High levels of investments are required to improve the private sector’s cybersecurity framework and regulatory compliance in India.
In the movie Die Hard 4.0, John McClane and a young hacker team up to thwart the plans of cyber-terrorist Thomas Gabriel in Washington D.C. Gabriel’s plan is known as “fire sale” which is a coordinated attack on the US critical infrastructure such as financial and utility systems. But the consequences of cyberattacks were not fully understood as the cyberattack was a fantasy till it become a prolific feature in the second half of the 21st century.
By Mangesh Sawant, Partner, Homeland Security, Global Security, Geopolitics and Military Studies ExeSTAT India Columbia University Alumni
Cyber operations are an integral part of modern warfare. Cyberweapons are tools of war that disable a nation’s critical infrastructure without firing a single bullet. It provides states such as North Korea and China with a degree of plausible deniability. China uses cyberattacks as a way to advance its economy. Critical infrastructure the lifeline of any nation is the prime target as attacks can have a devastating effect on the economy. Electricity grids, hospitals, and telecommunications, and transportation networks will come to a standstill. Ships will be sent off course to unplanned locations. Logistics will be disrupted as supplies will arrive late or not at all.
Nation-states hire hackers who exploit the operational technology (OT) systems gaps in critical infrastructure networks. Targets are no longer limited to the defense industry as multinational organizations and small businesses have been disrupted by cyber attacks. US and India are the prime targets for Chinese cyber operations in an era of geopolitical competition.
Colonial Pipeline suffered a ransomware cyberattack that impacted computerized equipment managing the pipeline. The cyberattack which shut down 5,500 miles of pipeline from Texas to New Jersey was the largest cyberattack on the oil and gas industry target in U.S. history.
Apart from oil and gas the electricity sector is the favorite target of nation-states. Hackers target companies that generate and distribute electricity across the country. About 70% of power transformers in the US are at least 25 years old and were not designed for the digital age. Disruption of power generation across the grid for five days would cause an economic loss of $193.5 billion. This is equivalent to approximately 30 percent of the Department of Defense’s 2021 budget. The US could only afford another three to five days with the Colonial Pipeline crisis before mass transit would have to limit operations according to a confidential assessment prepared by the Energy and Homeland Security Departments. Ransomware will be the prime threat to the private and government sectors.
India: An Ostrich Between a Wolf Pack
Cybersecurity is becoming a top priority for the U.S. as the government and the private sector are implementing cybersecurity standards. U.S. President Joe Biden, Congress, and the senate are implementing plans to protect the critical infrastructure. US Department of Defense has created a Cyber Command which is an integral part of war planning. The U.S. Justice Department has prioritized ransomware attacks on the same level as terrorism. The U.S. private sector is installing access management systems and upgrading security measures. The U.S. government is sharing cyber intelligence with the private sector. The NSA and DHS have been issuing advisories to the private sector and the public about the increase in adversary capabilities and activities for years. The NSA had issued an advisory for critical infrastructure owners to review their OT systems. A national security memorandum outlined the implementation of better cyber security standards while the US government had warned pipeline operators about ransomware threats. Cyberthreat is so serious that the FBI director made direct comparisons to 9/11.
India remains vulnerable to cyber-attacks while the U.S. has taken measures to fortify its cyber defenses. It is a widely known but little appreciated fact that cyber security is a low priority for India’s private sector. India seems to be lacking in cyber security culture, installation of security controls, and implementation of best practices and compliance and regulatory requirements. The present cyber governance management has a negligible impact on lowering the cost of cybercrime.
India is the second most targeted country for cyber attacks globally while ransomware accounted for 40% of all attacks. India was among the top three Asian nations affected by DNS cyber attacks. In India, an organization was being attacked on average 1,738 times per week in the first six months of 2021, compared to 757 attacks per organization globally. Manufacturing, insurance, legal, and healthcare are the most impacted sectors.
The private sector seems to prefer the ostrich approach. A large part of the private sector depends on legacy infrastructure with inadequate cyber security protection. Organizational networks are at risk as backend security infrastructure is not installed even though there is widespread digital adoption across the private sector. The level of understanding of cloud security remains dangerously low. Cyber attacks are becoming more sophisticated yet there is a lack of understanding among the end-user. Prevention continues to be limited to the installation of antivirus and malware protection software by employees on their personal devices. There is a largely unorganized and fragmented sector of cyber security service providers who install illegal software. An absence of a stringent legal cyber framework is affecting the identification and prosecution of cybercriminals.
