The Mumbai hack showed complete disregard for collateral damage.
Washington, DC: Did China cause the blackouts in Mumbai last year? Nearly six months later, the answer is still unclear, but if recent reports that a Chinese cyber operation bears partial responsibility are accurate, Beijing just signalled a willingness to use its cyber power to target civilian lifeline infrastructure during a crisis. Even more worrying, the hackers used hard-to-control cyberattack tools in a destructive manner against a nuclear-armed country, India.
In a report last month, threat analysts at the cybersecurity firm Recorded Future detailed their discovery of China’s systematic penetration of India’s electricity infrastructure. Given that the intrusions coincided with the border skirmishes in the disputed area of Galwan Valley, the Chinese hackers appear to have targeted nodes of India’s electric grid to demonstrate Beijing’s capabilities and to convince New Delhi that it should not oppose China’s claims over the area.
Without analysis of the malware or confirmation from Indian officials, we will not know if malware was responsible for the Mumbai blackout, if the outage was caused by operator error while responding to the malware, or if some combination of the two was to blame. But the possibility that Chinese hackers planted malware in India’s grid that has no economic or espionage value suggests that Beijing had malicious intent, aiming either to coerce New Delhi by threatening the country’s critical infrastructure or to activate the malware and cripple India’s strategic capabilities.
The breach of critical infrastructure is more concerning than the recent Russian espionage exploiting SolarWinds and other software supply chain vulnerabilities. While the SolarWinds hack helped Russia gain insight into US decision-making practices and sensitive information, Moscow’s hackers were targeted and methodical in their exploitation of America’s cyber vulnerabilities, wary of causing collateral damage.
By contrast, the Mumbai hack showed complete disregard for collateral damage. In fact, since then, Beijing has demonstrated similar disregard in its breach of Microsoft earlier this year, which exposed vulnerabilities in thousands of companies for criminal actors to exploit. The Microsoft operation appears to be Beijing’s latest effort to conduct espionage and widespread intellectual property theft as part of China’s decades-long cyber-enabled economic warfare campaign, which has undermined the long-term economic and national security of the United States and its allies and partners. In addition to intellectual property theft, the Chinese have conducted aggressive efforts to steal American citizens’ personal data, collecting as much information as possible for further exploitation and analysis.
Four years ago, the world witnessed how a similar disregard for collateral damage in a disruptive and destructive attack could spiral beyond an attacker’s control. In 2017, Russian state hackers targeted Ukraine’s banks and federal agencies using NotPetya ransomware to punish Kyiv and destabilize the country. The operation immediately had unintended consequences, spreading to the electrical power infrastructure. Forensic analysis of the malware revealed that because the hackers used a computer worm with the ransomware package, it inadvertently and indiscriminately infected machines elsewhere in Ukraine and then moved outside Ukraine, causing significant economic damage across Europe.
The lack of attacker controls to limit which machines were infected could have led to significant escalation. Had the ransomware spread even more aggressively, the United States and its European allies might have chosen to respond with actions beyond economic sanctions, such as a cyber response in kind or another form of escalation. At the time, Russia appeared to have signalled it was willing to take that risk to punish a recalcitrant neighbour.
Last year’s Cyberspace Solarium Commission report urged Congress and the White House to issue a declaratory policy that clarifies what cyber activity Washington finds unacceptable and more clearly conveys US intent and willingness to respond to attacks against the United States and its allies and partners. America must reinforce this declaration with a rapid and effective system for attributing malicious behaviour, and by ensuring it has the appropriate coordination, authorities, and capabilities in place to enable quick offensive and defensive responses to malicious cyber activity.
China’s contesting of norms in cyberspace appears to risk miscalculation and potentially significant escalation. This irresponsible behaviour is especially worrisome from a nuclear-armed state. The United States needs to firmly establish the declaratory and signalling guidance recommended by the Cyberspace Solarium Commission or risk allowing its adversaries to continue to define the terms of acceptable behaviour in cyberspace. In such a world, the American people, and citizens of our allies and partners like India, would have to live with the risk that a nuclear-armed adversary could accidentally trigger escalation or take steps that cripple civilian critical infrastructure in times of crisis.
Mark Montgomery is senior director of the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD), where Trevor Logan is a cyber research analyst. FDD is a nonpartisan research institute focused on national security and foreign policy. Follow Mark and Trevor on Twitter @MarkCMontgomery and @TrevorLoganFDD.