In 2019, one of India’s largest nuclear reactors located at Kudankulam suffered a malware attack that not only breached the plant’s firewalls but also reportedly stole data and information. Though only breaching the administrative network of the plant, and not as catastrophic as other malware attacks such as Stuxnet—the highly sophisticated computer worm most well-known for attacking nuclear centrifuges at Iran’s Natanz facility—this attack posed major concerns to safety measures for nuclear installations around the world. While the attack was eventually attributed to a North Korea-based group, speculation and uncertainty underscored the challenges of pinpointing the source of cyberattacks as well as the potential for cyber threats to exacerbate existing tensions in the region.
The attack at Kudankulam brought to the forefront not only risks of economic sabotage or data theft from malicious actors, but also questions of India and Pakistan’s vulnerabilities to state and non-state actors exploiting weak points in cyber infrastructure. For Pakistan and India these questions are essential in rethinking how they—jointly and independently—aim to address their national security concerns in the 21st century. Kudankulam represents a point in time where both Pakistan and India have a direct interaction with cyber vulnerabilities, which go beyond mere threats of hacking and have the potential the spillover into new security areas. While bilateralism between the two historic rivals will undoubtedly be difficult, as both states look to develop their nuclear energy portfolio and work to secure systems against cyber threats exploring a bilateral framework can be an important first step towards confidence-building measures (CBMs) that begin to address challenges for the future threat environment.
Features of the Cyber Domain
One of the unique features of cybersecurity is that the government’s national security interests and the private sector’s corporate interests may overlap in terms of fears of stolen data, information, or financial resources. An effective cybersecurity system for sensitive installations and their associated subsystems would closely merge corporate and national security interests. Cyber intrusions have the potential to cause panic and risk the theft and subsequent sale or leaking of sensitive information. Therefore, states are required to physically secure their facilities and protect against cyberattacks. As India and Pakistan move ahead with nuclear energy projects, signing agreements and continuing cooperation with their partners, both states will need to take measures to make sure these sites are secure.
Cyber threats also open the door for potential new pathways of escalation as well as new risks of miscalculation or misperception. For this reason, any form of cooperation that could serve as a confidence-building measure (CBM) between India and Pakistan in the cyber domain may be helpful in risk reduction or preemptive attribution in the event of a future cyberattack. The multiple cyberattacks and data breaches at nuclear facilities underscore the extent that accidental or intentional cyber breaches at nuclear facilities have become a new domain nuclear safety. While international organizations like the International Atomic Energy Association (IAEA) have hosted training programs to enhance cybersecurity at nuclear facilities, India and Pakistan need to review their security regimes concerning nuclear power plants within their respective domestic security frameworks.
While bilateralism between the two historic rivals will undoubtedly be difficult, as both states look to develop their nuclear energy portfolio and work to secure systems against cyber threats, exploring a bilateral framework can be an important first step towards confidence-building measures (CBMs) that begin to address challenges for the future threat environment.
Pakistan and India have limited reasons to engage with each other owing to repeated confrontations over the past 50 years, however, as cyber becomes an increasingly important domain any steps towards trust or confidence-building may help mitigate future risks. With foreign technical assistance and partnerships, both Pakistan and India have laid the groundwork for more robust nuclear energy programs. Pakistan and India also have some shared vulnerabilities. Despite significant improvement, both states still are susceptible to insider threats and cybersecurity risks. Illicit activities by non-state actors, weak insider threat prevention, and understanding cybersecurity risks are some of the domains where Pakistan and India could perform better. As highlighted by the Kundankulam incident, these vulnerabilities can be exploited beyond the scope of India-Pakistan’s conventional rivalry. Pakistan and India should adopt a joint learning mechanism under the assistance of the IAEA training programs to understand the real-time risk of cybersecurity lapses within their security frameworks. As attribution is a core challenge of cyberattacks, and India and Pakistan may be more likely to attribute a cyberattack to the other due to their standing trust deficit, these training programs are also essential in outlining mutual understanding against non-attributable or delayed attribution from third-party activities that stand to harm both states’ interests if successfully executed.
