How Does India Deal with The Protection of its Critical Information Infrastructures?

by Ish Dutt

Abstract

This piece introduces the National Critical Information Infrastructure Protection Centre (“NCIIPC”), its role and its functioning, while deconstructing the need to establish it; in essence, it shows how India deals with the protection of its Critical Information Infrastructures. It also emphasises the duties of the NCIIPC. Critical Information Infrastructure (“CII”) refers to critical resources stored on computers and servers which a nation holds under the highest security, such as sensitive information in the energy (nuclear) sector or the banking sector. CII is the monolith the NCIIPC aims to protect; the piece therefore also analyses the importance of identifying relevant CII, the sectors which would have CII and other salient features of a CII. As CII is of paramount importance to governments across the world in a digital era where cyberattacks and various threat actors with nefarious intentions are prevalent, the role of institutions such as the NCIIPC is crucial in ensuring the strong cybersecurity of a nation. This article therefore highlights the role of the NCIIPC, the benefits it brings and the potential space for improvement, in an attempt to create a discourse on cybersecurity in India.

Introduction

To begin, CII essentially consists of informational structures whose failure to function can cause severe disruption to essential sectors of a nation such as health, the economy and national security. The NCIIPC was constituted under section 70A[1] of the Information Technology Act (“IT Act”), and it acts as the national nodal agency for CII protection. Another entity is the Computer Emergency Response Team (“CERT”), which is responsible for all non-critical systems.[2] The quintessential features of the NCIIPC revolve around providing a safe and secure ‘information infrastructure’ for the critical sectors in India, in essence developing synergy and raising security awareness among all its stakeholders within critical industries such as the financial sector, power & energy, and public health and safety.[3] Information infrastructure refers to an intricate matrix of computer systems, communication networks and other technologies that form an accessible system of data. The NCIIPC issues different types of advisories (elaborated on further in the article) related to the protection of CII and also works in consultation with the stakeholders, while maintaining close coordination with CERT.[4] The onus of providing strategic leadership and coherence in responding to cybersecurity threats lies with the NCIIPC.

Identifying the Critical Information Infrastructures

It is pertinent to first understand what CIIs are in order to better understand the role and functioning of the NCIIPC. An amendment in 2008 to the IT Act inserted an explanation of CII which reads as “the computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety.”[5] In addition to this, the amendment added Section 70A[6] for “all critical systems” and Section 70B “for all non-critical systems”, assigning responsibility to two separate agencies, one new and one old.[7][8] The Guidelines for Protection of Critical Information Infrastructure Version 2[9] (“Guidelines”), released by the NCIIPC in 2015, provide methods for identifying CII, starting with identifying “critical businesses”.[10] Additionally, networks which work in an interconnected manner are built on a system of nodes and links. Therefore, another way to streamline the identification of CIIs is by identifying and classifying nodes as critical using the following criteria:

  • It has the ability to exert influence on other nodes, which can result in disruption of governmental and societal infrastructure.[11]
  • It is an integral part of an ensemble of nodes which, if attacked, can have a herd effect and influence others in a similar manner, causing an aggregate malfunction.[12]

Although not included as a part of the NCIIPC’s purview as per Rule 3(4)[13], it is essential to point out that while the defence forces and other intelligence agencies fall under the CII framework, the responsibility for them has been entrusted to the Defence Research and Development Organisation (“DRDO”).[14]

Understanding the role of NCIIPC

The NCIIPC’s operations have been streamlined to cover five broad areas, namely: Power & Energy, Banking, Financial Institutions & Insurance, Information and Communication Technology, Transportation, E-governance and Strategic Public Enterprises.[15] Further, to emphasise the importance of the NCIIPC, citing some examples of relatively recent developments will help in comprehending its role and function.

