Paper: III
Topic: Information technology, Cyber security, Internet governance, CERT-IN, NCIIPC.
Relevance and use of the article in UPSC prelims and mains examination:Dear aspirants this article is about The National Critical Information Infrastructure Protection Centre (NCIIPC).Only eight years after India passed the Information Technology Act, did the term cybersecurity appear in a statute through a series of amendments to the Act approved by the Indian Parliament. In 2008, the amendments recognised the need for a focussed approach to cybersecurity and divided it into two segments: Critical and Non Critical. Let's see in this article that what needed to be done.
- Information Technology Act The amendment defined ‘Critical Information Infrastructure’ (CII) as “those facilities, systems or functions whose incapacity or destruction would cause a debilitating impact on national security, governance, economy and social well-being of a nation.” The law also added two sections – 70 (A) for all ‘Critical’ systems and section 70 (B) for all non-critical sections and assigning the responsibility to two separate agencies – one new and one old.
- The National Critical Information Infrastructure Protection Centre (NCIIPC) was deemed to be created by a gazette notification with specific responsibilities for protecting all CII. The Computer Emergency Response Team – India (CERT-IN) would be responsible for all non-critical systems, but would continue to be responsible for collecting reports on all cyber attacks / incidents. While the law was amended in 2008, it would take six years before NCIIPC was formally created through a Government of India gazette notification in January 2014.
- The NCIIPC started off with several sectors, but has now truncated them into five broad areas that cover the ‘critical sectors’. These are:
- Power & Energy
- Banking, Financial Institutions & Insurance
- Information and Communication Technology
- Transportation
- E-governance and Strategic Public Enterprises
- While defence and intelligence agencies have also been included under the CII framework, these have been kept out of the purview of the NCIIPC’s charter. Instead, the Defence Research and Development Organisation (DRDO) has been tasked with protecting these bodies.
Key issues:
- A key point that has been factored in while identifying CII is the inter-dependencies. Therefore, using this matrix, NCIIPC settled on the Power Sector as the most critical followed by the Energy Sector. However, these inter-dependencies are likely to change and could evolve into a more complex model at a later stage to decide the criticality of systems.
- However, NCIIPC has also been mindful of the fact that even though some systems are isolated, the accelerated developments of the IT sector and the advent of Internet of Things (IOT) will increase the complexity of protecting CII.
NCIIPC and its control:
- Over time, NCIIPC has been able to sharpen its charter to ensure better “coherence”across the government to respond to cyber threats against CII. This also means that it will provide the strategic leadership to the government’s efforts to “reduce vulnerabilities…against cyber terrorism, cyber warfare and other threats”.
- This also includes identification of all CII systems for “approval by the appropriate government for notifying them” as “protected systems”. This is a critical element in NCIIPC’s charter and helps it embrace the private sector and work with them.
The benefits of identifying CII
- Under its charter, NCIIPC has been working towards recognizing many of the Government of India’s systems as ‘protected systems’, which has several positive consequences.
- Under the current laws, any IT (Information Technology) or Supervisory Control and Data Acquisition (SCADA) systems that lie at the heart of the CII can only seek three years imprisonment for any cyber attack.
- This increases the quantum of punishment from three years imprisonment to life imprisonment.
- The agency has also started approaching various sectors to create guidelines that can set standards for private and public sector entities across the board.
- NCIIPC has also been instrumental in declaring two major entities as protected – systems of the Aadhar unique identification project and the Long Range Identification and Tracking (LRIT) system of the Ministry of Shipping.
Addressing the trust deficit
- It has been frequently noticed that any possible interface between the private sector and the government is usually fraught with risk. The government is essentially a regulator while the private sector seeks freedom to conduct business.
- Its approach is based on the principle that cybersecurity is a shared responsibility. NCIIPC’s charter includes its role to “…coordinate, share, monitor, collect, analyse and forecast, national level threat to CII for policy guidance, expertise sharing and situational awareness for early warning or alerts”. However, it also maintains that “the basic responsibility for protecting CII system shall lie with the agency running that.
conclusion/suggestions:
- However, that ecosystem is incomplete unless there are adequate cybersecurity professionals available to partner with NCIIPC to cover the whole sector. This calls for forging partnerships between public and the private entities, leveraging each other’s strengths by avoiding the traditional regulatory approach.
- This has created a cooperative framework that has served the US well and continues to strengthen its CII’s cyber security. This ensures the merging of the strengths of the private and public to not only create standardised operating procedures, but also build an ecosystem that is sensitive to each other’s lacunae and strengths.
