When Mumbai’s electrical grid went down last October, Indian officials blamed “technical problems” for the outage that left millions without power or cellphone service. Power outages are not unusual in India, and power was restored to essential services within a few hours. A New York Times story months later suggested that this was a Chinese cyberattack, possibly a warning to India during the two countries’ border dispute.
China denied that its hackers were behind the power outage, but India’s chief of defense staff, Gen. Bipin Rawat, has since said, “We know that China is capable of launching cyberattacks on us, and that can disrupt a large amount of our systems.”
Foreign relations experts in the United States and India cite as fact that China was using its computing capabilities to coerce India in the border spat. But the evidence linking the power outage to a Chinese cyberattack is shaky, with little information in the public domain to indicate whether China attacked India’s electrical grid.
What do we know about China’s ability to launch this type of attack? And what incentives might guide a Chinese decision to conduct a cyberattack against Indian critical infrastructure — or to refrain?
No clear evidence links China to the Mumbai outage
In February, Recorded Future, a U.S. cybersecurity firm, reported that Chinese hackers had infiltrated the computer networks of Indian ports and of India’s electricity grid. Neither Indian officials nor the report itself claimed that these intrusions caused the Oct. 13 power outage in Mumbai, and the Indian government has not attributed the outage to a Chinese cyberattack. For its part, China has vehemently denied responsibility.
Starting in mid-2020, Recorded Future detected a series of infections by a back door called ShadowPad across these Indian networks. Hacking groups linked to both China’s Ministry of State Security and the People’s Liberation Army (PLA) have used ShadowPad in the past, which led Recorded Future to conclude that the intrusions were linked to the Chinese government. But it was not able to attribute them to a known state-sponsored hacking group.
Does China plan to attack critical infrastructure networks?
My research, which draws on influential documents written by Chinese military officers, indicates China could conduct “strategic” cyberattacks on another country’s critical infrastructure to coerce an adversary in a conflict. In the early 2000s, the PLA claimed these types of attacks could persuade an adversary not to push its claims any further, by paralyzing an adversary’s critical infrastructure and damaging its latent military power. These views endured into the 2010s and were reflected in influential publications like the 2013 “Science of Military Strategy.”
A cyberattack of this magnitude would probably require approval at the highest level of the PLA chain of command, the Central Military Commission. But Chinese leaders are less likely to approve such attacks today than in the past. Chinese President Xi Jinping has repeatedly emphasized that China itself would be vulnerable to cyberattacks targeting its critical infrastructure, which could lead to societal and economic chaos.
Around 2014, these concerns prompted changes to the PLA’s offensive cyberoperations, capabilities and organization. Self-restraint was part of the PLA’s answer to China’s own network vulnerability: it called for caution when conducting cyberattacks against countries that could retaliate in kind against Chinese networks.
Some Chinese analysts now view cyberattacks on adversary critical infrastructure as unacceptable in peacetime. Officials might share that view. By endorsing the 2015 report of the U.N. Group of Governmental Experts, China tacitly accepted a norm against attacks on critical infrastructure that are contrary to international law. But U.S. officials and experts suggest Beijing has since walked back that endorsement.
Nonetheless, the PLA’s consolidation of cyberespionage and attack units into a new organization, the Strategic Support Force, has probably improved its ability to plan and coordinate targeted cyberattacks on critical infrastructure. Unlike the United States, Russia, Israel and North Korea, China has yet to clearly demonstrate its ability to create physical or digital effects with cyberattacks, despite extensive cyberespionage efforts.
China’s leaders had incentives to disrupt India’s electrical grid
China’s increasing restraint in using cyberattacks does not mean that option was off the table, however. Chinese leaders might have hesitated to launch cyberattacks in peacetime, but China and India were already in an armed conflict. Moreover, Chinese leaders might feel less restrained about using cyberattacks against India than against their main rival, the United States. Beijing might have judged India incapable of attributing an attack to China, or of retaliating in kind. And the Indian electricity grid might have appeared an attractive target on which the PLA could demonstrate its cyberattack capabilities.
And they also had strong reasons not to
Chinese leaders had equally strong incentives not to attack India’s critical infrastructure. Preparations for sophisticated cyberattacks are expensive, time-consuming and fragile — a reason to use them sparingly. October 2020 was not a pivotal moment in the border conflict. And if Beijing caused the power outage and did not claim responsibility either privately or publicly, the attack might have gone unnoticed and failed to serve as a warning to India.
The PLA might not yet have the testing capabilities it wants in order to anticipate and manage all of the second-order effects of a cyberattack on critical infrastructure, effects that would reverberate beyond the original target. A cyberattack could have provoked an international outcry and Indian retaliation if the Mumbai outage had deprived hospitals of power for longer than backup systems could sustain.
Nevertheless, Chinese leaders’ incentives for restraint don’t rule out the possibility that a government-linked group or patriotic hackers disrupted the Mumbai electrical grid by accident or without official authorization. An attack could have slipped through despite the stricter oversight of PLA cyber operations since 2014, and non-PLA groups may be subject to different rules; at least one group linked to the Ministry of State Security reportedly still hacks for profit. It is also possible that China’s laws prohibiting individuals from hacking are not enforced, especially when the target is a geopolitical rival.
While it’s not clear exactly what happened in Mumbai on Oct. 13, the speculation that it was a Chinese cyberattack has nevertheless galvanized India’s military to better counter Chinese cyber threats in the future.