the Indian military, central police organisations, and law enforcement agencies have a deficiency in the workforce for software and hardware aspects integral to this field. 

Moreover, India does not have an ‘active cyber defence’ like the European Union’s General Data Protection Regulation (GDPR)[xxi] or the Active Cyber Defense Certainty Act (2019-2020).[xxii] Furthermore, unlike the United States & the United Kingdom, India has several overlapping central bodies and laws that deal with cyber issues, and each has a different reporting structure.  India also lacks indigenisation in hardware and software cybersecurity tools and most of them have been procured from global partners.

Moreover, the geopolitical changes, specifically in the South-Asian subcontinent, with increased hostility in neighbouring states, specifically India and China, both in the geographical acquisition and economic market, the threat to cyber warfare has increased. The recent banning of the Chinese applications, including TikTok, by India,[xxiii] which became a headline, has caused the situation to worsen.

A review of the 2013 policy is critical for taking corrective steps to strengthen the system and enhance the resiliency of cyberinfrastructure in the country, specifically infrastructure. The draft of the policy 2021 shall consider the technological innovations and resulting complexity in cyber incidents. Hence, it shall be better if India is prepared with a policy and legal framework to monitor infrastructure and technology to emerge, with safety and security.

Pant’s Plan for Cybersecurity of India

Coming from a background of Defence IT, Electronic Warfare and Telecom background, Lt. General (Dr) Rajesh Pant (Retd.) took over as the Chief of National Cyber Coordination Centre (NCCC) in March 2020.[xxiv] NCCC is a classified project of India’s Government, a primary cybersecurity and e-surveillance agency. It is a cybersecurity intelligence that mitigates online attacks and manages National security.

A team headed by Lt. General Pant, is formed in NCCC to deal specifically with the rise of cybercrimes due to the highly internet-reliant and steadily digitised administration, both government and private. In a recent interview, he also informed that like Estonian cybersecurity firm Cybexer Technologies’ online free course of cyber hygiene, Ukraine’s National Academy of Internal Affairs’ course,[xxv] Indian Government is also pitching an online cyber system.

Moreover, India is also procuring domestically produced infrastructure and Indian technology companies to offer cyber solutions. India mulling to strengthen cybersecurity, has decided to take up a holistic multi-ministries collective project, including Home Affairs, Information Technology, Defense, and the National Critical Information Infrastructure Protection Centre set audit procedures along with the National Cyber Security Coordinator.

The NCCC’s team is presently working on the cybersecurity rules of India. Lt. General Pant in an interview stated the real-world telemetry data collected by the Indian Cyber Security Firm, K7 Labs.[xxvi] It reported that between February 2, 2020, to March 25, 2020, that is 52 days, there was a 30% increase in cyber-attacks, among which 1756 blocked malicious attempts to attack was made using the Covid-19 theme.

Recommendations and Suggestions

Following are the recommendations that should be considered in the Cybersecurity Rules:

1. While the upcoming rules will majorly focus on infrastructure’s critical information in cyberspace, they should also build integrated capabilities to prevent and respond to cyber threats. This shall include methods that aim at reducing vulnerabilities and minimising damage from cyber incidents. This can happen through a combination of institutional structures, people, processes and technology with a well-defined governance framework. An urgent need to have a comprehensive and unified government institution, agencies, and legal structure for creating a cyber defence network;
2. Ensuring that for the short- term, until a concrete indigenous market of cybersecurity can be formed, there should be a standardised method, detailing the steps to follow, to prevent state-sponsored cyber-attacks while procuring foreign cybersecurity hardware and software;
3. Ensuring that for the long-term, manufacturing indigenous cybersecurity infrastructure and software encourages entrepreneurship in Cybersecurity by subsidising. Hence, a business ecosystem must be built to leverage artificial intelligence and robotics. This must be part of a comprehensive policy for 2030 to effectively coalesce cyber defence;
4. Train youth for Artificial Intelligence, Blockchain Technology, Internet of Things and Machine Learning; including such subjects as a compulsory part of school education. Furthermore, asking citizens to mandatorily undergo a basic cybersecurity course online. This also must be part of a comprehensive policy for 2030 to coalesce cyber hygiene effectively;
5. We should form an Indian Active Cyber Defence that enhances the defensive cybersecurity capabilities for the Government and the Intelligence Community, which must have local and national offices; and
6. Further, on-point five, a cyber commando force must also be formed as part of the defence, inclusive of technicians and law-qualified individuals, to deal with cyber-terrorism or cyber-attack. Moreover, a specialised cyber police cadre must also be formed in every State police department.

