Risk intelligence (08/03/2021) - India

Our risk intelligence specialists, led by Ian BETTS, take a 24/7 coverage approach to local, regional and global emerging threats and occurrences. Below is a small sample of our reporting, and you can discuss gaining comprehensive material through our risk intelligence function, and by using our 247 App.

CYBERATTACK SUSPECTED IN MUMBAI BLACKOUT: RISK IMPACT

Background

Last week, The New York Times published an article detailing the possibility that a city-wide grid failure in Mumbai last year that left millions without power for several hours could have been the result of a cyberattack.

Much of the story is based on an analytical report by cyber threat research firm, Recorded Future.

The report described a substantial increase in suspected “targeted intrusion activity” directed at Indian assets, primarily in the power sector, from state-sponsored hacking groups, but noted that no link between the outage and a cyberattack has been substantiated.

A government minister from the state of Maharashtra, where Mumbai is located, said that authorities were investigating “Trojan horse” programs found on power system networks, but the Ministry of Power denied any connection to the outage. India’s national Computer Emergency Response Team (CERT-In) has remained silent on the matter.

Hill and Associates analysis

In our view, it is unlikely that the Indian government will publicly disclose the role of any cyberattack in the Mumbai blackout, if indeed it did play a role, or provide the kind of detailed technical information that would enable a third party to reach a conclusion, as such a decision would create new risks.

Operationally, divulging details could provide attackers with valuable feedback as to the effectiveness of their techniques, as well as vulnerabilities in India’s critical infrastructure.

Politically, acknowledging a successful attack could be damaging at home and abroad – the government and CERT-In, for instance, may have incentive to downplay recent findings.

On the other hand, the cyber threat narrative, even with an unproven incident, is powerful and politically useful, and may have a policy impact.

First, and most obviously, the ban on the importation of power equipment, introduced last July, is now more unlikely to be lifted. Rules and regulations regarding critical infrastructure equipment in the grid and other areas could very well expand.

Non-critical areas and everyday consumer technology may also be impacted: it is worth noting that the difficult nature of understanding cyber risks allows for security explanations to more easily be offered for decisions that may in fact be politically driven, for example the blocking of consumer mobile apps.

While less direct and impactful, the narrative also contributes to the general anti-foreign sentiment allowing for the acceptance of retaliatory measures that inflict collateral damage.

India’s Economic Times reported that the government is considering relaxing FDI rules somewhat, but only “to a limited extent where local manufacturing units don’t have sufficient capacity or in sectors extremely crucial to India’s interests.”

These rules may be quite unpopular with the business community, and even some provincial governments that rely heavily on foreign investment.

Going forward, we foresee this particular area of tension becoming more relevant, and key source of uncertainty for foreign investors in India.

More Conflict?

Cyberattacks going both ways will certainly continue. In fact, the cyber element of the recent border crisis is perhaps underappreciated: the Recorded Future report makes note of suspected Indian cyber efforts to target foreign government and military entities in the same timeframe. This activity is also likely to drive continued tightening of regulation, and further economic and diplomatic retaliation.

At the border itself, efforts at disengagement have so far proven successful, and this week the two sides established a crisis hotline between their respective foreign ministers. These developments further shift our attention to long-term policy outcomes and their impact on trade and investment, and away from the risk of physical confrontation.