Last month, around thirty two lakh debit cards of various banks in India were compromised through a large scale cyber malware attack. As the biggest security breach ever experienced by the financial sector in India, this attack has also been described as the “first major successful attack on a critical information infrastructure in India”. It is to be noted that the breach failed to be promptly identified despite governmental bodies like the Reserve Bank of India (RBI) and the Computer Emergency Response Team-India (CERT-In) having issued advisories to banks to secure their information infrastructures against cyber criminals. This incident highlights the ever increasing vulnerability of information infrastructures in general to cyber attacks. This post lays down the legal and institutional framework dealing with the protection of critical information infrastructures in India.
The financial sector is only one of the many sectors which are now critically reliant on information infrastructures. Information infrastructures, including computers, servers, storage devices, routers, and other equipment, support the functioning of critical national capabilities such as power grids, emergency communications systems, e-governance and air traffic control networks, to name only a few. Such infrastructures are considered “critical” both because of their contribution to the services delivered by the infrastructure providers and because of the potential impact of any sudden failure on the well-being and security of the nation.
These information infrastructures are especially vulnerable to cyber attacks and breaches. This is because, firstly, critical information infrastructures (“CII” or “CIIs”) are deeply interconnected and complex by design, and are also geographically dispersed. Secondly, dedicated weapons systems or armies are not necessary to disable these systems. Any delay or disruption in the functioning of one critical information system can potentially spread to other CIIs, resulting in political, economic, social or national instability. The increasingly high dependence of critical sectors on CIIs, coupled with the wide variety of threats they are vulnerable to, necessitates an effective policy and institutional framework to protect CIIs.
“Protected Systems” under the IT Act
The Information Technology Act, 2000 (“IT Act”) provides the legislative basis for the protection of critical information infrastructure in India. Section 70 of the IT Act defines “critical information infrastructure” to be “the computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety”. Under this provision, any computer resource which directly or indirectly affects the facility of CII may be declared to be a “protected system” by the appropriate Government. Securing or attempting to secure unauthorized access to such protected systems is punishable. The Central Government has been vested with the authority to prescribe the information security practices and procedures for such protected systems.
Various computer resources have been notified as “protected systems” by the Central Government and by State Governments. In 2010, the TETRA Secured Communication System Network, with its hardware and software installed at various locations in New Delhi, was notified as a “protected system” by the Central Government. In 2015, the Central Government notified the “Unique Identification Authority of India’s (UIDAI) Central Identities Data Repository facilities, information assets, logistics infrastructure and dependencies installed at various locations” as a protected system. More recently, the Central Government declared the Long Range Identification and Tracking (LRIT) system under the Ministry of Shipping, along with its facilities, information, assets, logistics infrastructure and dependencies, to be a protected system. State Governments including Tamil Nadu, Chhattisgarh and Goa have also identified and declared various information infrastructures as protected systems. It is to be noted, however, that there is no exhaustive list of notified protected systems to be found in the public domain. Further, the indiscriminate declaration of information infrastructures as protected systems, as done by various State Governments, is problematic. For instance, the “entire network of computer resources….including websites of the government and government undertakings” was declared to be a “protected system” by the Chhattisgarh Government. Firstly, such infrastructures do not “directly or indirectly affect the facility of a critical information Infrastructure”, and secondly, a high quantum of punishment can be meted out for a mere attempt to secure access to such protected systems. In light of this, the declaration of infrastructures as “protected systems” needs to be a calibrated and considered process, and the criteria for it should be clarified by the Government.
Institutional Framework for Protection of CII
Under Section 70A(1) of the IT Act, the Central Government is vested with the power to designate an organization of the Government as the national nodal agency in respect of the protection of CII. Towards this, in 2014, the Central Government notified the National Critical Information Infrastructure Protection Centre (NCIIPC), an organization under the National Technical Research Organization (NTRO), as the relevant nodal agency. Correspondingly, the Information Technology (National Critical Information Infrastructure Protection Centre and Manner of Performing Functions and Duties) Rules, 2013 (“NCIIPC Rules”) were also notified. Under the NCIIPC Rules, a “critical sector” has been defined to mean a sector which is critical to the nation and whose incapacitation or destruction will have a debilitating impact on national security, economy, public health or safety. On the NCIIPC website, these sectors have been classified into five main groups: (i) power and energy; (ii) banking, financial services and insurance (“BFSI”); (iii) ICTs; (iv) transportation; and (v) e-governance and strategic public enterprises. Unlike the critical sectors identified under the Strategic Approach of the Ministry of Electronics and Information Technology, the sectors identified by the NCIIPC do not include the defence sector. The defence sector has also been expressly excluded from the NCIIPC’s purview under the NCIIPC Rules (Rule 3(4)).
While the Guidelines for the Protection of CII (Version 2.0) issued by the NCIIPC provide a basic framework for the protection of CII, it is both urgent and necessary to consultatively evolve sector-specific guidelines for the protection of these infrastructures. In this regard, while guidelines for the BFSI sector have been issued by agencies like the RBI and SEBI, critical sectors such as power and energy or transportation are yet to be provided with specific guidelines for the protection of their information infrastructures. It has also been argued that the effectiveness of the NCIIPC is undermined by its inaccessibility to the public. This criticism is bolstered, for instance, by the very limited information made available to the public on the NCIIPC website. The opacity of the institutional framework can also prove to be a roadblock in the coordination of cybersecurity efforts, especially for effective public-private collaboration to protect CIIs. This is particularly important because a large number of CIIs are operated by the private sector. Further, standard operating procedures for the notification of CIIs and the identification of public-private partnerships are yet to be issued. No doubt, the notification of the NCIIPC as the nodal agency for the protection of CII has been a commendable step forward in the protection of CII in the country. However, much work remains to be done, and both the NCIIPC and the Government must proactively work with the private sector to ensure that our CIIs are secure and resilient against cyber attacks.