Originally published in South Asian Voices
Editor’s Note: This commentary is part of a special series originally published on the South Asian Voices website, focusing on regional cybersecurity priorities and threats. It is a collaboration between Stimson’s Cyber and South Asia programs, in partnership with Global Affairs Canada as part of ongoing work on cyber accountability.
By Allison Pytlak, Senior Fellow and Director, Cyber Program
Today our lives are inextricably linked to the digital space; cyber governs almost everything we do. From simple text messages and email to booking a gym class or accessing health information via an app to controlling critical infrastructure, our interaction with the digital space is tremendous—both at a daily human level and at a national governance or global institution and market level. A disruption to any of these interactions, from internet outages to attacks on critical infrastructure, could have serious implications for governments, businesses, and human security.
Threats to Critical Infrastructure Today
The recent power grid outage in peninsular Spain and mainland Portugal, which lasted almost 24 hours, was one of the worst failures in Europe in over two decades. Lives were lost and thousands affected, with the loss of power impacting everything from communications to transport and transit as well as medical and emergency services. While investigations are underway to determine the exact cause of the blackout and a cyber attack has primarily been ruled out, the nature of our dependency on the digital space is on stark display. Closer home, the cyber attack at the All India Institute of Medical Sciences in New Delhi in 2023 that wiped outpatient and research data is also instructive. The vulnerability of critical infrastructure to natural hazards and environmental degradation or even deliberate attacks by government and non-state actors is a reality that cannot be ignored.
Cybersecurity is not only about national security, securing financial institutions or data privacy, but also about protecting infrastructure, resources and human lives and livelihood.
Vital resources from water to energy to electricity as well as travel and transit infrastructure such as ports, airlines and shipping are being attacked globally, sometimes as a demonstration of force and destruction or to instill fear. Such attempts are not new. The Islamic State (ISIS) seized large dams, reservoirs and electricity grids to achieve military aims throughout 2013 and 2014. In 2021, a hacker tried to poison the water supply in Florida by controlling the online systems. Technology has made us and our resources both safer and more open to newer forms of risk.
Extreme weather events and natural hazards can also be a risk to infrastructure, leading to potentially devastating damage. This could be from storms, earthquakes, heatwaves, lightning strikes that affect substations, power or internet lines, and dams and other critical resources that are necessary for everyday stability. The risk of these events occurring is on the rise as manifestations of the environmental crisis increase in frequency and severity. While we increase our resilience to climate vagaries, we also need to ensure that our critical infrastructure and resources are well protected from emerging and innovative cyber threats.
Cybersecurity is not only about national security, securing financial institutions or data privacy, but also about protecting infrastructure, resources and human lives and livelihood. Cyber attacks on water infrastructure or electricity or network grids could affect the availability of that resource. While water has in the past been used as a tool and a weapon by state and non-state actors to exercise control, as our infrastructure is increasingly more enmeshed with technology, the lack of proper cyber security creates new vulnerabilities and threats. The manifestation of disruptions and threats to assets and essential delivery services such as communications or financial services, food or water or energy, transportation or others are multi-fold. They impact everyone, and to a large extent have a greater impact on women and other vulnerable populations.
South Asia’s Digital Growth and Interconnectedness
While in many ways South Asia has some of the lowest levels of regional cooperation, the rapid pace of growth is leading to more digitalization. South Asia, especially India, Pakistan and Bangladesh, has some of the highest growth in digital consumption, largely due to its young population, high mobile penetration, and rapid adoption of financial services using smartphones. As of December 2024, India’s internet subscribers were at 970 million, with a compounded annual data consumption growth of 54 percent. In Bangladesh, the internet penetration is at 50 percent of households; social media users represent around 30 percent of population and growing. There are national-level initiatives like India’s National Digital Communication Policy and Bangladesh’s National ICT Strategy, amongst others across the region, that, while still having a long way to go in terms of implementation, are pushing for rapid digital growth.
