CRITICAL INFORMATION INFRASTRUCTURE

Disclaimer: Copyright infringement not intended.

Context

The government has declared the IT resources of ICICI Bank, HDFC Bank and UPI managing entity NPCI as ‘critical information infrastructure,’

What is critical information infrastructure?

The Information Technology Act of 2000 defines “Critical Information Infrastructure” as a “computer resource, the incapacitation or destruction of which shall have debilitating impact on national security, economy, public health or safety”.
The government, under the Act, has the power to declare any data, database, IT network or communications infrastructure as CII to protect that digital asset.
Any person who secures access or attempts to secure access to a protected system in violation of the law can be punished with a jail term of up to 10 years.

Why is CII classification and protection necessary?

IT resources form the backbone of countless critical operations in a country’s infrastructure, and given their interconnectedness, disruptions can have a cascading effect across sectors.
An information technology failure at a power grid can lead to prolonged outages crippling other sectors like healthcare, banking services.

Case Studies

In 2007, a wave of denial-of-service attacks, allegedly from Russian IP addresses, hit major Estonian banks, government bodies – ministries and parliament, and media outlets. It was cyber aggression of the kind that the world had not seen before, and it came in the wake of Estonia’s decision to move a memorial to the Soviet Red Army to a location of less prominence. The attacks played havoc in one of the most networked countries in the world for almost three weeks.
On October 12, 2020 as India battled the pandemic, the electric grid supply to Mumbai suddenly snapped hitting the mega city’s hospitals, trains and businesses. Later, a study by a US firm laimed that this power outage could have been a cyber attack, allegedly from a China-linked group, aimed at critical infrastructure. The Indian government, however, denied any cyber attack in Mumbai. But the incident underlined the possibility of hostile state and non-state actors probing internet-dependent critical systems in other countries, and the necessity to fortify such assets.

How are CIIs protected in India?

Created in January 2014, the National Critical Information Infrastructure Protection Centre (NCIIPC) is the nodal agency for taking all measures to protect the nation’s critical information infrastructure.
It is mandated to guard CIIs from “unauthorized access, modification, use, disclosure, disruption, incapacitation or distraction”.
NCIIPC will monitor and forecast national-level threats to CII for policy guidance, expertise sharing and situational awareness for early warning or alerts.

CRITICAL INFORMATION SECTORS

NCIIPC

National Critical Information Infrastructure Protection Centre (NCIIPC) is an organisation of the Government of India created under the Section 70A of the Information Technology Act, 2000 (amended 2008), in 2014. Based in New Delhi, it is designated as the National Nodal Agency in terms of Critical Information Infrastructure Protection. It is a unit of the National Technical Research Organisation (NTRO) and therefore comes under the Prime Minister's Office (PMO).

Its objective is to facilitate safe, secure and resilient Information Infrastructure for Critical Sectors of the Nation; To take all necessary measures to facilitate protection of Critical Information Infrastructure, from unauthorized access, modification, use, disclosure, disruption, incapacitation or destruction.

https://epaper.thehindu.com/Home/ShareArticle?OrgId=GSO9UIA70.1&imageview=0&utm_source=epaper&utm_medium=sharearticle