Cybersecurity Challenges to Nuclear Installations: Assessing Vulnerabilities
Civilian nuclear installations are both essential commercial establishments and sensitive strategic sites. Such installations are assisted by a complex matrix of services ranging from transmission of electricity, transportation of nuclear materials, and systems monitoring nuclear reactors. Housing such information requires investing resources in physical security and material transportation and addressing cyber-related commercial risks. New domains of national security threats, such as terrorist organizations potentially targeting civilian facilities, commercial and industrial espionage, commercial theft, and inadvertent information breaches, pose substantial risks to the operability of nuclear installations. International organizations like the IAEA, World Association of Nuclear Operators (WANO), and the Rusatom Automated Control Systems have developed training programs to enhance and expand security measures on nuclear installations beyond traditional understanding. States looking to induct more nuclear power plants or manage existing platforms, but lack the financial or technical capabilities to do so, require assisted understanding through international training programs and development of protocols to overcome such challenges. For Pakistan and India, learning from previous cyber-breaches can help preempt vulnerabilities before they can opt for expanding their nuclear power potential.
In installing more reactors, Pakistan and India stand to face associated risks—such as waste disposal, avoiding civilian contamination, meltdowns and natural disasters, material safety, and security—and cyber vulnerabilities that will be a future cause for concern. Despite China and the United States assisting Pakistan and India, respectively, both recipient states’ cybersecurity infrastructure is nascent. Pakistan and India have only announced their cybersecurity policies and both policies can do more to fully address the cybersecurity threats at nuclear facilities. Their policy drafts either generalize nuclear installation security with respect to cybersecurity measures or overlook this dimension.
A further challenge with cybersecurity threats is determining the proper response—particularly to an attack that is difficult to attribute. If a cyberattack is countered by an inappropriate or disproportionate response; this may raise questions on the effectiveness of national security systems in responding to threats or create more uncertainty for future exploitation. Like all other global nuclear facilities, Pakistan and India are also prone to a similar scope of cybersecurity vulnerabilities: theft or financial exploitation, espionage or commercial exploitation, and sabotage or adversarial exploitation. With non-state actor and traditional security concerns operating simultaneously in both countries, cybersecurity vulnerabilities in Pakistan and India require a mutual appraisal of their national security architecture.
Framework for Cooperation in South Asia: The Case for Assisted National Security
The idea that Pakistan and India cannot or will not venture beyond their traditional competitiveness is a major impediment in their ability to fully rationalize the impact of cybersecurity vulnerabilities. As the Kudankulam incident highlights, cyber threats to nuclear energy sites is a threat that South Asia must contend with. Given that both states face similar challenges—such as non-state entities conducting nefarious cyber operations—a bilateral, cooperative understanding of nuclear cybersecurity concerns is a mutual interest. Though Pakistan has not suffered reported cyberattacks on nuclear installations, it has endured a significant number of cyber-related incidents ranging from ransomware hacking of large electricity distribution systems, snooping against secure lines of communication to attacks on financial data centers. Since both countries are in the process of improving their cybersecurity frameworks, Pakistan and India should opt for starting a joint cybersecurity initiative.
Pakistan and India have historically engaged in CBMs to reduce traditional security challenges. Such CBMs, however, have not ventured beyond their mutual arrangement of information sharing through Director-General Military Operations which forms their basic information sharing consistently to static ends. India and Pakistan’s reliance on Track-II or third-party assisted diplomacy has been more pronounced than conventional bilateralism. However, unlike traditional security domains, cybersecurity vulnerabilities — particularly on nonmilitary installations—present the unique challenge of non- attributable attacks. Traditional bilateralism might not work effectively against cybersecurity threats since such intrusions, attacks, or breaches could likely be non-attributable until extensive investigations report otherwise.
The idea that Pakistan and India cannot or will not venture beyond their traditional competitiveness is a major impediment in their ability to fully rationalize the impact of cybersecurity vulnerabilities.
That vulnerabilities are inadequately addressed by both states is in itself an opportunity for India and Pakistan to examine a mechanism to address the issues bilaterally. Previous engagements have mostly attempted to settle strategic issues and were met by rigidness and inflexibility due to each side’s national concerns. However, cybersecurity and nonattributable incidents offer a commercial and industrial approach to non-traditional security mechanisms. Cybersecurity focuses on risk reduction and risk aversion, as well as the virtual security of civilian installations that can be bilaterally maintained without influencing each state’s national security apparatus by focusing on common threats or vulnerabilities. A bilateral cooperative framework for cybersecurity not only accommodates commercial and industrial security but also stands to prevent traditional security fractures that could be caused by non-traditional, non-attributable incidents.