The other aspect of this growth is the accompanying rise in cyberattacks and digital scams in the region. Financial institution scams have been growing and are some of the largest sources of money lost. For instance, in just the first four months of 2024, Indians lost more than USD 17.6 billion to cyber criminals, reported through over 740,000 complaints to the National Cybercrime Reporting Portal. The growing appetite for life on the internet, especially in the post-Covid environment, has led to growing usage, which in turn has resulted in increasing vulnerability to attacks from both internal and external forces.
But cybercrime and hostile cyber activity are limited not only to individuals and institutions, but also encompasses government entities, including critical infrastructure. According to the Indian Ministry of Electronics and IT, cyberattacks on Indian government entities increased by 138 percent between 2019 and 2023, going from 85,797 incidents in 2019 to 204,844 in 2023. The 2019 cyber attack on a nuclear power plant in Kudankulam, Tamil Nadu, and the 2020 attack on Maharashtra’s electricity grid that lead to a massive power outage in Mumbai and other cities is a stark reminder of the vulnerability that still exists in our systems and the strategic damage that can be caused. Safeguarding critical infrastructure ensures basic functioning of society where any disruption can have several cascading risks and consequences for communities.
This is not only within a country but also across the region that is seeing more sectoral collaboration, especially in inland navigation, power grids and electricity transfers. In October 2024, a trilateral power sharing agreement between Kathmandu, Dhaka, and New Delhi formally opened a new frontier in energy trade between Nepal and Bangladesh via an Indian grid as part of which Nepal will export 40 megawatts of electricity annually to Bangladesh for a period of five years. The grid runs via a short Indian stretch that territorially separates the two countries. While a landmark agreement that paves the way for greater energy cooperation between the three countries, it also opens up the possibility of greater threats. Any attack on one could have a spillover effect on others.
Over the last several years, there has also been greater connectivity between parts of the region through inland navigation. In 2016, India passed the National Waterways Act and has been developing both the main Ganga and Brahmaputra Rivers along with major tributaries with new watercourses and infrastructure for a greener and cheaper alternative to overland transportation. Bangladesh is also improving its inland waterways that carry about 80 percent of all bulk cargo. The 1972 Indo-Bangladesh Protocol for Inland Water Transit and Trade, which was revived in 2015, has the potential to drastically improve the movement of goods and people across the eastern regions of South Asia—opening up new forms of connectivity for India, revenue for both India and Bangladesh, and new markets for landlocked Nepal and Bhutan. The development of an eastern water grid will also involve key infrastructure such as ports, vital services, telecommunication channels and other ancillary assets over time to support localized development and growth, all of which are now increasingly on the grid.
Any risks to these forms of infrastructure would affect the entire population dependent on them, and more so the vulnerable sections of society, leading to enhanced cycles of poverty and other socio-economic risks. Robust infrastructure is necessary for the growth of the economies of South Asia that still lag behind, but any disruption may have severe consequences for the immediate community, in terms of economy, services and safety. In South Asia, where women are still the primary caregivers and homemakers and are responsible for water security as well as the health and wellbeing of their families; any such disruption could affect their ability to provide for their homes and communities. This could also potentially reinforce a new cycle of violence.
Recommendations and Way Forward
The recent discourse on security measures for critical infrastructure has primarily been around critical information infrastructure and systems, given that the most recurrent targets are financial or data-centric in nature. The other key aspect of this dialogue, not always public or transparent, is around the measures needed by governments to safeguard military and security-related systems. However, while these are important, there is also a need to revamp our understanding of what critical infrastructure is down to the last mile and how we can ensure that security measures are well-considered. For instance, when thinking about the security of an energy grid, it is not only about the grid itself or the area of energy production, but the extent of its supply chain.
A whole of society approach is needed to build a culture where cybersecurity is improved and integrated within all aspects of life, both from the bottom up and from the top down. If we were to see cyber security as a medium to keep all critical assets secure and resilient from both human and environmental threats, we need to widen the discourse and stakeholders involved in that discourse.
