Why in the news? 

Recently, the Union Ministry of Electronics and Information Technology (MeitY) has declared the IT (Information Technology) assets of ICICI Bank, HDFC Bank, and NPCI (National Payments Corporation of India) as "critical information infrastructure". 

What is a critical information infrastructure? 

  • The Information Technology Act of 2000 defines a critical information infrastructure as a computer resource whose deactivation or destruction has a debilitating impact on national security, economy, public health or security. 
  • Under the IT Act  2000, the government has the authority to declare  data, databases, IT networks, or communications infrastructure as CII and protect these digital assets. 
  • Anyone who illegally accesses or attempts to  access  a protected system  can be sentenced to up to 10 years in prison. 

Why do you need CII classification and protection? 

  • Global Practices: Governments around the world have endeavored to protect  critical information infrastructure.  
  • Backbone of Countless Important Operations: IT resources form the backbone of countless important operations in a country's infrastructure. Due to its interconnected nature, disruption can have a chain effect on the sector. IT failures lead to paralysis in other sectors: Power grid information technology failures can lead to long-term outages that cripple other sectors such as healthcare and banking services. 

Example: Wave of denial of service attacks in Estonia: In 2007, a wave of denial of service attacks allegedly from Russian IP addresses attacked major Estonian banks, government agencies (ministries, parliaments), and the media. This was a cyberattack like never before in the world. For almost three weeks, the attack caused havoc in one of the most connected countries in the world. A denial of service (DoS) attack is an attack that aims to shut down a computer or network so that it cannot be accessed by the intended user. DoS attacks do this by flooding the target with traffic or sending  information that triggers a crash to the target. 

Indian Example: 

In October 2020, when India was fighting a pandemic, power to Mumbai suddenly collapsed, damaging hospitals, trains and businesses. Later, according to a study by a US company, it was revealed that the power outage could be a cyberattack by a related group in China targeting critical infrastructure. Though the government rejected any such theory, the incident emphasised the possibility that hostile states and non-state actors would breach important systems in other countries, so there is a need to strengthen such assets.  

How is CII protected in India?  

  • NCIIPC is the nodal agency established in January 2014, the National Center for Important Information Infrastructure Conservation (NCIIPC) is a central agency that takes all steps to protect the national critical information infrastructure. 
  •  It is intended to protect CII from unauthorized access, modification, use, disclosure, interference, incapacity, or distraction. Monitor and anticipate threats to CII at the national level, provide policy guidance, share expertise, and provide early warning or alert situational awareness.
  • In the event of a threat to a critical information infrastructure, NCIIPC requests information and directs key sectors or individuals serving a critical impact on Critical Information Infrastructure.. 

Basic responsibility: 

  •  The basic responsibility for protecting the CII system lies with the entity that operates this CII.