“I was in the middle of my yoga class when I received a call from my children’s schools informing me they would be sent home due to a ‘bomb threat’. I immediately rushed to my daughter’s school while my husband went to my son’s school to get them home. Later, we learnt that the threats were a hoax, but when I received that call, panic set in within a second,” said Gowri Raj, a resident of Yelahanka, about 20 kilometres from the city centre, remembering the events of December 1.
She was not alone. Nearly 70 schools in and around Bengaluru received the same “bomb threat email” from kharijiites@beeble.com on December 1. It threatened to kill “you and your children” and said, “From Buddha to infinity they will fly apart from our explosions”. It even targeted Zionists and signed off with “Allahu Akbar”.
The children had been in school for just an hour or so. Bengaluru, the IT capital of the country, plunged into chaos and was gripped by panic in a matter of minutes. Even parents who hadn’t received intimations from their children’s schools were alerted by rolling television coverage. They rushed there and demanded that they be allowed to take their wards back home.
Schools were milling with police officials and bomb detection and disposal squads while children huddled in playgrounds and other open spaces. The threats turned out to be a hoax. However, over 1 lakh children returned home within hours of that email.
Probes hit dead-end
As the city went into a tizzy that Friday morning, there was also a sense of deja vu. On April 8, 2022, over 20 schools received a similar bomb threat email, which also eventually turned out to be a hoax. The December 1 drill was just a repeat of what unfolded last year in more ways than one.
Over a month after Bengaluru schools received the threat last year, schools in Bhopal received similar hoax bomb email threats in May 2022. This time around, the email to Bengaluru schools was preceded by a similar hoax bomb threat email to 51 schools in Kuala Lumpur, Malaysia; to several schools in Jamaica in November; and to several schools in Germany in October. The email to Bengaluru and Kuala Lumpur schools was sent from a Cyprus-based email service provider, Beeble.com.
In the 2022 case, the email was initially traced to Syria, but as more layers of the Virtual Private Network (VPN) were uncovered, the trail finally went cold in Pakistan. “We couldn’t trace the final user who sent the mail from across the border. We gave our inputs to central security agencies and are unaware of further developments,” said an officer involved in that probe.
The email sent to schools on December 1 differed in tone in that it had an Islamist slant. However, given that similar emails were sent to different targets across three months, police suspect this is a new kind of “cyber terrorism” meant to send bustling cities into panic.
Queries with Beeble.com, through which the December 1 email was sent, revealed that the user had used the Switzerland-based Proton Virtual Private Network (VPN), a company that has a “no-logs policy”. “We are not hopeful that the company will give us any useful information that will lead to the identity of the email sender,” a senior police official said.
Changing nature of cyber threats
“A person sitting somewhere, hiding behind the anonymity that VPNs provide, took just a few minutes to send the IT capital of India, a city of nearly 14 million and a growth engine of the country, into a tizzy. It is pretty low-tech. This is the best illustration of how asymmetric cyber threats are,” said a senior police official with considerable experience in fighting cybercrime.
If a hoax bomb threat can send an entire city into a tailspin, imagine what can happen if a city’s power grid is hacked and shut down as a result. That’s precisely what happened in Mumbai on October 13, 2020. A cyber attack on the city’s power grid brought the country’s financial capital to a halt for nearly half a day. The famed local trains stopped, and the stock exchange shut down, even as hospitals struggled to keep ventilators running. The attack was traced to state actors in China, The New York Times reported in February 2021, a claim acknowledged by Ministers in the government of Maharashtra. India-China relations were tense in October 2020 over the Galwan Valley clash.
Several key cyber attacks on critical information infrastructure in India have been reported in recent years: on the Kudankulam Nuclear Power Plant in 2019, on Goa’s flood monitoring system in 2020, and ransomware attacks on nationally important institutions like the New Delhi-based All India Institute of Medical Sciences and the Bengaluru-based National Institute of Mental Health and Neurosciences in 2022. The Karnataka State Data Centre, the information nerve centre of the Government of Karnataka, fell prey to the WannaCry ransomware attack in 2017.
“The trade-off of going more and more digital is like dining with the devil. It is a cat and mouse game, and who wins is always a function of who is ahead of the curve, and the adversary always has an advantage,” said Tobby Simon, founder-president, Synergia Foundation, a Bengaluru-based strategic think tank specialising in cyber security, with over three decades of experience.
Institutional vacuum
Synergia Foundation organised a roundtable meeting for the top bureaucrats of the State and honchos of Bengaluru Inc. in 2018, posing a simple question: “Who cares, and who do you call in case of a cyber attack on critical information infrastructure?” That question hasn’t found a satisfactory answer in Karnataka to this day.
