
Cyber safety is too vital to be caught napping on


While the Centre denies that a Chinese cyber attack snapped off Mumbai’s power last year, a state-level probe and a US report suggest otherwise. Either way, we must fortify ourselves

The public revelation of a China-backed cyberattack’s likely role in Mumbai’s electricity blackout on 12 October last year has revived worries across India over the vulnerability of key installations, a lazily aimed security focus on Chinese apps, and national laxity in a theatre of hostility where we had assumed some prowess, thanks to Indian exploits in the sphere of information technology. To assure us of the government’s alertness, the Union power ministry admitted that a Chinese hacker group called Red Echo had repeatedly targeted the control rooms of Power System Operation Corp. Ltd (Posoco), but flatly denied it had any role in Mumbai’s outage. By the Centre’s claim, Red Echo failed to hack the state-run grid operator’s computer systems and no breach of data took place. The ministry said it was alerted by the Indian Computer Emergency Response Team, a cybersecurity agency, of a malware threat to Posoco on 19 November. It was not until 12 February that our National Critical Information Infrastructure Protection Centre informed the ministry of Chinese attempts to disrupt domestic power supply. All this was long after—almost aeons on an ‘internet time’ scale—our commercial capital was paralysed by what was probably a Chinese e-salvo fired in the wake of Ladakh’s border scuffle and resultant tensions, as the US-based cybersecurity firm Recorded Future claimed.

While Beijing issued its routine statement of denial and the Centre pinned the Mumbai trip-up on human error, the government of Maharashtra contended that a preliminary report by the state’s cyber police pointed to an act of sabotage by “unidentified foreign agencies”. Its probe, the state said, had found evidence that implied trojan infiltration of Maharashtra State Electricity Board’s server: 8 gigabytes of data had been sneaked in from overseas. That this discovery led to nothing notable by way of fortification is worrisome enough. That the official statements of the two governments are at odds would suggest cracks between the Centre and opposition-ruled states that could be exploited by aggressors. Instead of popular apps with Chinese antecedents, such online exposure is what should be the focus of top-level attention.

As the tools of cyber warfare get ever more sophisticated, India’s e-defence apparatus cannot afford to drop its vigil. Conventional wars have become relatively rare. The asymmetries of power projection that are gaining relevance are those in the domains of digital technology. China’s latest revision of its military strategy laid much emphasis on this. Spyware is but one aspect of it. A Beijing-backed group called Stone Panda, for example, recently aimed its cyber-moles at Serum Institute and Bharat Biotech to exfiltrate intellectual property. But bits and bytes can wreak much worse havoc. If remote malevolence can cripple an electricity network, it could conceivably also push a nuclear plant into meltdown. In 2010, a sharply-aimed piece of code called Stuxnet, seen as the handiwork of Israel and America, managed to penetrate Iran’s Natanz nuclear facility and stall its uranium-enrichment for some time. The very existence of digital weapons should serve as a warning of how ugly their use could get. What India needs right now is a thorough audit of all our cyber defences to plug any gaps that may exist, apart from better Centre-state coordination on e-security. Let’s never be caught napping. It’s too dangerous.
