As technology continues to shape our world and networks, the need for robust measures to protect critical digital resources has never been more apparent. Especially in light of recent events, where financial institutions like ICICI Bank, HDFC Bank, and NPCI (National Payments Corporation of India) have been declared as ‘Critical Information Infrastructure’ (CII) by the Union Ministry of Electronics and IT (MeitY).
Understanding Critical Information Infrastructure
As defined by the Information Technology Act of 2000, CII is a computer resource whose incapacitation or destruction can severely impact national security, economy, public health, or safety. To safeguard digital assets, the government has the power under IT Act of 2000 to classify any data, database, IT network, or communication infrastructure as CII. Violation of this classification can result in up to 10 years imprisonment.
The Importance of CII Classification and Protection
Around the world, governments are acting swiftly to shield their CIIs because:
– CIIs play a crucial role in countless operations in a country’s infrastructure, and their interconnectedness means disruptions could have a widespread effect across sectors.
– IT failure can result in other sectors being crippled, such as healthcare and banking services. For instance, an IT failure at a power grid can cause extensive outages.
– With cyber aggression on the rise, such as the 2007 denial-of-service attacks on Estonian banks, ministries, parliament, and media outlets, the need to bolster such assets against threats is vital.
In 2020, as India battled the pandemic, it was claimed that a power outage in Mumbai, which impacted hospitals, trains, and businesses, could have been a cyber attack. The government denied this, but it highlighted the risk of hostile state and non-state actors probing internet-dependent critical systems in other countries.
Protecting CIIs in India
In India, the National Critical Information Infrastructure Protection Centre (NCIIPC), established in January 2014, is the primary agency responsible for protecting the nation’s CIIs. The agency is tasked with guarding CIIs against unauthorized access, modification, use, disclosure, disruption, incapacitation, or distraction. It also monitors and predicts national-level threats to CIIs for policy guidance, expertise sharing, and situational awareness to provide early warnings or alerts.
However, the agency running the particular CII holds the basic responsibility for its protection.
Legal Obligations for Reporting Cyber Security Incidents
According to section 70B of the Information Technology Act 2000, it is legally mandatory for service providers, data centers, and body corporate to report cyber security incidents. The appointed agency for handling incident response is the Indian Computer Emergency Response Team (CERTIn), established by the Union Government under section 70B of the IT Act, 2000. According to Rule 12(1)(a), these entities must report any cyber security incidents to CERT-In within a reasonable timeframe after the occurrence.
