The Scorpene submarine leak is a reminder of a basic flaw in India’s weapons acquisition and digitisation: a lack of expertise in cyber security and data encryption.
Recently, technical and operational specifications of the Scorpene class submarine that India is buying from DCNS — a naval shipbuilder two-thirds owned by the French government — were leaked to The Australian newspaper.
The incident follows the Modi administration’s launch of an AU$150 billion (US$113 billion) program to modernise the armed forces. It is a timely reminder of a basic flaw in India’s weapons acquisition and digitisation: a lack of expertise in cyber security and data encryption.
DCNS recently won the AU$50 billion (US$37 billion) contract to build the next generation of twelve submarines for Australia. Though the United States remained publicly neutral during the bidding process, privately it advised Australia against France because, as was widely reported, France was not careful enough with its military secrets.
The initial reaction of the Indian Defence Minister, Manohar Parrikar, was that the leak was ‘not a big worry’. He added that India was not the source of the leak, implying there was nothing to worry about. The following day Parrikar blamed The Australian for causing embarrassment by breaking the story.
Articles and commentaries eventually forced the defence establishment to admit that the leak was a serious matter and that the effectiveness of Scorpene class submarines has been severely compromised. The enormity of the damage done by this leak is dawning on New Delhi: on 4 September Parrikar cancelled the proposed purchase of a further three submarines.
But this is not the first such cybersecurity breach in India. In March 2010, Minister of State for Communications and IT, Sachin Pilot, told reporters that government networks had been attacked by China but that ‘not one attempt has been successful’. For nearly a year prior to Pilot’s assertion, a US–Canada team of cyber spy-hunters had been tracking the activities of a southern China-based cyber espionage gang that was mainly targeting India.
The gang, most likely from China’s prestigious University of Electronic Science and Technology, had in fact accessed the Ministry of Defence’s vast array of computers and stolen the design and other technical details of several Indian missile systems. They accessed documents relating to the security outlook of Nagaland, Assam, Tripura, Manipur, and other Indian states.
The gang also targeted organisations including the Ministry of External Affairs, India’s United States embassy, and even companies like Tata Group, DLF, and YKK India. New Delhi only learnt of this theft when the US–Canada cyber spy-hunters informed it.
The US–Canada team published their findings in a report in 2010. The report reinforced that weak security in one group can result in the theft of data from another organisation. This is why experts find it so hard to pinpoint the original source of cyber spying and why countries active in cyber espionage are able to refute such accusations.
Cyber security is not achieved merely by installing firewall and anti-virus software. It is a work in progress, and so the security architecture of an organisation’s computers must be monitored constantly. Yet it seems that no serious effort has been made by India to remedy the situation since the report was published.
Last year, the Australian Strategic Policy Institute (ASPI) published a report on the cyber maturity of the Asia Pacific region. In the ASPI report, India scores 4 out of 10 on each of four critical aspects of cyber security, well below the scores of China, Japan and Singapore. These aspects include the organisational structure of cyber matters, the accessibility of cyber security assistance, the existence of a cyber crime centre and financial cyber crime laws and, finally, the extent of the military’s role in cyber security.
India’s overall weighted cyber maturity ranking was 50 — well below countries like Australia (79.9), New Zealand (72.8), Japan (85.1), China (64) and even Brunei (51).
The monitoring of social media is another weak spot in India’s cyber security architecture. For example, in the case of Mehdi Masroor Biswas, an Islamic State sympathiser and Bangalore’s most prolific jihadi tweeter, India only knew of his existence after British journalists tracked him down and informed Indian authorities that he had been arrested.
India suffers from a skills shortage in cyber security. According to a secret paper prepared by the National Security Council Secretariat in 2013, India employed only 556 cybersecurity experts in all organisations in the government domain. By comparison, China employed 125,000 and the United States 91,080.
Cyber security is not merely a technical or software problem. Besides knowledge of information technology, it requires appreciation of a range of disciplines including engineering and sociology. When dealing with state-sponsored cyber hackers, experts need an understanding of a range of factors including that country’s psychology, motives, political decision-making processes and the depth of its expertise and resources.
India has close defence and economic ties with both Israel and the United States. They are leaders in cyber security. The Indian government should actively encourage cyber security firms from these countries to bid for business in India, pass on their expertise to indigenous firms, and help set up start-up firms in this rapidly growing field.
India aspires to be a global power, a superpower in computer software and hardware developments, a hub for advanced manufacturing systems and an E-commerce specialist. To realise all these aspirations, India must first tackle its skills gap and adopt a more long-term strategy.
This article was republished from Eastasiaforum.org. Dr. Vidya Sharma is an advisor on country risk management and inter-country joint ventures.