“We have just been lucky that there has been no major attack on our critical infrastructure. Given that our State data centre had a ransomware attack, we are not equipped to prevent it or handle its aftermath efficiently. There are no standard operating procedures (SOPs) and a set chain of command or architecture in place to handle such crises in the State,” said a senior police official who is a cybercrime expert.
A national cyber security architecture has recently evolved — the Indian Cyber Crime Coordination Centre (I4C), which coordinates cybercrime investigations, and the National Critical Information Infrastructure Protection Centre (NCIIPC), with which States have been coordinating. But multiple police officials and e-governance experts said a similar architecture was needed at the State level. That is missing in Karnataka, even as Maharashtra and Odisha have taken the lead in this avenue.
Multiple proposals from the Karnataka State Police and e-Governance Department to set up a cyber security architecture like I4C and NCIIPC have been ignored. The Cyber Security Policy 2023, still in the draft stage, does provide for a State Cyber Security Committee led by the Chief Secretary but doesn’t include the Karnataka State Police, and has been criticised for this by the police, who are at the forefront of fighting cybercrimes, cyber security breaches, and now cyber terrorism.
“What we need is a two-organisation set-up. One organisation that coordinates and has adequate skill sets for cybercrime probes also houses a command centre to handle any crisis in the state. Another organisation needs to proactively ensure that our critical information infrastructure — like our power grids, flood management systems, metro and railway signals, and traffic management systems — is safe. We must ethically hack our systems, identify vulnerabilities, and patch up our bugs and gaps. That is the only way we can stay ahead of the curve,” said a senior police official.
Officials responsible for cyber security and fighting cybercrime said there was a lack of understanding of these ideas in the government across parties. “Unless a big attack happens, there seems to be a lack of receptiveness to these ideas, even though the vulnerability of Bengaluru to such attacks is very high. This is like waiting for your first accident to get insurance. But often, that is how it works. Maharashtra is now investing over ₹800 crore in a Computer Emergency Response Team - Maharashtra (CERT-MH) after the 2020 power grid attack,” a senior official said.
In the Budget the then Chief Minister Basavaraj Bommai presented in February 2023, he proposed to set up a Cyber Security Operation Centre (CSOC) at a cost of ₹20 crore. This followed a proposal by the Karnataka State Police and was on the lines of I4C and NCIIPC. However, Bommai was voted out in May, and incumbent Chief Minister Siddaramaiah junked the February Budget and presented a new one in July in which the CSOC proposal was dropped.
Tobby Simon of Synergia Foundation said most of the organisations set up by the governments tended to be “post-facto” crisis management groups but said what was needed was a “thinking organisation” that doesn’t work to solve the problem at hand but thinks ahead of the curve and tries to anticipate and solve the next issue. “The key thing in this cat-and-mouse game is thought leadership,” he said. “For instance, all our cyber security is based on encryptions and passwords. The advent of artificial intelligence and quantum computing has made decryption so much easier and fast. We now need to prepare for a post-AI and quantum age cyber security,” he said.
The E-Governance Department is now working on initiating “purple teaming”, where government teams ethically hack their critical information infrastructure to expose the chinks and fix them, among a host of other initiatives. The Cyber Security Policy 2023, which is in the offing, is expected to give a big fillip to the government’s cyber security culture. However, many in the field pointed out the need for more collaboration between the e-Governance Department and Karnataka State Police in the State.
Schools pick up the pieces
“Schools and colleges are easy targets for people deliberately trying to disrupt peace and harmony. But we cannot take even a single thing lightly. As schools, we have maximum security, and we even have strong firewalls for cyber security. Yet, we cannot control emails,” said Mansoor Ali Khan, trustee and member of the management board, Delhi Public School. One of the group’s branches had also received a threat on the day.
“Once such threats come in, schools take two to three days to return to normalcy, and children start panicking. These things greatly impact students, especially as it is the second or third time something like this has happened in the last few months. It affects their confidence. We have to counsel and talk to them patiently,” Khan said.
The management from some other schools reported that while the students were mature enough to understand that the threats were a hoax, the security on the premises was beefed up, nevertheless. “We already had 20 security guards and around 400 cameras on campus. We have never let anyone come to the campus without prior appointments and ID verification. Now, after this incident, we have employed three additional security guards, a few night guards, and also installed extra night lights,” said Nooraine Fazal, co-founder, CEO, and managing trustee, Inventure Academy, also a school that received a bomb threat on December 1.
Following these events, the Department of School Education and Literacy also recently issued a circular, reiterating an earlier regulation that the school premises, including the playgrounds attached to them, only be used for educational purposes and not be rented out. Additionally, the private schools in the city also demanded that the State government roll out a ‘School Safety Policy’ which provides legal security to students, staff, management, and the school’s property.