Critical Information Infrastructure (CII)

In News

• Recently, the Union Ministry of Electronics and IT (MeitY) has declared IT resources of ICICI Bank, HDFC Bank and UPI managing entity NPCI as ‘critical information infrastructure (CII)’.

Critical Information Infrastructure (CII)

• Definition: 
  • The Information Technology Act of 2000 defines “Critical Information Infrastructure” as a “computer resource, the incapacitation or destruction of which shall have debilitating impact on national security, economy, public health or safety”.
• Power of the Government: 
  • The government, under the Act, has the power to declare any data, database, IT network or communications infrastructure as CII to protect that digital asset.
• Violation: 
  • Any person who secures access or attempts to secure access to a protected system in violation of the law can be punished with a jail term of up to 10 years.
• Why is CII classification and protection necessary?
  • IT resources form the backbone of countless critical operations in a country’s infrastructure, and given their interconnectedness, disruptions can have a cascading effect across sectors. 
  • An information technology failure at a power grid can lead to prolonged outages crippling other sectors like healthcare, banking services.
  • Global: 
    • In 2007, a wave of denial-of-service attacks, allegedly from Russian IP addresses, hit major Estonian banks, government bodies, ministries and parliament, and media outlets. 
    • It was cyber aggression of the kind that the world had not seen before.
    • It came in the wake of Estonia’s decision to move a memorial to the Soviet Red Army to a location of less prominence. 
    • The attacks played havoc in one of the most networked countries in the world for almost three weeks.
    • Since then CII protection gained prominence world over.
  • India: 
    • In October 2020, as India battled the pandemic, the electric grid supply to Mumbai suddenly snapped hitting the mega city’s hospitals, trains and businesses. 
    • Later, a study by a US firm that looks into the use of the internet by states, claimed that this power outage could have been a cyber attack, allegedly from a China-linked group, aimed at critical infrastructure. 
    • The incident underlined the possibility of hostile state and non-state actors probing internet-dependent critical systems in other countries, and the necessity to fortify such assets.

National Critical Information Infrastructure Protection Centre (NCIIPC)

• Nodal Agency: Created in January 2014, the NCIIPC is the nodal agency for taking all measures to protect the nation’s critical information infrastructure.
• Mandate: It is mandated to guard CIIs from “unauthorised access, modification, use, disclosure, disruption, incapacitation or distraction”.
• Function: It will monitor and forecast national-level threats to CII for policy guidance, expertise sharing and situational awareness for early warning or alerts. The basic responsibility for protecting the CII system shall lie with the agency running that CII.
• In case of threat: In the event of any threat to critical information infrastructure the NCIIPC may call for information and give directions to the critical sectors or persons serving or having a critical impact on Critical Information Infrastructure.

What are the reasons for increasing Cyber attacks?

• Adverse relations with China: China is considered one of the world leaders in information technology. Therefore, it is expected to have capabilities to disable or partially interrupt the information technology services in another country. 
• Asymmetric and covert warfare: Unlike conventional warfare with loss of lives and eyeball to eyeball situations, cyber warfare is covert warfare with the scope of plausible deniability, i.e. the governments can deny their involvement even when they are caught. Therefore, cyber warfare has increasingly become the chosen space for conflict between nations.
• Increasing dependency on technology: As we grow faster, more and more systems are being shifted to virtual space to promote access and ease of use. However, the downside to this trend is the increased vulnerability of such systems to cyber-attacks. 

Government steps to ensure Cyber Security

• Institutional Structure: India has a well-organised structure to regulate and strengthen the national information technology systems across the country. This includes the National Cyber Security Council as well as Computer Emergency Response Team – India (CERT-In).
• Banning of potentially unsafe apps: Recently, India had banned many apps (mostly of Chinese origin), which were found to be unsafe for usage by the Indian citizens. The apps were allegedly transferring data to the servers located outside India and did not have proper safeguards to ensure that the private data of Indian citizens was protected from unauthorised access.
• Personal Data Protection Bill: The bill mandates strengthening of data infrastructure by the private companies to safeguard the data of individuals. Therefore, there is a focus on including the private companies in the ambit of data protection, rather than restricting it to the government only.
• Upcoming Cyber Security Strategy: Cyber Security Strategy aims to prepare a comprehensive document on preparing for and dealing with the cyber-attacks and securing the cyberspace in the country. For e.g. the strategy identifies three stages in the arena of cyber-attacks:
  • Pre attack or Preparatory Phase: In this stage, the systems’ gaps are identified and they are plugged in. The focus is on strengthening the defence mechanism and the firewalls and keeping the system up to date so that any potential threat is averted and the system is not compromised.
  • During the Attack: At the time of the attack, the focus is on stopping it as soon as possible and minimising the damage to the system. Also, it is to be ensured that the critical assets and data are not lost to the attack. When the attackers have been pushed out of the system, the focus shifts to restoring the services so that the consumers do not face long outages.
  • Post-Attack Phase: After the attack is over and the system is restored to normalcy, the focus is on identifying the loopholes or gaps in the system, understanding how the reaction could have been more swift and creating Standard Operating Procedure (SOPs) in case of similar future attacks.

Challenges with Cyber Security

• Low digital literacy among the general public: The general level of awareness in India about internet etiquette is low. It is often reported that people are duped easily by click-baiting them into clicking interesting content, which often has malware attached to itself. 
• Vulnerable points in the system: There is a need to find and address the vulnerable points in the system, which might allow unauthorised entry into the system. For e.g. it is expected that the sensitive nuclear data is protected by heavy encryption, but the users may be vulnerable to human errors while accessing the systems. 
• State-sponsored Cyber Attacks: The problem with such state-sponsored attacks is the unlimited funding received by the hackers to break into the foreign systems. This means that to counter such threats from China or other countries, we need to allocate sufficient resources, which can proportionately deter the systems from being compromised. 

Way Ahead

• Increased awareness and monitoring: In the era of cyber wars, the only thing which has the potential to prevent vulnerability is information control. There is a need to enhance the general awareness levels of the government installations as well as the general public to counter such threats.
• Strengthening the policy and ecosystem: The need of the hour is to come up with a futuristic National Cyber-Security Policy which allocates adequate resources and addresses the concerns of the stakeholders. 
• Pre-empting the cyber-attacks: There is a need to invest in the right tools and technologies apart from the human resources, which can predict and detect the cyber attacks early, so that preventive steps could be taken while the time is still on our side. 
• Capacity Building: Unlike other sectors requiring huge machinery and equipment, information technology is one sector which is highly dependent upon the skill level of human resources more than anything else.
• Continuous Testing: There is a need to conduct regular and frequent checks of the existing system by bringing in ethical hackers and other experts on board so that if there are chinks in the system, they can be addressed swiftly before they are exploited by the hackers.
• Partnership with the private sector: There is a need to collaborate and cooperate in erecting defences against outside intruders, who try to gain unauthorised entry into the system.
• Classification and prioritisation of the assets: Although all sectors are important and need to be protected from outside intrusion, there is a need for classification of assets and systems in such a way that the core systems have multiple layers of protection. This includes power and energy systems, which might lead to a cascading effect on the economy as the supply of power is critical for the proper functioning of the dependent systems.
• Sharing the Best Practices: Cyber systems are extensive in nature. Also, they are staggered across the spectrum. Therefore, it makes sense to collate the experience of the different entities together to form a comprehensive knowledge base, which can be utilised in case of future incidents.

Source: IE