The first level of such a cooperative arrangement can focus on collective learning. Producing a joint academic and technological analysis of cyber-related issues will bolster both countries’ understanding of shared concerns. Following the American model designed under the Cybersecurity and Infrastructure Security Agency (CISA), both states can augment their current disaster management architecture to induct separate agencies to address specific challenges to nuclear cybersecurity. Not only would such an arrangement be out of the ambit of India and Pakistan’s traditional security framework—which is dominated by a bilateral adversarial environment—but it would also provide international stakeholders a means to offer assistance similar to that extended by WANO mission support programs. A joint-understanding approach focused on academic discourse has the potential to improve risk assessment and gaps in current frameworks without upsetting both countries’ national interests. A potential initiative in assisted training programs also allows international stakeholders to combine IAEA assistance and training programs with other possible investors in nuclear technology to increase learning in cybersecurity, computer security, data protection, firewalls and breach incidents, malware, IP spoofing or inadvertent breaches and related incidents. An academic discussion is a possible first step as it does not require formal state sanction—a challenge in South Asia’s security environment—and could provide a base for international involvement, enhance existing literature on the subject, as well as improving confidence between both countries.
The second level would focus on bringing civilian nuclear enterprises to act as Track-II diplomacy mediums. Such a medium will allow both parties to highlight risks posed by nuclear cyberattacks and cyber-related incidents while creating a dynamic platform to continue the conversation over time. Bilateral CBMs, in the eventuality of civilian nuclear enterprises acting as mediums, would address deficiencies in cybersecurity policies of both states from a non-strategic and commercial angle. Cyber CBMs can be three-pronged. First, addressing the commercial necessity of installing bilateral understanding of cyber vulnerabilities. Second, managing standalone and comparative fallout of such an incident on human security aspects. Third, periodically designing and sharing information on possible domestic and international vulnerabilities to such installations from cyberspace. The expansion of nuclear energy projects in India and Pakistan stands to eventually allow the industrial or commercial interests of institutions like the Nuclear Power Corporation of India Limited and the Pakistan Atomic Energy Commission to opt for measures beyond the current ambit of Pakistan Nuclear Regulatory Authority or Indian Atomic Energy Regulatory Board.
With both states experiencing ransomware attacks, hacking, probing and snooping incidents on sensitive information and risks of theft of commercial and essential data from sensitive installations, their cooperative understanding of the issue should be a top consideration.
The third level of cooperation would involve a joint task force on cyberspace to detect and avert civilian installation threats. This joint task force could be further strengthened if both states provide it with institutional backing, as they have done with the Indus Water Commission to address the issues of water distribution. In the case of the Indus Water Commission, both countries were able to agree that there were performance deficiencies and engage in a joint initiative addressing mutual vulnerabilities. This joint task force would focus on threat assessment concerning cybersecurity vulnerabilities based Pakistan and India’s learning on these issues thus far. Given that cyber threats are often anonymous or inadvertent, or focused on commercial or financial gains, attacks on civilian installations are unlikely to trigger a national security response. With material safety and cybersecurity being one of the most crucial factors in indexing compliance to international safety standards, however, such incidents require a deeper appraisal of security concerns. Acceptance of areas of potential improvement may be an avenue for bilateral learning between Pakistan and India towards cyber-vulnerabilities of nuclear facilities. International organization like the IAEA can assist in any bilateral initiatives. Both India and Pakistan can further enhance this three-pronged approach—collective learning, Track II dialogue, and a joint task force—by using it to reflect the dynamic nature of the ever-changing cybersecurity landscape. Such measures would also contribute to a better understanding of the relationship between cyberspace threat perceptions, nontraditional national security, and vulnerabilities to nuclear installations in South Asia.
Pakistan and India cannot afford nuclear disasters which threaten human security, financial capacity, and may pose escalatory risks. With both states experiencing ransomware attacks, hacking, probing and snooping incidents on sensitive information and risks of theft of commercial and essential data from sensitive installations, their cooperative understanding of the issue should be a top consideration. Both states have improved compliance with international safety standards but still their progress is slow with respect to cybersecurity and insider threat perceptions, a common ground that can be constructed to engage in bilateral—albeit assisted—learning of this threat matrix. Cybersecurity and its impact on national security is significant and it stands to present itself more robustly in comparison to traditional rivalries. Pakistan and India need a working solution where they understand and eventually strive to prevent vulnerabilities that can aggravate challenges to their plans for future nuclear energy production.
Editor’s Note: This article is part of series of pieces published in partnership with CRDF Global. Articles for the series, written by recipients of the CRDF-SAV research grant in nuclear security, cover topics ranging from cyber security at civilian nuclear energy sites, regional and international cooperation in South Asia, to personnel protection at nuclear sites, and other topics related to nuclear security on the subcontinent.
Image 1: via Pixabay