Study Guide: UPSC GS Paper III: Internal Security, Cyber Warfare and Hybrid Threats
Source: https://www.fatskills.com/upsc-civil-services-examination-cse/chapter/upsc-gs-paper-iii-internal-security-cyber-warfare-and-hybrid-threats

UPSC GS Paper III: Internal Security, Cyber Warfare and Hybrid Threats

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


Must-Know

  • Cyber warfare involves state-sponsored or non-state actors conducting cyber operations to disrupt, degrade, or destroy information systems of another nation; exemplified by Stuxnet (2010), a joint US-Israel operation targeting Iran’s nuclear centrifuges.
  • India’s National Cyber Security Policy (NCSP) was launched in 2013 with the objective of creating a secure cyber ecosystem and reducing vulnerabilities through CERT-In as the nodal agency.
  • The Indian Computer Emergency Response Team (CERT-In) functions under the Ministry of Electronics and Information Technology (MeitY) and was established under Section 70B of the Information Technology (Amendment) Act, 2008.
  • The IT (Amendment) Act, 2008 introduced Section 66F, defining cyber terrorism as unauthorized access to critical information infrastructure with intent to threaten unity, integrity, sovereignty or security of India.
  • Critical Information Infrastructure (CII) is defined under Section 70 of the IT Act, 2008; the National Critical Information Infrastructure Protection Centre (NCIIPC) was set up in 2014 to protect such assets, including power grids and financial systems.
  • The 2016 SWIFT banking cyberattack on Bangladesh Bank, which led to $81 million theft, highlighted vulnerabilities in global financial messaging systems; Indian banks like Cosmos Bank were similarly targeted in 2018.
  • The 2020–21 SolarWinds supply chain attack, attributed to Russian APT group Cozy Bear (UNC2452), compromised multiple US federal agencies and demonstrated risks of third-party software vulnerabilities.
  • The Budapest Convention on Cybercrime (2001), ratified by 68 countries including the EU members, is the first international treaty addressing cybercrime; India has not ratified it, citing sovereignty concerns over cross-border data access.
  • India’s Cyber Crime Coordination Centre (I4C), launched in 2018, coordinates with states and agencies to combat cybercrime under the National Cyber Crime Reporting Portal (cybercrime.gov.in).
  • The 2017 WannaCry ransomware attack, exploiting EternalBlue vulnerability developed by NSA and leaked by Shadow Brokers, affected over 200,000 computers in 150 countries, including Indian Railways and hospitals.
  • The NotPetya attack (2017), initially disguised as ransomware but later identified as wiper malware, caused $10 billion in global damages; attributed to Russian military unit GRU by US and UK governments.
  • The 2022 CERT-In directive mandates all virtual asset service providers, data centres, and VPS providers to report cyber incidents within six hours and maintain logs for 180 days, raising privacy and compliance concerns.
  • The Defence Cyber Agency (DCA), established in 2019, is a tri-service command headquartered in Delhi, tasked with handling cyber threats to military networks and achieving integrated cyber operations.
  • The National Technical Research Organisation (NTRO), created post-Kargil War (1999), operates under the National Security Advisor and includes cyber surveillance and technical intelligence capabilities.
  • The 2021 Kudankulam Nuclear Power Plant cyber incident involved malware (Dtrack) linked to North Korean Lazarus Group, though NPCIL denied any breach of control systems.
  • The concept of hybrid warfare combines conventional, irregular, cyber, and information operations; Russia’s annexation of Crimea (2014) used cyberattacks on Ukrainian infrastructure alongside disinformation and proxy forces.
  • The 2020 China-Pakistan joint cyber exercise “Ex-Cyber Storm” focused on countering cyber terrorism, reflecting growing Sino-Pak strategic coordination in cyberspace.
  • The Deep Web refers to parts of the internet not indexed by search engines; the Dark Web, a subset, uses encrypted networks like Tor and is often used for illicit cyber activities, including ransomware negotiations.
  • The 2023 data breach of Air India, affecting 4.5 million global customers, originated from a cyberattack on Swiss-based SITA passenger service system, underscoring third-party supply chain risks.
  • The Indian Cyber Crime Coordination Centre (I4C) launched the Cyber Crime Volunteers Programme (CCVP) to engage citizens as “cyber scouts” for reporting online content related to terrorism and child pornography.
  • The 2021 Colonial Pipeline ransomware attack in the US, carried out by DarkSide gang, led to fuel shortages and a $4.4 million ransom payment, prompting global reassessment of critical infrastructure protection.
  • The concept of “active cyber defence” includes pre-emptive actions like threat hunting and counter-hacking; India’s cyber doctrine remains largely defensive, unlike the US’s 2018 shift to “defend forward”.
  • The 2023 Global Cybersecurity Index (GCI) by ITU ranked India 10th globally, up from 47th in 2017, reflecting improvements in legal, technical, and organizational frameworks.
  • The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, require social media intermediaries to enable traceability of message originators, raising encryption and privacy debates.

Difficulty Level

Intermediate – requires integration of legal, technical, and strategic dimensions with evolving threat landscape and policy responses.

Common UPSC Traps

Trap: CERT-In and NCIIPC are the same agency – Fact: CERT-In handles general cyber incident response under MeitY, while NCIIPC, under NTRO, specifically protects Critical Information Infrastructure (CII) as per Section 70 of IT Act, 2008.
Trap: India is a signatory to the Budapest Convention – Fact: India participated in observer capacity but has not signed or ratified the treaty due to concerns over jurisdiction and data sovereignty (Ministry of External Affairs, 2021).
Trap: Cyber warfare is covered under the Geneva Conventions – Fact: No international treaty specifically governs cyber warfare; existing laws of armed conflict (LOAC) are applied analogously, as per the Tallinn Manual (non-binding academic study).
Trap: The Defence Cyber Agency (DCA) is a statutory body – Fact: DCA is an integrated tri-service command under the Integrated Defence Staff, not established by legislation but through executive order (Ministry of Defence, 2019).
Trap: The IT Act, 2000 covers data protection – Fact: The IT Act, 2000 (amended 2008) lacks comprehensive data protection; the Digital Personal Data Protection Act, 2023, is the first dedicated legislation for this purpose.