1. Policy and Strategy

The NCIIPC is driven by the mission statement:

“To take all necessary measures to facilitate the protection of Critical Information Infrastructure from unauthorised access, modification, use, disclosure, disruption, incapacitation or destruction through coherent coordination, synergy and raising information security awareness among all stakeholders.”[16]

Thus, it is pertinent to mention the guiding principles to achieve the aforementioned, i.e. the principle framework of the NCIIPC.

The development of mechanisms and protection of CIIs through risk mitigation is one of the principle frameworks that acts as the backbone of the guiding principles for the NCIIPC. In furtherance of the same, ensuring compliance with NCIIPC policies, guidelines and advisories by the CIIs, whilst facilitating the sharing of information on emerging threats, cyber-attacks and vulnerabilities by developing capabilities for real warning systems, is also an essential aspect.[17] The responsibility of developing linkages is not limited to the domestic front but is amplified by establishing international initiatives, including Research and Development (“R&D”). Domestically, the promotion of indigenous R&D, including modelling and simulation of complex CII, is among the finer focus areas of the NCIIPC.[18]

Additionally, the development and training of manpower has also become an essential aspect from a human resources perspective, for the purposes of improved career development systems, training programs and productivity within critical sectors. The NCIIPC works towards conducting thematic workshops and Information Security Awareness and Training Programmes[19], i.e. capacity building by creating a network of highly skilled workers through consistent engagement with premier institutes like IISc and NITTs.[20]

2. Instance of CII breach

In 2016, India’s banking sector was breached by a malware attack in some ATM systems.[21] According to reports, “All affected banks have been alerted by card networks that a total card base of about 3.2 million could have been possibly compromised”.[22] The National Payments Corporation of India (“NPCI”), the umbrella body for all retail payment systems in India, stated that out of the total breached, 0.6 million were RuPay cards.[23] Such an instance is an example of the vulnerability of some of the critical sectors and of the threat to a nation’s economy if they are left vulnerable. In the aforementioned case, the security lapse took place even after advisories from the Reserve Bank of India (“RBI”) and the CERT. More recently, the NCIIPC has issued advisories regarding the ‘Vulnerability in Python’ and the ‘Multiple vulnerabilities in Drupal’, such as those related to information disclosure, access bypass and cross-site scripting among others, as of September 2020. These notices further shed light on the potential sectors which fall under the purview of the NCIIPC.[24]

The Paradox of Public vs Private   

The NCIIPC framework has a good understanding of the trend that has prevailed whenever there has been an intersection of interests between private and public infrastructure. This has predominantly resulted in ‘unsteady nerves’ among private entities, as the Government takes up the role of the “strict regulator” while private sectors constantly seek freedom to conduct business. The framework adopted by the NCIIPC has consciously taken cognisance of the same and has made efforts not to follow this prevailing trend.[25] The approach taken is thus based on the principle that cybersecurity is a common problem, irrespective of the private-public division, and thus the responsibility for it must be shared.[26] The NCIIPC’s ‘Functions and Duties’, listed on its site homepage, include two integral aspects that shed more clarity on the same:

  • NCIIPC role to coordinate, share, monitor, collect, analyse and forecast, national-level threat to CII for policy guidance, expertise sharing and situational awareness for early warning or alerts,[27] read with
  • “the basic responsibility for protecting CII system shall lie with the agency running that CII.”[28]

The aim of the NCIIPC is therefore to strengthen the agency or critical business entity that runs the CII systems. For this purpose, it has embarked on a formal private sector interface that will move towards establishing joint partnerships between the NCIIPC and private firms in order to spread awareness on the same in the coming years.[29]

The Way Ahead

Cybersecurity remains an arena with a plethora of stakeholders and constantly evolving technology. Thus, while the guidelines for the protection of CII provide a basic framework, there will be a need to constantly evolve sector-specific guidelines in order to protect these infrastructures.[30] There is also a need for cybersecurity professionals to partner with the NCIIPC in order to cover significant portions of the sector.[31] Section 70A and its subclauses do empower the NCIIPC to take the regulatory approach; however, the approach from the outset has been towards creating an ecosystem that promotes more ‘voluntary’ cooperation, which stems from principles of the US Critical Infrastructure Information Act of 2002[32]. Thus, an effort to build and maintain an ecosystem based on the virtues of building and developing the public and private sector would lead to a symbiotically beneficial relationship for all the stakeholders involved. The synergy between the private and the public is also necessary given that a large number of CIIs are private; the Government must therefore work towards forging meaningful partnerships in the best interest of protecting our CIIs.


