Why in the news?
Recently, the Union Ministry of Electronics and IT (MeitY) designated the IT (Information Technology) resources of ICICI Bank, HDFC Bank, and NPCI (National Payments Corporation of India) as ‘critical information infrastructure.’
What exactly is Critical Information Infrastructure (CII)?
- The Information Technology Act of 2000 defines Critical Information Infrastructure as a computer resource whose incapacity or destruction would have a crippling effect on national security, the economy, public health, or safety.
- Under the IT Act of 2000, the government has the authority to declare any data, database, IT network, or communications infrastructure as CII in order to protect that digital asset.
- Anyone who secures or attempts to secure access to a protected system in contravention of the law faces up to ten years in prison.
What is the need for CII classification and protection?
- Governments all across the world have been working feverishly to safeguard their key information infrastructure.
- IT resources are the backbone of innumerable vital functions in a country’s infrastructure, and interruptions can have a cascading effect across sectors due to their interconnection.
- IT failure cripples other industries: A failure of the information technology behind a power grid might cause long-term disruptions in other areas such as healthcare and banking.
- Estonia's wave of denial-of-service attacks is one example. In 2007, a series of denial-of-service attacks, purportedly from Russian IP addresses, struck major Estonian banks, government organisations (ministries and parliament) and media sites. It was an unprecedented act of cyber aggression. For nearly three weeks, the attacks wreaked havoc in one of the world’s most networked countries.
- A Denial-of-Service (DoS) attack is an attempt to bring a machine or network to a halt, rendering it unreachable to its intended users. DoS attacks achieve this by flooding the target with traffic or transmitting information that causes it to crash.
- In October 2020, while India battled the pandemic, the electric grid supply to Mumbai abruptly failed, affecting the megacity’s hospitals, railroads, and businesses.
- Later, a study conducted by a US firm claimed that the power outage was caused by a cyber-attack on critical infrastructure, purportedly by a China-linked group. However, the government was quick to deny any cyber-attack in Mumbai.
- Even so, the incident highlighted the risk of hostile state and non-state actors probing internet-dependent critical systems in other countries, as well as the need to fortify such assets.
In India, how are CIIs protected?
Nodal Agency: NCIIPC
- The National Critical Information Infrastructure Protection Centre (NCIIPC), established in January 2014, is the nodal entity in charge of protecting the nation’s critical information infrastructure.
- NCIIPC’s mandate is to protect CIIs from illegal access, modification, usage, disclosure, disruption, incapacity, or destruction.
- It will track and forecast national-level threats to CII in order to provide policy guidance, expertise sharing, and situational awareness for early warning or alerts.
- In the event of a critical information infrastructure threat, the NCIIPC may request information and provide guidance to critical sectors or individuals serving or having a critical influence on critical information infrastructure.
- The agency running a CII system bears the primary responsibility for protecting that system.