Mumbai Power Outage Could Have Been Cyber Attack

A recent power outage in Mumbai was speculated by Maharashtra Energy Minister Nitin Rout and the New York Times to have been the result of a cyber attack. The October 2020 outage caused a crisis in Mumbai hospitals, where COVID-19 was at its peak, prompting allegations that deliberate action from the Chinese government was behind it. More recent reports suggest that the blackout may have been due to human error.

After several months of indications that the blackout was a deliberate attack, Union Minister of Power RK Singh stated that two internal investigations had produced no evidence to support that claim. He did admit that a cyber attack had occurred on India’s northern and southern load dispatch centers, according to the Times of India, but that this did not contribute to the outage. Mumbai is located in the state of Maharashtra, controlled by the western load dispatch center, and the malware “could not reach the operating system.” Instead of an attack, Singh insisted that the blackout occurred due to human error.

The incident, and the coverage surrounding it, illustrates two related issues that we may face more of in the coming years. The first is the precarity of our power systems, many of which are outdated and are subject to failure in the cases of inclement weather (made more likely by the rapid onset of climate change), deliberate attacks on the power grid, or simple randomness. Recent events in Texas indicate that western countries are not immune to power failures, and may even be more vulnerable given our reliance on consuming massive amounts of power to sustain everyday life. Whether by accident or by malice, a long and large-scale power outage could have devastating effects on any society.

The second issue is the difficulty posed by covering issues of cybersecurity to the public. Most laymen have little to no understanding of cyber issues, and any electronic failure can be blamed on whoever is politically convenient. This brings us to the reporting of the New York Times, who published the headline, “China Appears to Warn India: Push Too Hard and Lights Could Go Out.” The article links the power outage to a skirmish between Chinese and Indian forces at the border between the two in the summer of 2020. The link between the two events is unsubstantiated, as is the link between the malware attack described in the article and the power outage. The New York Times cites the U.S.-based firm Recorded Future, who traced malware in the Indian electricity system to a Chinese government-backed organization called Red Echo. What the article does not mention is that, as reported in WIRED, Recorded Future itself received $10 million in seed funding from the CIA, and may be working extensively with U.S. intelligence.

How to effectively regulate cybersecurity reporting is no easy problem. Ideally, there would be a strong civil society of cyber experts who could push back on suspect narratives and prevent crises like the one in Mumbai from being unfairly politicized.

Whether China is responsible for the blackout or not, however, cyber could represent a new frontier of warfare in the 21st century and beyond. The power to shut down other countries’ power grids could present itself as another possibility for attack is more palatable than nuclear weapons or deployment of troops. People in every respective country must work to ensure that cyber warfare in the 21st century does not escalate in the way that nuclear warfare very nearly did in the 20th.