India’s organizational cyber infrastructure is out of date and poorly maintained. Hackers have unimpeded access to networks. Companies don’t patch the old software, default passwords are not changed, security and incident response plans are lacking and two-factor authentication is not implemented. At the Colonial pipeline, it came down to the lack of multi-factor authentication on an old employee account.
A majority of the business sector consists of small and medium-scale enterprises which remain highly vulnerable to sophisticated attacks. The sector is unprepared to deal with a cyberattack as businesses don’t employ sufficient IT professionals while budgetary allocations are acutely insufficient.
Costs to Company
The impact of a cyber incident will lead to business disruption. Ransomware breaches are financially damaging because they affect the balance sheet, productivity, and cost efficiencies. The cost of the ransomware payment – the issue that receives most of the attention – is minor compared to the cost of repairing the breach, information loss, reputational loss, equipment damage, and erosion of profit margins. A class-action suit was filed in federal court in Georgia against Colonial Pipeline. Plaintiffs alleged that the Defendants failed to implement and maintain security measures and procedures.
Ransomware costs businesses more than $75 billion per year while companies lost around $8,500 per hour due to ransomware-induced downtime. According to a survey 90% of clients of 1,100, IT professionals suffered ransomware attacks. The average ransomware payment in 2021 increased by 82% year over year to $570,000 and around 121 incidents have been reported in the first half of 2021, up 64% year-over-year. The largest ransom demand observed so far in 2021 is $100 million. Around 41 percent of insurance claims in the first quarter of 2021 were related to ransomware. High levels of investments are required to improve the private sector’s cybersecurity framework and regulatory compliance in India.
The IT landscape is vulnerable to cyber attacks due to global interconnectedness and the widespread use of devices. Traditional network defenses with multiple layers of disjointed security technologies are unable to meet the cybersecurity needs of the 21st century. The use of IoT devices will accelerate as 5G is implemented which will lead to large-scale, multi-vector fifth-generation attacks. Organizations need a better way to secure their infrastructure and provide unified access control to data, services, and applications.
The digital age has increased productivity and efficiency, but many Indian organizations are unable to manage the risks that accompany it. Organizations are prioritizing short-term growth and cost-cutting at the expense of cyber security. Cyber risks have increased due to the expansion of remote work access during the COVID-19 pandemic. This has led to an increase in cybercrimes by 600%. The pandemic has widened the attack surface.
In another Die Hard movie John McClane takes on the terrorists who hijack ATC systems leaving aircraft stranded midair but John is unavailable in the offline and the real world. A whole government approach in collaboration with the private sector is required as digital technology is now the most valuable asset in the world. Deploying the latest technologies is what separates secure companies from their weaker peers.
Adversaries such as China, terrorists, and cybercriminals have learned how little it takes to provoke chaos across the country through the disruption of critical services. This underscores the need for effective cyber defenses to protect critical infrastructure. Cyber operations against strategic targets will increase in the future. Consider it as an electromagnetic attack on the infrastructure which disrupts services but does not destroy the infrastructure.
Future conflicts will be fought in organizations and not on the battlefields of traditional warfare. Geographical borders are disappearing only to be redrawn in company premises. Adversaries will invade countries through organizational networks. The private sector should harden its cyber defenses while the military protects the nation’s borders. Cyberattacks are the 21st national security threats comparable to conventional warfare.
About the Author
Mangesh Sawant has a Masters in International Affairs Degree from Columbia University, New York, where he concentrated in international security policy. He is a subject matter expert on global security, military studies, Homeland Security, and geopolitical risk analysis. Mangesh has more than 18 years of experience in studying military strategy and tactics, warfare, conducting research, policy analysis and formulation and developing case studies and lessons learned. His articles are published in The National Interest, Small Wars Journal, Modern Diplomacy, Eurasia Review, E-International Relations, Indian Defense Review, Security Management. Geopolitical Monitor, Internationale Politik, Over the Horizon Journal and The Geopolitics.