The understanding of cyber security and its relationship with critical infrastructure beyond institutions is limited. This would fundamentally require a clear and transparent picture of assets, including a broader framework and definition of what is considered an asset. The 2018 Australian Security of Critical Infrastructure Act and other similar global efforts offer interesting ideas and frameworks, which can be adapted to relevant contexts in South Asia. In countries like India, Bangladesh or Sri Lanka, where such data exists in a de-centralized manner, such a framework can help in the identification and comprehensive risk assessment of assets. While India might have a number of laws, policies and projects to combat cyber threats, accompanied by a rising budget to tackle these issues, collaboration with and integration amongst different government entities as well as with industry verticals remain weak. Elsewhere in the region, Nepal has seen an increase in cybercrime and cyber fraud over the last few years and despite a National Cybersecurity Policy, the country is severely limited by outdated legal frameworks as well as lack of awareness, education and interagency collaboration. Given that the development of various sectors is conducted by separate government agencies, systems do not always speak to each other, fundamentally hampering the effective implementation of well-intentioned laws and policies.
A whole of society approach is needed to build a culture where cybersecurity is improved and integrated within all aspects of life, both from the bottom up and from the top down. If we were to see cyber security as a medium to keep all critical assets secure and resilient from both human and environmental threats, we need to widen the discourse and stakeholders involved in that discourse. This needs to range from securing infrastructure that provides basic services and resources like water and electricity from mundane threats as well as the cascading risks from erratic weather hazards. Many hazards are transboundary in nature, from cyclones to flooding to earthquakes, and as countries in the region collaborate to build joint early warning systems or share hazard communications, there needs to be more collaboration on cyber security systems. As countries in the subcontinent integrate further and establish joint infrastructure, the latest technological and construction innovations must be incorporated into maintaining existing and developing new critical infrastructure.
As threats multiply and diversify, so should our response mechanisms. As we integrate various forms of artificial intelligence into our systems, technology becomes a key factor to consider in the critical infrastructure-security-climate nexus. With a lot of this infrastructure yet to be built in the region, South Asia has an opportunity to get it right from the get-go.
Originally published in South Asian Voices
Editor’s Note: This commentary is part of a special series originally published on the South Asian Voices website, focusing on regional cybersecurity priorities and threats. It is a collaboration between Stimson’s Cyber and South Asia programs, in partnership with Global Affairs Canada as part of ongoing work on cyber accountability.
By Allison Pytlak, Senior Fellow and Director, Cyber Program
Today our lives are inextricably linked to the digital space; cyber governs almost everything we do. From simple text messages and email to booking a gym class or accessing health information via an app to controlling critical infrastructure, our interaction with the digital space is tremendous—both at a daily human level and at a national governance or global institution and market level. A disruption to any of these interactions, from internet outages to attacks on critical infrastructure, could have serious implications for governments, businesses, and human security.
Threats to Critical Infrastructure Today
The recent power grid outage in peninsular Spain and mainland Portugal, which lasted almost 24 hours, was one of the worst failures in Europe in over two decades. Lives were lost and thousands affected, with the loss of power impacting everything from communications to transport and transit as well as medical and emergency services. While investigations are underway to determine the exact cause of the blackout and a cyber attack has primarily been ruled out, the nature of our dependency on the digital space is on stark display. Closer home, the cyber attack at the All India Institute of Medical Sciences in New Delhi in 2023 that wiped outpatient and research data is also instructive. The vulnerability of critical infrastructure to natural hazards and environmental degradation or even deliberate attacks by government and non-state actors is a reality that cannot be ignored.
Cybersecurity is not only about national security, securing financial institutions or data privacy, but also about protecting infrastructure, resources and human lives and livelihood.
Vital resources from water to energy to electricity as well as travel and transit infrastructure such as ports, airlines and shipping are being attacked globally, sometimes as a demonstration of force and destruction or to instill fear. Such attempts are not new. The Islamic State (ISIS) seized large dams, reservoirs and electricity grids to achieve military aims throughout 2013 and 2014. In 2021, a hacker tried to poison the water supply in Florida by controlling the online systems. Technology has made us and our resources both safer and more open to newer forms of risk.
