So what’s new? China yet again seems to have hacked into Indian infrastructure. Not just any infrastructure, but critical ones. Specifically they got into the Mumbai power grid effecting a blackout.
What saved us wasn’t the government — far from it, the redundancies that citizens take to compensate for India’s governance failures are what saved the day. At a time when Mumbai was reeling due to its abysmal mismanagement of COVID-19, a lockdown in any normal country would have resulted in several deaths. In India, because we are so used to the power going off for hours on end, every hospital, transport station, etc. has generators and power backups factored in. That this particular attack did not cost lives was mere fortitude; in any other country a similar attack would have claimed dozens, if not hundreds, of lives.
Past Hackings
This isn’t the first time China has made a mockery of India’s alleged ‘cyber prowess’. On two occasions in 2008 and 2009, and possibly again in 2011, the Chinese were able to turn on the cameras and microphones of every networked ministry of external affairs computer at any Indian embassy anywhere in the world. Mind you, this was not detected by the authorities concerned, but it was the anti-virus companies that were summoned in to look at anomalies who detected it on all occasions.
Now if the same thing happening twice (possibly thrice) isn’t bad enough, the fact that we on all three occasions lacked the diagnostic capacity speaks volumes for how seriously we still take it. This story only gets worse.
In 2010, Chinese hackers broke into computers at the Prime Minister’s Office and gained access to sensitive files. In 2017 they broke into a high profile government video conference.
In 2019, the Kudankulam nuclear power plant was hacked, albeit only on the administrative site, but enough information to provide the Chinese with a comprehensive profile of who worked there and leads, therefore, on how to compromise employees at a later date.
Problems Aplenty
One would reckon that being a nuclear power and an aspiring global power, India would take cyber issues more seriously? No. The problem is we in India seem stuck in a toxic cycle comprising several elements that form a systemic inability to evolve a comprehensive approach to cyber security.
First is the lack of cyber hygiene training of government officials, leave alone senior government ones. This is a cultural issue, because once you become a government servant, the culture is you pretty much know everything and are infallible.
The second is also a cultural trait that exempts VIPs from following the rules — the higher you go, the more the exemptions. Screenings at airports is a good example. Why are there exceptions for select categories of flyers from security checks similar to what regular passengers undergo? This system of privilege creates a culture of fear in the security officer, and has given us the phrase ‘janta nahin mera Baap kaun hai!’
The general laxity, or in some cases ‘flexibility’, of security is another major issue. I’ve been in at least three airport queues where people have been able to plead with the CISF officials to allow huge bottles of shampoo, conditioner and other assorted cosmetics in quantities way over the safe limit. Individually they might appear harmless, but positively weaponisable when taken in totality.
The problem gets compounded when you look at the punishment and reward culture. On the one hand the need for finding an immediate scapegoat who can take the fall, removes the need for a systemic response. On the other, the lack of accountability of those in charge means even a basic incentive to initiate a systemic response is absent — leave alone living up to performance standards.
Sociological Problems
The other two problems are sociological. The first is that India’s education system is a learn-by-rote model that actively dis-incentivises problem-solving. Moreover individual human investment is virtually non-existent, with knowledge seen as a finite end point, rather than a constant evolution. While the former approach was at best tenuous till the 1970s, given the rapidity of technology, this approach is ruinous. Its side effects include excessive systemic and institutional rigidity and the inability to evolve rapidly to face new and emerging threats.
Finally there is absolute absence of trust in the government. Unlike say France where most people prefer sharing data with the government rather than private companies, India’s public trust is almost non-existent given the rampant abuse of governmental power. This essentially thwarts the creation of a public-private threat database where information can be shared freely and comprehensive responses developed.
Individually, any one of these would be enough to wreak havoc on a robust security system. Collectively they are absolutely calamitous. One only needs to visit the plethora of Indian cyber security conferences to understand the gaping chasm between the rest of the world and the Indian government’s understanding of the underlying issues.
Sadly even this latest episode has seen the same lack of corrective action. It is only a matter of time before a cyber-attack leads to fatalities in India. Efforts should be to prevent such an attack, and not wait to take corrective action after the event.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!