The NCIIPC & Its Evolving Framework

Only eight years after India passed the Information Technology Act, did the term cybersecurity appear in a statute through a series of amendments to the Act approved by the Indian Parliament. In 2008, the amendments recognised the need for a focussed approach to cybersecurity and divided it into two segments: Critical and Non Critical.

The amendment defined ‘Critical Information Infrastructure’ (CII) as “those facilities, systems or functions whose incapacity or destruction would cause a debilitating impact on national security, governance, economy and social well-being of a nation.”[1] The law also added two sections – 70 (A) for all  ‘Critical’ systems and section 70 (B) for all non-critical sections and assigning the responsibility to two separate agencies – one new and one old.

The National Critical Information Infrastructure Protection Centre (NCIIPC) was deemed to be created by a gazette notification with specific responsibilities for protecting all CII. The Computer Emergency Response Team – India (CERT-IN) would be responsible for all non-critical systems, but would continue to be responsible for collecting reports on all cyber attacks / incidents. While the law was amended in 2008, it would take six years before NCIIPC was formally created through a Government of India gazette notification in January 2014.[2]

The NCIIPC started off with several sectors, but has now truncated them into five broad areas[3] that cover the ‘critical sectors’. These are:

  • Power & Energy
  • Banking, Financial Institutions & Insurance
  • Information and Communication Technology
  • Transportation
  • E-governance and Strategic Public Enterprises

While defence and intelligence agencies have also been included under the CII framework, these have been kept out of the purview of the NCIIPC’s charter. Instead, the Defence Research and Development Organisation (DRDO) has been tasked with protecting these bodies.

A key point that has been factored in while identifying CII is the inter-dependencies that they have, to determine which are the ‘most critical’. Therefore, using this matrix, NCIIPC settled on the Power Sector as the most critical followed by the Energy Sector. However, these inter-dependencies are likely to change and could evolve into a more complex model at a later stage to decide the criticality of systems.

However, NCIIPC has also been mindful of the fact that even though some systems are isolated, the accelerated developments of the IT sector and the advent of Internet of Things (IOT) will increase the complexity of protecting CII. NCIIPC’s guidelines states “Presently many of these critical systems may relatively be isolated or the complementarities may be progressing at a snail’s pace and thus considered relatively secure from intrusion. However, with the accelerated pace of development within the IT sector it will be difficult for these critical systems to isolate themselves from the outside world, and to maintain the boundaries between “inside” and “outside”.[4]

Over time, NCIIPC has been able to sharpen its charter to ensure better “coherence”[5] across the government to respond to cyber threats against CII. This also means that it will provide the strategic leadership to the government’s efforts to “reduce vulnerabilities…against cyber terrorism, cyber warfare and other threats[6]”. This also includes identification of all CII systems for “approval by the appropriate government for notifying them” as “protected systems”. This is a critical element in NCIIPC’s charter and helps it embrace the private sector and work with them.

The Benefits of Identifying CII

Under its charter, NCIIPC has been working towards recognizing many of the Government of India’s systems as ‘protected systems’, which has several positive consequences. Under the current laws, any IT (Information Technology) or Supervisory Control and Data Acquisition (SCADA) systems that lie at the heart of the CII can only seek three years imprisonment for any cyber attack. However, after the NCIIPC has undertaken an elaborate Vulnerability, Threat and Risk (VTR) assessment, the system is forwarded for notification by the “appropriate government authority.”[7]

Once notified as a “protected system” the CII is immediately placed under the ambit of section 66 (F) of the IT Act (Amended) 2008, which defines any cyber attack as an act of Cyber terrorism. This increases the quantum of punishment from three years imprisonment to life imprisonment, increasing the deterrence levels of attacking CII. Furthermore, it also ensures that NCIIPC is able to offer its services to a post-incident risk mitigation as well as investigation process. As per the existing protocol, the Chief Information Security Officer (CISO) of the designated CII entity is also given access to the intelligence on cyber threats and vulnerabilities gathered by NCIIPC.

The agency has also started approaching various sectors to create guidelines that can set standards for private and public sector entities across the board. To achieve this, NCIIIPC began a process of interfacing with various stakeholders in several sectors to understand their IT and SCADA systems, along with normative practices such as vendor selection, patch management, legal contracts, etc that are particular to a given sector. Working with these stakeholders, NCIIPC managed to create the first sector-specific draft guidelines of the Power sector, which was submitted to the Ministry of Power in May 2016. If accepted, this will be the first set of national sector-specific guidelines to be promulgated by the Government of India.

NCIIPC has also been instrumental in declaring two major entities as protected – systems of the Aadhar unique identification project and the Long Range Identification and Tracking (LRIT) system of the Ministry of Shipping[8].

