After the blackout

When the Maharashtra government said earlier this week that there was a possibility that the Maharashtra State Electricity Board’s servers were breached by malware inserted by unknown foreign entities, and suggested a link to the massive power outage on October 12 last year, it seemed that long held fears and warnings by sections of India’s national security policy community had come true — that hostile state actors may shift to “non-contact warfare” for which cyberspace provides unlimited opportunities. In this particular case, a US firm that studies the use of cyberspace by state actors appears to have alerted Indian authorities to the breach. The power breakdown occurred at the height of India-China tensions at the Line of Actual Control in Ladakh. There is speculation that the breakdown was a warning from Beijing that it could take hostilities to a whole new level. Delhi has denied a Chinese link to what happened in Mumbai, but the fact that unidentified entities made attempts to hack a vital arm of India’s infrastructure and the possibility that this might have played a role in paralysing its financial capital should serve as a wake-up call. For, despite the awareness for at least a decade, if not more, of the coming of a new age of digital warfare, India seems to have done little to prepare for it.

A National Cyber Power Index drawn up by the Belfer Center at Harvard University last year ranked India 21 out of 30 countries in cyberspace abilities. The composite ranking was derived from expertise on seven parameters, broadly indicating intent and capacity: Defence, Offence, Surveillance, Control, Intelligence, Commercial and Norms. China was number 1, followed by the Netherlands, France, United States and Canada. The report concluded that India was among the 13 countries that did not exhibit either the intent or the capacity to use cyberspace to achieve policy goals. An India that considers itself a knowledge economy cannot remain defenceless and/or without adequate capacity in this sphere. The lack of expertise showed in the Maharashtra state government’s inability to detect the malware in the MSEB servers in time, and has exposed the country’s vulnerability.

Cyberwars can be fought on many fronts, from a country’s electoral politics to its banks and road traffic systems to its publishing houses and military operations. India has no choice but to confront this threat, prioritise it, and invest in technology and knowledge systems that can deal with it. It took nearly a decade after it was proposed for the government to approve the setting up of a tri-services Defence Cyber Agency in 2019. But as has been pointed out repeatedly, it can prove to be an effective arm of national security only when its place is understood in a codified national security doctrine, which for a country of its size, aspirations and ambitions, India surprisingly does not have.