BIBLIOGRAPHY

[1] Information Technology Act, § 70 (A), (2000).

[2] Datta, S., 2020. The NCIIPC And Its Evolving Framework | ORF. [online] ORF. Available at: <https://www.orfonline.org/expert-speak/nciipc-its-evolving-framework/> [Accessed 27 September 2020].

[3] National Critical Information Infrastructure Protection Centre, Sectors in NCIIPC, https://nciipc.gov.in/?p=sector [Accessed 27 September 2020].

[4] Ibid.

[5] Information Technology Act, (2000).

[6] Information Technology Act, § 70 (A), (2000).

[7] Information Technology Act, § 70 (B), (2000).

[8] Please refer to chapter 4 NCIIPC: Policy and strategy pt. 4.3.11 at pg. 20 of the pdf here https://nciipc.gov.in/documents/NCIIPC_Guidelines_V2.pdf

[9] NCIIPC, Guidelines for Protection of Critical Information Infrastructure, (16th Jan. 2015) Available at: https://nciipc.gov.in/documents/NCIIPC_Guidelines_V2.pdf  [Accessed 27 September 2020].

[10] Ibid. at pg. 5

[11] Supra note 8.

[12] Supra note 9.

[13] Karun, S., 2020. Protecting Critical Information Infrastructures In India. [online] The CCG Blog. Available at: <https://ccgnludelhi.wordpress.com/2016/11/11/protecting-critical-information-infrastructures-in-india/> [Accessed 27 September 2020]

[14] Supra note 2.

[15] Supra note 8.

[16] Supra note 2.

[17] Ibid.

[18] Supra note 8.

[19] Ibid.

[20] Ibid.

[21] India, P., 2020. Banks Recall 3.2 Mn Debit Cards As Data Security ‘Compromised’. [online] Business-standard.com. Available at: <https://www.business-standard.com/article/pti-stories/banks-recall-3-2-mn-debit-cards-as-data-security-compromised-116102001226_1.html> [Accessed 27 September 2020].

[22] India, P., 2020. Banks Recall 3.2 Mn Debit Cards As Data Security ‘Compromised’. [online] Business-standard.com. Available at: <https://www.business-standard.com/article/pti-stories/banks-recall-3-2-mn-debit-cards-as-data-security-compromised-116102001226_1.html> [Accessed 27 September 2020].

[23] Datta, S., 2020. The NCIIPC And Its Evolving Framework | ORF. [online] ORF. Available at: <https://www.orfonline.org/expert-speak/nciipc-its-evolving-framework/> [Accessed 27 September 2020].

[24] Ibid.

[25] Ibid.

[26] Ibid.

[27] National Critical Information Infrastructure Protection Centre, Functions and Duties, https://nciipc.gov.in/?p=function [Accessed 27 September 2020].

[28] Ibid.

[29] Supra note 8.

[30] Karun, S., 2020. Protecting Critical Information Infrastructures In India. [online] The CCG Blog. Available at: <https://ccgnludelhi.wordpress.com/2016/11/11/protecting-critical-information-infrastructures-in-india/> [Accessed 27 September 2020].

[31] Supra note 8.

[32] Supra note 8.

About the Author

Ish is pursuing a B.B.A. LL.B. (Hons.) degree from Jindal Global Law School. He is also an in-house Research Associate at The Digital Future in the ‘Cybersecurity’ team.

