The supreme art of war is to subdue the enemy without fighting.
― Sun Tzu, The Art of War
Many moons ago, during a long chat with the former head of a People’s Liberation Army thinktank in Shanghai on the possibility of another India-China war, I recall being told that modern war no longer involves putting boots on the ground or “occupying enemy territory”.
When I asked him to elaborate, he simply asked: “Have you seen Die Hard 4?”
Also known as Live Free or Die Hard, the fourth of the Hollywood action series starring Bruce Willis revolved around cyber-terrorists infiltrating America’s computer-controlled national infrastructure and creating massive chaos and mayhem across the country by disrupting power, traffic signals and more, until NY/LAPD cop John McClane, played by Mr Willis, manages to save the day.
The Ukraine crisis, which essentially involves annexation of territory, proved the first part of the Chinese academic’s assertion wrong.
But I was reminded of that conversation when I heard about a spate of cyber attacks on Indian institutions and assets recently, including on the All India Institute of Medical Sciences, or AIIMS, the country’s premier medical institution, on Nov 23, and subsequent attempts to infiltrate India’s top medical research organisation, the Indian Council of Medical Research.
While no doubt disruptive, how, you might ask, does that constitute a threat to national security?
To answer that question, let’s look at what happened at the AIIMS, which treats thousands of people every day. One media report quoted the AIIMS management as saying the ransomware attack had “affected outpatient and inpatient digital hospital services, including smart lab, billing, report generation, appointment scheduling”. Another said the attackers had demanded Rs 200 crore in crypto-currency to restore access.
Apart from causing major chaos with doctors unable to access reports and schedules online, it seems the attackers accessed over four crore, or 40 million, patient profiles, including those of VVIPs and senior government officials who frequent the hospital.
As the AIIMS limps slowly back to normal after fortifying its cyber defences, the Indian Computer Emergency Response Team (CERT-IN), Indian Cybercrime Coordination Centre, Intelligence Bureau, Central Bureau of Investigation and National Investigation Agency are among the multiple agencies investigating the attack.
In its India Ransomware Report 2022, CERT-IN notes that there has been a 51% increase in the number of ransomware attacks across multiple sectors, including critical infrastructure, over the first half of 2022 alone.
Now imagine if this were just a test run. And that tomorrow, or the day after, not just every hospital on the system, but airports, the stock market, the power grids, all went down at the same time across the country.
On Oct 12, 2020, India’s financial capital Mumbai was hit by a massive power outage which disrupted local trains and metro services and shut down stock exchanges and hospitals for hours. It also switched off CCTVs and traffic signals, throwing life out of gear for over two hours before power was restored. Colaba, Mahim, Bandra and several other areas from Mumbai to Thane were affected. Several areas in suburban and central Mumbai faced outages for almost 12 hours.
On Mar 1 the next year, Maharashtra Energy Minister Nitin Raut admitted that a report in The New York Times claiming that the outage could have been due to a cyber attack from China was probably true, and that the State Government had "formed three committees to inquire into the matter".
The NYT report, quoting Recorded Future, a Massachusetts-based company that reviews online digital threats, said the malware was being inserted into the control systems responsible for power supply across the country, at a time when Indian and Chinese troops were engaged in an eyeball-to-eyeball confrontation along the Line of Actual Control in eastern Ladakh, where some of the worst clashes since the 1962 war had led to the death of 20 Indian soldiers in June that year.
Recorded Future said the malware, traced to China-linked threat activity group RedEcho, was planted in major power plants in India. “Chinese malware was seen flowing into the control systems that manage electric supply across India, along with a high voltage transmission substation and a coal-fired power plant,” it said. It added that most of the malware was never activated, and that only a small proportion of it led to the Mumbai electricity outage.
The NYT report quoted Lt Gen Deependra Singh Hooda, then GOC, Northern Command, as saying that “I think the signalling is being done that we can and we have the capability to do this in times of crisis... it is like sending a warning to India that this capability exists with us.”
So regardless of whether the AIIMS attack was done by the Chinese or by a random criminal group seeking ransom, the fact remains that China — and its supplicant state Pakistan — clearly has the capability to cause massive disruptions in India without ever having to fire a shot, leave alone putting boots on the ground.
Of course, India is not sitting idle, with reports claiming several cyber attacks on digital military and civilian infrastructure assets in China, Pakistan and even Nepal and Bangladesh originated from Indian hacking networks with exotic names like Sidewinder, Lookout, Sunbird and Hornbill.
But as India races towards a digital future, with ever increasing dependence on connected networks and tools to power its progress, the AIIMS attack underlines that it is also becoming increasingly vulnerable. And if Recorded Future is correct, like sleeper cells, some of the Chinese malware is already lurking in our systems, just waiting to be activated. And John McClane is too busy saving America to come save us.
Ramananda Sengupta is a foreign and strategic affairs analyst