Extreme weather events and natural hazards can also be a risk to infrastructure, leading to potentially devastating damage. This could be from storms, earthquakes, heatwaves, lightning strikes that affect substations, power or internet lines, and dams and other critical resources that are necessary for everyday stability. The risk of these events occurring is on the rise as manifestations of the environmental crisis increase in frequency and severity. While we increase our resilience to climate vagaries, we also need to ensure that our critical infrastructure and resources are well protected from emerging and innovative cyber threats.
Cybersecurity is not only about national security, securing financial institutions or data privacy, but also about protecting infrastructure, resources and human lives and livelihood. Cyber attacks on water infrastructure or electricity or network grids could affect the availability of that resource. While water has in the past been used as a tool and a weapon by state and non-state actors to exercise control, as our infrastructure is increasingly more enmeshed with technology, the lack of proper cyber security creates new vulnerabilities and threats. The manifestation of disruptions and threats to assets and essential delivery services such as communications or financial services, food or water or energy, transportation or others are multi-fold. They impact everyone, and to a large extent have a greater impact on women and other vulnerable populations.
South Asia’s Digital Growth and Interconnectedness
While in many ways South Asia has some of the lowest levels of regional cooperation, the rapid pace of growth is leading to more digitalization. South Asia, especially India, Pakistan and Bangladesh, has some of the highest growth in digital consumption, largely due to its young population, high mobile penetration, and rapid adoption of financial services using smartphones. As of December 2024, India’s internet subscribers were at 970 million, with a compounded annual data consumption growth of 54 percent. In Bangladesh, the internet penetration is at 50 percent of households; social media users represent around 30 percent of population and growing. There are national-level initiatives like India’s National Digital Communication Policy and Bangladesh’s National ICT Strategy, amongst others across the region, that, while still having a long way to go in terms of implementation, are pushing for rapid digital growth.
The other aspect of this growth is the accompanying rise in cyberattacks and digital scams in the region. Financial institution scams have been growing and are some of the largest sources of money lost. For instance, in just the first four months of 2024, Indians lost more than USD 17.6 billion to cyber criminals, reported through over 740,000 complaints to the National Cybercrime Reporting Portal. The growing appetite for life on the internet, especially in the post-Covid environment, has led to growing usage, which in turn has resulted in increasing vulnerability to attacks from both internal and external forces.
But cybercrime and hostile cyber activity are limited not only to individuals and institutions, but also encompasses government entities, including critical infrastructure. According to the Indian Ministry of Electronics and IT, cyberattacks on Indian government entities increased by 138 percent between 2019 and 2023, going from 85,797 incidents in 2019 to 204,844 in 2023. The 2019 cyber attack on a nuclear power plant in Kudankulam, Tamil Nadu, and the 2020 attack on Maharashtra’s electricity grid that lead to a massive power outage in Mumbai and other cities is a stark reminder of the vulnerability that still exists in our systems and the strategic damage that can be caused. Safeguarding critical infrastructure ensures basic functioning of society where any disruption can have several cascading risks and consequences for communities.
This is not only within a country but also across the region that is seeing more sectoral collaboration, especially in inland navigation, power grids and electricity transfers. In October 2024, a trilateral power sharing agreement between Kathmandu, Dhaka, and New Delhi formally opened a new frontier in energy trade between Nepal and Bangladesh via an Indian grid as part of which Nepal will export 40 megawatts of electricity annually to Bangladesh for a period of five years. The grid runs via a short Indian stretch that territorially separates the two countries. While a landmark agreement that paves the way for greater energy cooperation between the three countries, it also opens up the possibility of greater threats. Any attack on one could have a spillover effect on others.
