In the past two weeks, India has acknowledged two major cyberattacks, both of which demonstrated evidence of North Korean involvement. The first attack was carried out against India’s newest and largest nuclear power plant, Kudankulam Nuclear Power Plant, while the second targeted the Indian Space Research Organization (ISRO), India’s space agency, during its failed moon landing mission in September.
These two incidents underscore criticism that India’s cybersecurity capabilities have failed to keep pace with Prime Minister Narendra Modi’s Digital India Initiative. Inadequate cybersecurity could turn the Digital India Initiative, which hopes to “transform India into a digitally empowered society and knowledge economy,” into a serious economic and national security vulnerability. To address its cybersecurity gaps, the Indian government should follow the examples of other Asian governments, such as Taiwan, and implement cybersecurity training for its government employees that meets international standards, develop a domestic cybersecurity workforce, and increase cybersecurity exercises with partner nations, especially in Asia.
The hacks of Kudankulam Nuclear Power Plant and ISRO both began after their employees fell for phishing attacks, which are targeted emails often containing malware-infected attachments or links to malware. Once employees open the attachment or click on the link, the malware infects the computer, thus giving the adversary access to it. Eventually, attackers move from the infected computers through the connected networks, gaining control over different systems. Although unsophisticated, phishing attacks are responsible for over 70 percent of hacks globally, but with adequate employee training and institutional measures, India can reduce their impact.
In order to accomplish this, it should look to Taiwan’s model of cybersecurity training. In 2018, Taiwan’s National Center for Cyber Security Technology (NCCST) launched its Information Sharing and Analysis Center for coordinating cybersecurity auditing and training for government agencies. The center’s trainings on how to handle phishing emails and texts for government employees have dramatically lowered the rate of malware infections on government networks and spread awareness of the dangers posed by phishing attacks to the public. The Indian Computer Emergency Response Team (CERT-In), which serves as the national agency for handling India’s cybersecurity, should follow the NCCST’s example and implement anti-phishing and cybersecurity awareness trainings across India’s government agencies. These measures are cheap and could prevent attacks, like the ones suffered by Kudankulam Power Plant and ISRO, from occurring in the future.
As India adopts new technologies and pursues digital modernization, it will also need to cultivate a cybersecurity workforce. Recognizing this, India’s National Association of Software and Services Companies (NASSCOM) launched a Cyber Security Task Force in 2015 to plot a course for training 1 million certified cybersecurity professionals and launching over 100 “successful” cybersecurity startups by 2025. However, it is unclear what progress has been made, as vacancies for cybersecurity positions in India still outnumber qualified candidates. According to Debjani Ghosh, president of NASSCOM, “If you look at the job openings in these areas in India, the numbers are mindboggling.”
With too few cybersecurity professionals, critical infrastructure is at an increased risk of being targeted by adversaries. In order to play catch-up and respond to demand, India should look to the United States’ National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, which helps employers assess their cybersecurity workforce and identify critical gaps in cybersecurity staffing, and provides guidelines to cybersecurity education providers to develop practical curricula. By following the NICE model, India can establish effective vocational training programs for cybersecurity professionals. Moreover, the Indian private sector will be more aware of the threats that they face and what skills they require.
India should also engage in cyber exchanges and exercises with other governments, particularly in Asia. While it has run simulations of cyberattacks on its critical infrastructure domestically, India would benefit from participation in international exercises and gaming. It is likely that the Indian military has simulated attacks on the same domestic targets over the years, probably using a similar set of tactics, techniques, and procedures. New exercises would expose India to simulated attacks from a wide range of countries with different levels of capabilities. For starters, India should advocate for its participation in the U.S.-led Cyber Storm exercises, which are international cyberwar simulations held every other year. Also, the United States concluded its first Cyber Offensive and Defense Exercises (Code) with Taiwan in November, which, beyond simulating a massive cyberattack on Taiwan’s computer systems, also strengthened cybersecurity cooperation between the governments that participated. These ties set a foundation for further cooperation, assistance, and even intelligence sharing in the future. Participation in multilateral cyber exercises, like Code and Cyber Storm, would grant India all of these benefits.
India has much to gain by learning from the experiences of other governments that have tackled similar cybersecurity challenges. By taking these steps, India will improve the cybersecurity component of the Digital India Initiative, add to its cybersecurity workforce, improve partnerships across the region, and lay the foundation for a more secure India as its economy becomes increasingly digitized in the future. Most importantly, India will be better prepared to protect its critical infrastructure from attacks like the ones it recently fell victim to. All of these proposed steps are preventative in nature, which will pay off in the long run as India becomes more technologically connected, and therefore more enticing as a target for adversaries.
Connor Fairman is a Research Associate in Digital and Cyberspace Policy at the Council on Foreign Relations in New York.