Editorial Simplified : Security Compromised | GS – III


Relevance: GS Paper III


Theme of the article

India’s claims to being a legitimate power in cyberspace have come under doubt following the recent revelations.


Context

Recently, a DTrack data dump linked with the Kudankulam Nuclear Power Plant was identified, indicating that a system (or more) in the plant had been breached by malware. The Nuclear Power Corporation of India Ltd (NPCIL) confirmed the breach. Separately, WhatsApp sued the Israel-based NSO Group for the use of its ‘Pegasus’ spyware on thousands of WhatsApp users in the lead-up to the general elections.


Doubts in India’s claims

These two incidents cast serious doubts on India’s claims to being a legitimate power in cyberspace, both due to the vulnerability of its critical information infrastructure and its blatant disregard for the fundamental rights of its citizens online.


The Pegasus attack

  • As for Pegasus, it appears that over a two-week period in May 2019, an as-yet unknown number of Indian journalists, academics and activists were among those targeted by a government agency using Israeli spyware bought off the shelf.
  • Following a lawsuit, the NSO Group, the Israeli company that created the spyware, released a statement claiming that it licenses its product “only to vetted and legitimate government agencies”.
  • There are but a handful of agencies that are authorised under the Information Technology Act, 2000 to intercept, monitor and decrypt data. Should the fingers point to the National Technical Research Organisation, the country’s foremost TECHINT gathering agency?

Important issues highlighted by these cases

  • There are three glaring issues highlighted by these cases.
  • First, contrary to what the NPCIL may claim, air-gapped systems are not invulnerable. Stuxnet crossed an air gap, crippled Iran’s nuclear centrifuges and even spread across the world to computers in India’s critical infrastructure facilities. It is also not enough to suggest that some systems are less important or critical than others — a distributed and closed network is only as strong as its weakest link.
  • Second, with the Indian military announcing that it will modernise its nuclear forces, which may include the incorporation of Artificial Intelligence and other cybercapabilities, the apparent absence of robust cybersecurity capability is a serious cause for concern. If it cannot secure even the outer layer of networks linking its nuclear plants, what hope does the government have of inducting advanced technologies into managing their security?
  • Third, the surveillance of Indian citizens through WhatsApp spyware in the lead-up to the general elections highlights once again the government’s disregard for cybersecurity.
  • Ironically, these instances point to a weakening of India’s cybersovereignty: the government comes across as incapable of protecting its most critical installations and, by rendering digital platforms susceptible to spyware, as limiting its own agency to prosecute and investigate cybercrime.
  • These incidents also fly in the face of the country’s claims to being a responsible power as a member of export control regimes such as the Wassenaar Arrangement.

Conclusion

If India plans to leverage offensive and defensive cybercapabilities, which are of course its right as a sovereign power, it needs to get serious about cybersecurity. The security of a billion hand-held devices is of equal strategic value to the country’s nuclear assets.


 