Over the last several years, there has also been greater connectivity between parts of the region through inland navigation. In 2016, India passed the National Waterways Act and has been developing both the main Ganga and Brahmaputra Rivers along with major tributaries with new watercourses and infrastructure for a greener and cheaper alternative to overland transportation. Bangladesh is also improving its inland waterways that carry about 80 percent of all bulk cargo. The 1972 Indo-Bangladesh Protocol for Inland Water Transit and Trade, which was revived in 2015, has the potential to drastically improve the movement of goods and people across the eastern regions of South Asia—opening up new forms of connectivity for India, revenue for both India and Bangladesh, and new markets for landlocked Nepal and Bhutan. The development of an eastern water grid will also involve key infrastructure such as ports, vital services, telecommunication channels and other ancillary assets over time to support localized development and growth, all of which are now increasingly on the grid.
Any risks to these forms of infrastructure would affect the entire population dependent on them, and more so the vulnerable sections of society, leading to enhanced cycles of poverty and other socio-economic risks. Robust infrastructure is necessary for the growth of the economies of South Asia that still lag behind, but any disruption may have severe consequences for the immediate community, in terms of economy, services and safety. In South Asia, where women are still the primary caregivers and homemakers and are responsible for water security as well as the health and wellbeing of their families; any such disruption could affect their ability to provide for their homes and communities. This could also potentially reinforce a new cycle of violence.
Recommendations and Way Forward
The recent discourse on security measures for critical infrastructure has primarily been around critical information infrastructure and systems, given that the most recurrent targets are financial or data-centric in nature. The other key aspect of this dialogue, not always public or transparent, is around the measures needed by governments to safeguard military and security-related systems. However, while these are important, there is also a need to revamp our understanding of what critical infrastructure is down to the last mile and how we can ensure that security measures are well-considered. For instance, when thinking about the security of an energy grid, it is not only about the grid itself or the area of energy production, but the extent of its supply chain.
A whole of society approach is needed to build a culture where cybersecurity is improved and integrated within all aspects of life, both from the bottom up and from the top down. If we were to see cyber security as a medium to keep all critical assets secure and resilient from both human and environmental threats, we need to widen the discourse and stakeholders involved in that discourse.
The understanding of cyber security and its relationship with critical infrastructure beyond institutions is limited. This would fundamentally require a clear and transparent picture of assets, including a broader framework and definition of what is considered an asset. The 2018 Australian Security of Critical Infrastructure Act and other similar global efforts offer interesting ideas and frameworks, which can be adapted to relevant contexts in South Asia. In countries like India, Bangladesh or Sri Lanka, where such data exists in a de-centralized manner, such a framework can help in the identification and comprehensive risk assessment of assets. While India might have a number of laws, policies and projects to combat cyber threats, accompanied by a rising budget to tackle these issues, collaboration with and integration amongst different government entities as well as with industry verticals remain weak. Elsewhere in the region, Nepal has seen an increase in cybercrime and cyber fraud over the last few years and despite a National Cybersecurity Policy, the country is severely limited by outdated legal frameworks as well as lack of awareness, education and interagency collaboration. Given that the development of various sectors is conducted by separate government agencies, systems do not always speak to each other, fundamentally hampering the effective implementation of well-intentioned laws and policies.
A whole of society approach is needed to build a culture where cybersecurity is improved and integrated within all aspects of life, both from the bottom up and from the top down. If we were to see cyber security as a medium to keep all critical assets secure and resilient from both human and environmental threats, we need to widen the discourse and stakeholders involved in that discourse. This needs to range from securing infrastructure that provides basic services and resources like water and electricity from mundane threats as well as the cascading risks from erratic weather hazards. Many hazards are transboundary in nature, from cyclones to flooding to earthquakes, and as countries in the region collaborate to build joint early warning systems or share hazard communications, there needs to be more collaboration on cyber security systems. As countries in the subcontinent integrate further and establish joint infrastructure, the latest technological and construction innovations must be incorporated into maintaining existing and developing new critical infrastructure.
As threats multiply and diversify, so should our response mechanisms. As we integrate various forms of artificial intelligence into our systems, technology becomes a key factor to consider in the critical infrastructure-security-climate nexus. With a lot of this infrastructure yet to be built in the region, South Asia has an opportunity to get it right from the get-go.