Practice MCQs

Question: Which of the following best describes the role of the National Critical Information Infrastructure Protection Centre (NCIIPC)?
A) It is the nodal agency for handling cybercrime complaints from the public
B) It coordinates national-level response to cyberattacks on financial systems and power grids
C) It is responsible for formulating national policy on data localization
D) It investigates cybercrimes involving social media platforms
Answer: B
Explanation: NCIIPC, established in 2014 under NTRO, protects Critical Information Infrastructure (CII) such as power, banking, and transport systems as defined under Section 70 of the IT Act, 2008.
Why others fail: A describes the role of CERT-In and I4C, not NCIIPC.

Question: The ‘Budapest Convention’ is primarily associated with:
A) Cyber warfare doctrines among NATO countries
B) International cooperation in combating cybercrime
C) Data protection standards for EU citizens
D) Regulation of artificial intelligence in military applications
Answer: B
Explanation: The Budapest Convention (2001), formally known as the Council of Europe Convention on Cybercrime, is the first international treaty on crimes committed via the internet and computer systems.
Why others fail: C refers to the GDPR, not the Budapest Convention; India’s non-ratification is due to concerns over cross-border jurisdiction.

Question: Which cyberattack exploited the EternalBlue vulnerability leaked by the Shadow Brokers group?
A) NotPetya
B) Stuxnet
C) WannaCry
D) SolarWinds
Answer: C
Explanation: WannaCry (2017) used the EternalBlue exploit, developed by the NSA and leaked by the hacker group Shadow Brokers, to propagate ransomware globally.
Why others fail: NotPetya also used EternalBlue but was more targeted; WannaCry is the most widespread example directly linked to it.

Question: The Defence Cyber Agency (DCA) is primarily tasked with:
A) Regulating private sector cybersecurity standards
B) Conducting offensive cyber operations in coordination with intelligence agencies
C) Protecting military networks and conducting integrated cyber operations
D) Managing national-level cyber incident reporting through CERT-In
Answer: C
Explanation: DCA, established in 2019, is a tri-service command under the Integrated Defence Staff responsible for safeguarding military networks and executing cyber operations.
Why others fail: B overstates India’s current posture, which remains largely defensive; offensive capabilities are not officially acknowledged.

Question: Under which section of the IT Act, 2008 is the Indian Computer Emergency Response Team (CERT-In) established?
A) Section 66A
B) Section 70B
C) Section 69
D) Section 43A
Answer: B
Explanation: Section 70B of the IT Act, 2008 mandates the establishment of CERT-In as the national nodal agency for cyber incident response.
Why others fail: Section 66A was struck down in Shreya Singhal v. Union of India (2015); Section 69 grants interception powers.

Question: The SolarWinds cyberattack (2020) primarily exploited which type of vulnerability?
A) Phishing emails targeting executives
B) Zero-day exploit in endpoint security software
C) Supply chain compromise through software updates
D) Denial-of-service attack on cloud servers
Answer: C
Explanation: The attackers compromised SolarWinds’ Orion software update mechanism, distributing malware to thousands of customers, including US government agencies.
Why others fail: A and B are common attack vectors but not the primary method in SolarWinds; the attack was stealthy and long-term, not disruptive like DDoS.

Question: Which of the following is NOT a component of hybrid warfare?
A) Use of proxy militias
B) Cyberattacks on communication networks
C) Formal declaration of war under UN Charter
D) Disinformation campaigns via social media
Answer: C
Explanation: Hybrid warfare avoids formal declarations of war, instead blending conventional, irregular, and cyber tactics to achieve strategic objectives below the threshold of open conflict.
Why others fail: A, B, and D are core elements of hybrid warfare, as seen in Russia’s actions in Ukraine.

Last-Minute Revision

  • CERT-In established under Section 70B, IT Act, 2008.
  • NCIIPC protects CII; set up in 2014.
  • IT (Amendment) Act, 2008 introduced Section 66F (cyber terrorism).
  • Budapest Convention (2001) – India not a signatory.
  • WannaCry (2017) used EternalBlue exploit.
  • NotPetya (2017) attributed to Russian GRU.
  • SolarWinds attack discovered in December 2020.
  • Defence Cyber Agency (DCA) established in 2019.
  • NTRO created after Kargil War (1999).
  • Digital Personal Data Protection Act passed in 2023.
  • Air India data breach in 2021 via SITA system.
  • I4C launched National Cyber Crime Reporting Portal.
  • Section 66A struck down in Shreya Singhal case (2015).
  • Colonial Pipeline attack (2021) by DarkSide ransomware gang.
  • Global Cybersecurity Index 2023: India ranked 10th.
  • IT Rules, 2021 mandate traceability on social media.
  • Kudankulam cyber incident linked to Lazarus Group (2021).
  • India’s cyber doctrine is defensive; no official offensive policy.
  • Tallinn Manual – non-binding guide on cyber warfare under LOAC.
  • No international treaty specifically governs cyber warfare.
  • Hybrid warfare example: Russia in Crimea (2014).
  • CERT-In directive (2022): 6-hour incident reporting.
  • SWIFT attack on Bangladesh Bank: $81 million stolen (2016).
  • NCIIPC operates under NTRO, not MeitY.
  • Deep Web vs. Dark Web – the latter uses Tor, I2P for anonymity.