Addressing The Trust Deficit

It has been frequently noticed that any possible interface between the private sector and the government is usually fraught with risk. The government is essentially a regulator while the private sector seeks freedom to conduct business. Any interference by the government not only threatens its profitability, but can also prove to be an existential threat. This is a framework that NCIIPC has consciously chosen to not follow.

Its approach is based on the principle that cyber security is a shared responsibility. NCIIPC’s charter includes its role to “…coordinate, share, monitor, collect, analyse and forecast, national level threat to CII for policy guidance, expertise sharing and situational awareness for early warning or alerts”. However, it also maintains that “the basic responsibility for protecting CII system shall lie with the agency running that CII”[9].

The role of the entity holding the CII is clear and NCIIPC aims to strengthen the agency that runs the CII systems. To achieve this, it has embarked on a formal private sector interface that will establish joint partnerships to increase awareness on the kinds of threats that the CII owners are likely to face in the coming years. As a case in point, its close cooperation with a private power sector company was used as a base for drafting the national guidelines for the sector. This has also sensitised NCIIPC to the challenges that the private sector  faces, in terms of alignment with the management as well as budgetary support for acquiring the latest counter-measures against future cyber threats / attacks.

The Road Ahead

The Snowden revelations has revealed that as long as propriety software created by developed economies dominate the cyber landscape, systems will remain extremely vulnerable. This has prompted an initiative to ensure that India develops an eco-system that can support the development of indigenous software and hardware.

However, that eco-system is incomplete unless there are adequate cybersecurity professionals available to partner with NCIIPC to cover the whole sector. This calls for forging partnerships between public and the private entities, leveraging each other’s strengths by avoiding the traditional regulatory approach. While section 70 (A) and its sub clauses empower NCIIPC to take the regulatory route, it has drawn more on the US Critical Infrastructure Information Act 2002,[10] that emphasises ‘voluntary’ cooperation rather than enforcement and compliance-driven. This has created a cooperative framework that has served the US well and continues to strengthen its CII’s cyber security. This ensures the merging of the strengths of the private and public to not only create standardised operating procedures, but also build a eco-system that is sensitive to each other’s lacunae and strengths.

 

 

(This essay originally appeared in the third volume of Digital Debates: The CyFy Journal)



Endnotes
[1] Section 70, information technology Act, 2000

[2] Department of Electronics and Information Technology, Notification No. 9(16)/2004-EC http://meity.gov.in/sites/upload_files/dit/files/S_O_18(E).pdf

[3] National Critical Information Infrastructure Protection Centre, Sectors in NCIIPC, https://nciipc.gov.in/?p=sector (Accessed September 1, 2016)

[4] Guidelines for protection of CII Version 1.0, June 2013

[5] National Critical Information Infrastructure Protection Centre, Functions and Duties, https://nciipc.gov.in/?p=function (Accessed September 1, 2016)

[6] Ibid

[7] The appropriate government authority can be the federal or the state government, depending on the location of the CII. So far the only two systems identified by NCIIPC as CII has been notified by the federal government. NCIIPC is examining the efficacy of notifying CII through state governments, where appropriate.

[8] The notification for both these systems were notified by the Government of India earlier this year

[9] As articulated in the Functions and Duties of NCIIPC, Supra Note 5

[10] Title II—Information Analysis And Infrastructure Protection https://www.dhs.gov/sites/default/files/publications/CII-Act_508.pdf (Accessed September 1, 2016)

Comments

Leave a Reply

Be the First to Comment!

avatar
wpDiscuz
Author

Saikat Datta

Saikat Datta is a Visiting Fellow with ORF's National Security Programme. He has been a journalist... Read More

Most Viewed

The Changing Face of Internet Addresses and Online Identity

PRIVACY & DATA PROTECTION

Gajendra Upadhyay
12 September, 2016

A specialist neurology clinic in Japan has this revealing signage with its website  address prominently proclaiming its function (photo courtesy:... 

Protection of Critical Information Infrastructure: An Indian Perspective

CYBER SECURITY

R K Sharma
1 August, 2016

Abstract Critical information infrastructure (CII) is a pillar on which modern nations function. The revolution in information and communication technologies... 

What we need to talk about when we talk about Artificial Intelligence

FUTURE TECHNOLOGIES

Urvashi Aneja
7 March, 2017

No longer the subject of science fiction, Artificial Intelligence (AI) is profoundly transforming our daily lives. While computers have been... 

The NCIIPC & Its Evolving Framework

CYBER SECURITY

Saikat Datta
27 October, 2016

Only eight years after India passed the Information Technology Act, did the term cybersecurity appear in a statute through a... 

Under the UN’s Shadow: Internet Governance Forum & the Urgent Need for Reforms

INTERNET GOVERNANCE

Jyoti Panday
8 July, 2016

The creation of the Internet Governance Forum (IGF) was a watershed moment in the history of the Internet. This article...