In response to a report from Kaspersky about a cyber attack, and a subsequent disclosure by a cyber security expert that the target was the Kudankulam Nuclear Power Plant, an official from the power plant hasn’t denied that it faced a cyber attack, or that it was infected: only that the control systems are not connected to the Internet, and that the power plant units are operating without any operational or safety concerns.

Two things to consider here: This doesn’t mean that other systems related to the power plant, ones that are indeed connected to the Internet, weren’t affected. It also doesn’t mean that there weren’t any concerns earlier, or that there aren’t concerns about other parts of the nuclear facility that might be connected to the Internet. Remember that the power plant had stopped operations on October 19, 2019. Remember also that an air-gap isn’t necessarily sufficient to prevent a cyber attack on a nuclear facility. This kind of incomplete denial, and the dismissal of credible information from credible sources as “false information”, is straight out of the UIDAI’s playbook of denying that data breaches ever happened, and does little to address legitimate concerns.

Cyber attacks are here to stay, and how we respond to them needs to be given due consideration. A few points to consider:

1. Cyber threats and attacks are going to increase: Nuclear power plants aren’t the only critical infrastructure in operation, and as India digitises further, and as more institutions are created, the attack surface will grow. Remember that it isn’t just power plants and digital payments: India is centralising datasets and connecting them together: India is in the process of setting up a public credit registry; there’s Aadhaar, the largest biometric database in the world; there are state resident data hubs with citizen data; the National Health Information Network with electronic health records is being planned; UPI just crossed a billion transactions per month; NATGRID has a plan to connect multiple databases together. As more critical infrastructure is set up, the risk of crippling critical parts of India’s security and economic infrastructure increases. (P.S.: I’m not suggesting that India shouldn’t digitise its systems; just that the scale at which we are centralising poses great risks)

2. Systems are going to be breached: There’s no such thing as a perfectly secure system, not even one that is disconnected from the Internet. Those looking to attack critical infrastructure can wait for years for a single mistake to be made. This is cyber warfare, and vulnerabilities are going to be found. Dealing with zero-day vulnerabilities, where the defender has little or no information about the flaw being exploited and the attacker therefore gets at least one clean chance to exploit it, is next to impossible, and this is why attackers pay a premium for such vulnerabilities.

3. Attribution is extremely difficult in cyber warfare: Attributing cyber attacks to specific entities or nation states is extremely difficult, because cyber attacks can be launched from compromised devices spread across various countries, as well as via proxies. Cyber attacks are something that no one claims credit for. An attack on a nuclear installation would be an act of war under normal circumstances, but what if no one knows where the cyber attack came from?

4. What will help is perhaps defining global conventions around cyber attacks, something like a global agreement around the digital space, akin to a digital Geneva Convention on cyber warfare: a minimum agreed-upon list of norms on what states must absolutely not do to other states and their citizens. At present, there’s the Paris Call for Trust and Security in Cyberspace (Editor: MediaNama is a signatory), the Tallinn Manual, and Microsoft, the Hewlett Foundation and Mastercard have set up the CyberPeace Institute.

At the United Nations, from 2-4 December 2019, an intersessional meeting of the Open-Ended Working Group is being held to discuss aspects of cybersecurity in the context of international security. The agenda is to discuss, among other key things:

  • Cooperation between states around cyber security, related to:
    • Preventing ICT practices that might pose a threat to international peace and security
    • Information exchange for the prosecution of terrorist and criminal usage of ICTs
    • Assisting other states whose critical infrastructure has been affected by malicious ICT attacks, and taking steps to mitigate malicious ICT activity aimed at the critical infrastructure of another state emanating from their own territory
  • States not knowingly allowing their territory to be used for cyber attacks, and not using proxies for cyber attacks
  • States not conducting or knowingly supporting the usage of ICTs to damage or impair critical infrastructure that provides services to the public, and taking measures to protect their own critical infrastructure from such threats

In this context, India should consider strengthening its CERTs and empowering sectoral CERTs. Working with the private sector to enhance capacity and manpower related to cyber security will help develop local capabilities.

5. This shouldn’t be used for politicisation: It’s likely that such incidents will be politicised to further ideas of data localisation and “digital sovereignty”. These will not help:
a. Data localisation will create more vulnerabilities for Indian users, because concentrating data within one country makes it easier for an attacker to identify targets.
b. “Digital sovereignty”, or creating a great firewall of India, will not help either. India will benefit more from global cooperation on cyber security, and from building internal prevention and response capabilities, than from shutting off the Internet’s access to India and India’s access to the open Internet.

If these attacks did indeed happen, it would be best for the Indian government to acknowledge them, address the vulnerabilities found, improve processes, and build the capacity to respond faster.