Conclusion

With the coming of Cyber Security Rules 2021, India will be taking a leapfrog into the digital transformation. However, such rules may not be efficient in the long term if we do not have a solid shield to protect government agencies, private firms, and individuals against cyber-attacks and threats.

Mumbai Blackout, Kudankulam Attack, and the alleged Aadhaar misuse for elections are critical cybersecurity issues that are a threat to national security and integral democracy, which must be dealt with to protect the infrastructure and organisation of democracy in India. Moreover, MobiKwik Leak highlights the threat which even private companies of India are facing from foreign elements. Though there is no big loss from such a cyber threat; however, it does not mean that such an attack will not happen in the future or will not cause such a monstrous shutdown of one of the most vital infrastructural services or agencies of democracy of India.

The asserted deduction after the cyber-attacks and speed-tracking of Cyber Security Rules by Lt General Pant (Retd.) is that cyberspace infringement is an upcoming battle that India must be ready for. It needs stringent laws and policy to combat these issues, with proliferation and assimilation, with an ex-ante approach of more kinds of intrusions that may take place and how to tackle them, ex-post.

Cyberattacks that are targeting perilous information infrastructures in India, such as energy, financial services, defence, and telecommunications, have the capability to brutally impact the nation’s economy and public safety. With the coming of the new reality, now, more than ever, the dependence on the internet has shown how the cyber world is tomorrow’s world for war; and therefore, immediately must be dealt with. As we are one click away from the future; it is essential to not click any malevolent portal. We shall endeavour to remove the redundancy from IT Act, and formulate Data Privacy Laws and then form progressive legal policies in education and business. Hence, the policies about cyberspace must cover an entire spectrum of current and future cyber challenges. 

The article can be cited as:

Tannvi, Cybersecurity of India: From attacks on Infrastructure to Pant’s Rules, Metacept-Communicating the Law, accessible at https://metacept.com/cybersecurity-in-india:-from-attacks-on-infrastructure-to-pant’s-rules

References:

---

[i] Raghuvanshi, D., INTRODUCTION TO CYBERSECURITY, https://www.ijeast.com/papers/178-181,Tesma407,IJEAST.pdf.

[ii] China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions, February 28, 2021, RECORDED FUTURE, https://www.recordedfuture.com/redecho-targeting-indian-power-sector/. (Last accessed on: April 14^th 2021, 14:00)

[iii] Archana Chaudhary, India Formulates New Strategy to Counter China’s Cyber Threat, BLOOMBERG QUINT, March 10 2021, 4:25 AM, https://www.bloombergquint.com/global-economics/china-hacking-concern-revives-india-focus-on-cybersecurity-plan. (Last accessed on: April 14^th 2021, 14:00)

[iv] Special Correspondent, Chinese cyberattack foiled: Power Ministry, March 02, 2021, 10:34 IST, THE HINDU, https://www.thehindu.com/news/national/attacks-by-chinese-groups-thwarted-power-ministry/article33965683.ece. (Last accessed on: April 14^th 2021, 14:00)

[v] ETech, Data of 10 crore Mobikwik users for sale on the dark web, say, cybersecurity experts, ECONOMIC TIMES, March 30, 2021, 05:07 PM IST, https://economictimes.indiatimes.com/tech/startups/mobikwik-data-breach-personal-data-of-over-10-crore-users-allegedly-available-on-sale/articleshow/81756544.cms. (Last accessed on: April 14^th 2021, 14:00)

[vii] Debak Das, An Indian nuclear power plant suffered a cyberattack. Here’s what you need to know., THE WASHINGTON POST (Analysis), November 4, 2019, at 4:30 p.m. GMT+5:30, https://www.washingtonpost.com/politics/2019/11/04/an-indian-nuclear-power-plant-suffered-cyberattack-heres-what-you-need-know/. (Last accessed on: April 14^th 2021, 14:00)

[viii] Mohamed Imranullah S., Was Aadhaar data breached, asks HC, THE HINDU, March 27, 2021, 01:13 IST, https://www.thehindu.com/news/national/tamil-nadu/was-aadhaar-data-breached-asks-hc/article34173871.ece. (Last accessed on: April 14^th 2021, 14:00)

[ix] Information Technology Act, Act No. 10 of 2009, INDIA CODE (2008), Vol. 1, §§ 2 (w).

[x] Correspondent, Facebook ad campaign helped Donald Trump win the election, claims executive, BBC NEWS, January 08^th 2020, https://www.bbc.com/news/technology-51034641. (Last accessed on: April 14^th 2021, 14:00)

[xi] Information Technology Act, Act No. 21 of 2000, INDIA CODE (2000), Vol. 1, §§ 79.

[xii] Shreya Singhal v. Union of India, (2013) 12 SCC 73.

[xiii] Information Technology Act, Act No. 21 of 2000, INDIA CODE (2000), Vol. 1, §§ 79.

[xiv] Information Technology Act, Act No. 10 of 2009, INDIA CODE (2008), Vol 13.

[xv] Information Technology (Intermediaries guidelines) Rules, 2011.

[xvi] Shreya Singhal v. Union of India, (2013) 12 SCC 73.

[xvii] Information Technology Act, Act No. 21 of 2000, INDIA CODE (2000), Vol. 1, §§ 66A.

[xviii] Shreya Singhal v. Union of India, (2013) 12 SCC 73.

[xix] Shreya Singhal v. Union of India, (2013) 12 SCC 73.

[xx] National Cyber Security Policy, 2013, Department of Electronics and Information Technology, MINISTRY OF COMMUNICATION AND INFORMATION TECHNOLOGY, https://nciipc.gov.in/documents/National_Cyber_Security_Policy-2013.pdf. (Last accessed on: April 14^th 2021, 14:00)

[xxi] REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL, Regulation (EU) 2016/679 of the European Parliament and of the Council, L 100000 May 2016, p. 1–88, https://eur-lex.europa.eu/eli/reg/2016/679/oj. (Last accessed on: April 14^th 2021, 14:00)

[xxii] Active Cyber Defense Certainty Act, One Hundred Sixteenth Congress, First Session of the United States of America (2019- 2020), H.R.3270, Retrieved from: https://www.congress.gov/116/bills/hr3270/BILLS-116hr3270ih.pdf. (Last accessed on: April 14th 2021, 14:00)

[xxiii] Correspondent, Ban on Chinese apps, including TikTok, surprises India content makers, BBC NEWS, June 30^th 2020, https://www.bbc.com/news/world-asia-india-53232486. (Last accessed on: April 14^th 2021, 14:00)

[xxiv] Nikhar Aggarwal, Lt Gen Rajesh Pant (retd) takes over charge from India’s first cybersecurity chief Gulshan Rai: Sources, ECONOMIC TIMES: CIO, March 26, 2019, 09:57 IST, https://cio.economictimes.indiatimes.com/news/corporate-news/lt-gen-rajesh-pant-retd-takes-over-charge-from-indias-first-cybersecurity-chief-gulshan-rai-sources/68573039.(Last accessed on: April 14^th 2021, 14:00)

[xxv] Chawla G., Aravindakshan S., Srivastava V., COMMENTS TO THE NATIONAL SECURITY COUNCIL SECRETARIAT ON THE NATIONAL CYBERSECURITY STRATEGY 2020 (NCSS 2020), Centre For Communication Governance At National Law University Delhi, https://ccgdelhi.org/wp-content/uploads/2020/03/CCG-NLU-Comments-to-the-National-Security-Council-Secretariat-on-NCSS-2020.pdf. (Last accessed on: April 14^th 2021, 14:00)

[xxvi] Nikhar Aggarwal, Lt Gen Rajesh Pant (retd) takes over charge from India’s first cybersecurity chief Gulshan Rai: Sources, ECONOMIC TIMES: CIO, March 26, 2019, 09:57 IST, https://cio.economictimes.indiatimes.com/news/corporate-news/lt-gen-rajesh-pant-retd-takes-over-charge-from-indias-first-cybersecurity-chief-gulshan-rai-sources/68573039.(Last accessed on: April 14^th 2021, 14:00)