13 March 2017

India’s Cyber Potential: A Bridge Between East and West


Security researchers and policymakers around the world are struggling with the challenge of securing the digital networks that governments, private companies, and people in general depend on every day. While the most common points of reference to engagements in cyberspace are in the United States, Europe, Russia, and China, other countries are quickly realizing the importance of securing critical networks from crime, sabotage, subversion, and espionage. As the country with one of the world’s fastest-growing populations and economies, this realization is bearing down on India more than most.

So what is India’s current cybersecurity atmosphere, where are the major threats, and what role does the country play in online normative efforts?

Jonathan Reiber, a Senior Fellow at the Berkeley Center for Long-Term Cybersecurity and former Chief Strategy Officer for Cyber Policy in the U.S. Office of the Secretary of Defense, notes that “While China has upwards of 720 million internet users, India jumped past the United States to something like 460 million internet users in 2016. But the interesting thing is that the United States is at essentially 90 percent user penetration, and by the end of 2015, China and India were only at about 51 percent and 36 percent penetration respectively.” This means that India, and its populous neighbor China, will dwarf other countries in digitally connected individuals and organizations, and therefore in attack surface vulnerabilities as well.

Cherian Samuel, a Research Fellow in the Strategic Technologies Centre at the Institute for Defence Studies and Analyses in New Dehli, points out that already “India has faced attacks from nonstate actors, cybercriminals, and hacktivists. Nonstate actors, backed by the usual suspects, have largely engaged in cyber espionage by hacking into government networks while cybercriminals have been feeding off the ever-expanding landscape of Digital India. Hacktivists identifying themselves as part of the larger Anonymous collective and so-called patriotic hackers have also targeted Indian networks and systems.”

As early as 2010, the Indian government noted that more than 3,600 websites were hacked in the span of six months. Cybercrime in India then jumped 350 percent from 2011 to 2014, and just last month, Indian authorities arrested individuals involved in an online scam that duped 650,000 people into sending $550 million to criminal-controlled accounts. Reiber notes “India faces a lot of cybercrime. Ransomware is a huge problem and a major concern for the Indian government as people often have their passwords stolen and control of their devices held by criminals.”

Like other countries – though perhaps to a lesser extent – India’s geopolitical factors impact the cyber world. Last year, cybersecurity firms Proofpoint and FireEye revealed a sustained cyber espionage campaign targeting Indian government officials, allegedly the work of a Pakistani group. Most of the activity seemingly emanating from Pakistan, however, seems to come in the form of basic website defacement. The problem, of course, is attribution. According to Samuel, “there has been no means of verifying whether they are acting independently or under the direction of unseen hands.” Meanwhile, in 2013 Russian cybersecurity firm Kaspersky released a report identifying a sustained Chinese cyber espionage campaign targeting Indian institutions, while in 2015 FireEye maintained that China was burrowing into Indian government bodies, universities, and companies to steal sensitive political, military, and economic information.

The threat of escalating cyberattacks prompted Indian officials to call for the creation of a military cyber command in 2013, with the aim of creating a 500,000-strong force. India has also sought to set up a National Cyber Coordination Centre as a centralized mechanism for monitoring internet traffic in cooperation with local internet service providers in order to better assess cybersecurity threats – and to facilitate variety of other international and domestic intelligence collection similar to the NSA’s PRISM program, revealed in 2013 by former contractor Edward Snowden. Internet freedom proponents, however, fear the new intelligence apparatus could facilitate domestic surveillance and censorship in the world’s largest democracy.

Furthermore, much like the information campaigns that plagued the 2016 U.S. presidential election – and those threatening the integrity of many upcoming European elections – there is a fear that botnets could be used to spread confusion and doubt among an increasingly digitally informed Indian citizenry. Regional players like China and Pakistan could indirectly sway policy, while Russia – despite being India’s primarily supplier of military equipment – could gain favor or simply disrupt India’s internal deliberations.

To date, India has shown close cooperation with the United States on establishing international norms in cyberspace. Reiber argues that “India is a country of laws and democracy, and they share similar values and views of the world with the United States. Regarding norms of cyberspace operations, India largely follows the laws of armed conflict. The United States does too, and the United States sensibly wants to partner with India on an entire range of strategic issues that impact both countries.”

One example of shared norms, according to Reiber, has been that India expressed a desire to follow a multi-stakeholder internet governance model, similar to the longtime ICANN model in the United States. The adoption sends a message to other developing countries that the internet can be secured without infringing on freedom of expression and commerce. India has also injected the norm into discussions with Russia and China, showing India could act as a bridge between the East and West in international forums.

However, Samuel argues that “while the United States and India have had a history of sustained consultations on cybersecurity, with a number of agreements being signed between relevant agencies of the two countries, including an overarching Framework Agreement in 2016, these developments are yet to make a visible difference to India’s cybersecurity.”

India, like all countries, has a long way to go in securing their digital networks.

No comments: