Science & Technology

According to Information Technology Act, 2000, Critical Information Infrastructures (CII) are vital computer resources that, if incapacitated or destroyed, will leave a debilitating impact on national security, economy, public health or safety across both public and private sectors. Their significance is well understood and hence they are also target of attacks by adversarial state and non-state actors. Broadly such attacks lead to information system compromise, control takeover, component destruction, and sensitive information extraction.

Reasons behind targeting of Critical Information Infrastructure (CII) by state and non-state actors

• Critical information: CII holds sensitive and confidential information about nuclear facilities, reactor designs etc, making it a potential target for state and non-state actors. For instance, the Stuxnet computer virus was unleashed against Iran’s enrichment program.
• New dimension to warfare: CII broadens the scope for combat, taking it a step ahead of conventional warfare. Additionally, disabling these systems takes a handful of skilled personnel compared to dedicated weapons systems or armies in conventional wars.
• National security: CII deals with physical and cyber systems that are essential to a nation in their capabilities to govern the broader security scenario and any damage to it has a devastating effect on national security, political, economic and social welfare domains of the nation.
• Sabotaging state apparatus: Critical infrastructure like power grid, reactors etc are far more interconnected today, both in terms of geography and across sectors. A small malfunction may spread across different segments, having a wide-ranging impact, which may or may not have been assessed.
• Create Mistrust: A cyber-attack on a specific component exposes vulnerabilities in the entire system, which negatively impact relations with allies and adversaries alike.

Challenges in protecting the CIIs

• Lack of Internal Resources: Many organizations including those that help to maintain Critical Infrastructure do not have enough trained security professionals to meet their security needs.
• Reluctance in Sharing Information: Fear of losing a competitive edge over rivals inhibits the private and public sector to share information about the vulnerability of their systems.
• Lack of coordination among agencies: Some of the agencies report to the Ministry of Home Affairs, while others report to the Prime Minister’s Office, Defence ministry, MeitY etc.
• Capability Asymmetry: India lacks indigenization in hardware as well as software cybersecurity tools. This makes India’s cyberspace vulnerable to cyberattacks motivated by state and non-state actors.

Steps taken by Govt to protect Critical information infrastructure

• National Critical Information Infrastructure Protection Centre (NCIIPC) to regulate and protect the nation’s CIIs.
• The Government has also notified Information Technology (National Critical Information Infrastructure Protection Centre and Manner of Performing Functions and Duties) Rules, 2013 (“NCIIPC Rules”)
• Indian Computer Emergency Response Team (CERT-In): For responding to computer security incidents.
• National Cyber Security Coordinator (NCSC) under National Security Council Secretariat coordinates with different agencies at the national level for cyber security matters.
• National Cyber Coordination Centre to generate necessary situational awareness of cyber security threats and enable timely information sharing for proactive, preventive and protective actions.

There is a requirement for better understanding of vulnerabilities, including interdependencies between infrastructures. Hence, we need to evolve a comprehensive security policy to address the physical, legal, cyber and human dimensions of security.