—By Charu Latha
According to the Global Forum on Cyber Expertise (GFCE), critical information infrastructure (CII) is that infrastructure which is essential for the maintenance of vital societal functions, such as health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have serious consequences.
Need to Protect Critical Information Infrastructure
IT resources are a part of several critical operations. Disruptions in them can have cascading effects across other sectors as well. It has become important for countries to protect CII, especially after some cyber attacks hit banks and government bodies nationally and internationally. IT failure in one sector could affect the economy and other sectors like healthcare and banking services adversely. Information leakage from any sector could have spillover effects on many sectors including government bodies. For instance, in 2007, Estonian banks and government bodies were attacked (denial-of-service attack) allegedly from Russian IP addresses. It made countries worldwide realise the importance of cyber security and information protection.
Status of CII in India
The IT Act of 2000 defines CII as “computer resource, the incapacitation or destruction of which shall have a debilitating impact on national security, economy, public health or safety.” The IT Act of 2000 empowers the government to declare any data as CII to protect it. Any person who violates the law shall be punished.
Recently, the IT resources of ICICI bank, HDFC bank, and UPI entity of NCPI have been declared as CII by the Union Ministry of Electronics and IT (MeitY).
In 2014, India formed the National Critical Information Infrastructure Protection Centre (NCIIPC) which is the nodal agency to protect critical information and protect it against unauthorised access, modification, use, disclosure, disruption, incapacitation, or destruction. All the organisations under it have to work according to the guidelines provided and over various aspects of cybersecurity. NCIIPC has identified power & energy, banking, financial services & insurance, telecom, transport, government, and strategic & public enterprises as critical sectors. India also has National Cyber Security Coordinator (NCSC) under the National Security Council Secretariat which coordinates with all the agencies for the protection of CII. Cyber and Information Security (CIS) formed under the Ministry of Home Affairs is also responsible for the coordination and effective implementation of threats. The NCIIPC website mentions that the organisation will protect and deliver advice to reduce the vulnerabilities of critical information, assist in the development of appropriate plans, sharing of best practices in the protection of CII. It also issues guidelines, advisories, and vulnerability notes relating to the protection of CII with stakeholders and other organisations working in similar fields.
Information being the major source with which the nations can attack and one of the major threats to national security, India must create a broader framework to protect and deal with the threats and challenges to CII.
The government needs to set up training and awareness programmes, and build the cyber workforce to execute the plan efficiently. The government should also expand its infrastructure with international cooperation, certification of protection mechanisms of CII, improve the supply chain of cyber security as well as improve operational efficiency. Apart from these, establishment of a Defence Cyber Agency would also help to deal with cyber security threats.
© Spectrum Books Pvt Ltd.