Critical Information Infrastructure : Daily Current Affairs

Relevance:GS-3: Challenges to security through communication networks, basics of cyber security.

Key Phrases: critical information infrastructure, Information Technology Act of 2000, WannaCry and Petya ransomware attacks, denial-of-service attacks, National Critical Information Infrastructure Protection Centre Section 70A of the Information Technology Act, National Technical Research Organisation.

Context:

  • The Union Ministry of Electronics and IT (MeitY) has declared IT resources of ICICI Bank, HDFC Bank and UPI managing entity NPCI as ‘critical information infrastructure’. The notification to this effect was issued on June 16, 2022.

What is critical information infrastructure?

  • The Information Technology Act of 2000 defines “Critical Information Infrastructure” as a “computer resource, the incapacitation or destruction of which shall have debilitating impact on national security, economy, public health or safety”.
  • The government, under the Act, has the power to declare any data, database, IT network or communications infrastructure as CII to protect that digital asset.
  • The Guidelines for Protection of Critical Information Infrastructure released by National Critical Information Infrastructure Protection Centre in 2015, provide methods and criteria for identifying CII:
    • It has the ability to exert influence on other nodes which can result in disruption of governmental and societal infrastructure.
    • It is an integral part of an ensemble of nodes, which if attacked, can have herd effect and influence others in a similar manner causing an aggregate malfunction.
  • Any person who secures access or attempts to secure access to a protected system in violation of the law can be punished with a jail term of up to 10 years.

Why the protection of CIIs is necessary?

  • World over governments have been moving with alacrity to protect their critical information infrastructure because of the following reasons:
    • IT resources form the backbone of countless critical operations in a country’s infrastructure, and given their interconnectedness, disruptions can have a cascading effect across sectors.
    • An information technology failure at a power grid can lead to prolonged outages crippling other sectors like healthcare, banking services.
    • Recent attacks on various infrastructure and businesses like 2017 WannaCry and NotPetya ransomware attacks, the 2015 attack on Ukrainian power grids and 2010 Stuxnet attack on Iranian nuclear reactor.
    • Cyber Wars: States are deploying cybersecurity attacks in order to have geo-political gains.

Some Incidents which brought Importance of Critical Information Infrastructure

  • In 2007, a wave of denial-of-service attacks, allegedly from Russian IP addresses, hit major Estonian banks, government bodies – ministries and parliament, and media outlets. It was cyber aggression of the kind that the world had not seen before, and it came in the wake of Estonia’s decision to move a memorial to the Soviet Red Army to a location of less prominence. The attacks played havoc in one of the most networked countries in the world for almost three weeks.
  • On October 12, 2020 as India battled the pandemic, the electric grid supply to Mumbai suddenly snapped hitting the mega city’s hospitals, trains and businesses. Later, a study by a US firm that looks into the use of the internet by states, claimed that this power outage could have been a cyber attack, allegedly from a China-linked group, aimed at critical infrastructure. The government, however, was quick to deny any cyber attack in Mumbai.
  • Both incidents underlined the possibility of hostile state and non-state actors probing internet-dependent critical systems in other countries, and the necessity to fortify such assets.

Protection of Critical Information Infrastructures in India

  • National Critical Information Infrastructure Protection Centre (NCIIPC) is the nodal agency for taking all measures to protect the nation’s CII.
  • It is mandated to guard CIIs from “unauthorised access, modification, use, disclosure, disruption, incapacitation or distraction”.
  • NCIIPC monitors and forecasts national-level threats to CII for policy guidance, expertise sharing and situational awareness for early warning or alerts.
  • As per NCIIPC, the basic responsibility for protecting the CII system shall lie with the agency running that CII.
  • NCIIPC provide Guidelines for Protection of Critical Information Infrastructure in India.
  • In the event of any threat to critical information infrastructure the NCIIPC may call for information and give directions to the critical sectors or persons serving or having a critical impact on Critical Information Infrastructure.

National Critical Information Infrastructure Protection Centre

  • It is an organisation of the Government of India created under the Section 70A of the Information Technology Act, 2000 (amended 2008), in 2014
  • It is designated as the National Nodal Agency in terms of Critical Information Infrastructure Protection.
  • It was created in January 2014.
  • It is a unit of the National Technical Research Organisation (NTRO) and therefore comes under the Prime Minister’s Office (PMO).
  • NCIIPC has broadly identified the following as ‘Critical Sectors’:
    • Government.
    • Strategic & Public Enterprises
    • Power & Energy.
    • Banking, Financial Services & Insurance.
    • Telecom.
    • Transport.

Way Forward:

  • Cybersecurity remains an arena with a plethora of stakeholders and constantly evolving technology. Thereby, while the guidelines for the protection of CII provide a basic framework for the protection of the CII, there will be a need to constantly evolve sector-specific guidelines in order to protect these infrastructures. There is also need of cybersecurity professionals to partner with the NCIIPC in order to cover significant portions of the sector.
  • To strengthen its cybersecurity, India should see the National Cyber Security Strategy as a key opportunity to articulate how international law applies to cyberspace.
  • The synergy between the private and the public is also necessary taking cognisance of the fact that a large number of CIIs are private thus the Government must work towards forging meaningful partnerships with the best interest of protecting our CIIs.

Source: Indian Express 

Mains Question:

Q. What are the critical information infrastructures in India? Why the protection of CIIs is important for India? (250 words).