In recent years, there has been a notable surge in successful cyberattacks targeting Indian government entities. The year 2023 witnessed a staggering 4,29,847 cyberattacks on financial services organisations in India alone, with 70 government websites, spanning both Union and state governments, falling victim to hacking. Moreover, the first half of 2023 saw 1,12,474 cybersecurity incidents linked to various government organisations.
As India approaches the interim budget for 2024-25, it is imperative to prioritise cybersecurity as a cornerstone for bolstering deterrence. This necessitates a comprehensive approach that encompasses considerations of offensive capabilities, attribution of attacks and the establishment of effective countermeasures. While entities such as CERT-In, the National Cybersecurity Coordination Centre, the National Critical Information Infrastructure Protection Center and the Indian Cyber Crime Coordination Centre have implemented proactive programs against cybercrime, additional efforts are required to safeguard the ever-evolving modern attack surface.
Understanding the nature of the threat, its potential impact on Indian government systems, and devising appropriate responses takes precedence over merely identifying the source of the threat. Given the escalating frequency of attacks, it is important for India to fortify its critical infrastructure against nation-state actors, cybercriminals and ransomware groups. This entails allocating budgets to implement robust cybersecurity risk management practices, ensuring a proactive and resilient defense against evolving cyber threats.
Clearly defined cybersecurity standards: The Union budget requires monetary allocation towards establishing baseline cybersecurity standards for critical infrastructure that align with international standards and the National Institute of Standards and Technology (NIST) Framework to improve Critical Infrastructure Cybersecurity, which are founded on effective cyber hygiene practices. Investments are needed to create basic cyber hygiene for critical infrastructure operators, including continuously understanding what assets are on the network and what assets are connected to the internet, establishing strong identity and access management practices, and scanning for and patching known vulnerabilities, in addition to CERT-In’s robust incident detection and response activities.
Public-private partnerships: When it comes to securing critical infrastructure, it is natural for governments to shy away from partnerships with private organisations and rely on in-house security efforts, largely due to the sensitive information in their possession. However, more investment towards strengthening value-added engagement between the private and public sectors can greatly benefit the Indian government. This includes bringing together representatives from private industry and key government agencies to drive strategic planning and incident response capabilities, along with providing necessary training for those responsible for India’s critical infrastructure.
Zero Trust: Given the complexity of the modern attack surface, India needs budgetary allocation towards establishing zero-trust architecture. The Government of India should provide various departments and agencies with the resources needed to modernise and strengthen their collective cyber defence, and establish a Zero Trust framework that dictates systems design and operation.
Fund the Digital Personal Data Protection Act: Enacted in 2023, the DPDP Act is a step in the right direction towards ensuring Indian organisations take data protection seriously. With fund allocation to implement the legislation, India can greatly benefit from proactive measures to protect the data of its 1.4 billion people.
Drive stronger OT security: Union government departments and agencies own and operate numerous OT and ICS systems. To drive stronger asset management practices for OT and ICS systems, it is vital that the government invests in establishing security controls that ensure regular inventory of OT and ICS assets and the establishment of new policies for baseline cybersecurity requirements.
Strengthen Active Directory security: Active Directory is one of the most highly targeted and compromised pieces of infrastructure. Adding more resources towards securing users and identities can greatly minimise the risk from adversarial foreign intelligence services that actively target Active Directory when going after systems.
The attacks on AIIMS, Oil India, Smart City projects and electricity providers underscore the emergence of threats directed at India’s critical infrastructure. In response, the Indian government has proactively channeled resources, earmarking Rs 600 crore for cybersecurity in the 2023-24 budget. While this marks a significant commitment to fortifying cyber defenses, further increased investments in cybersecurity during this fiscal period can propel India towards establishing a more secure cyberspace.