Policy recommendations to strengthen critical information infrastructure (CII) security in India

Abstract

Introduction: - Information and Communication Technology (ICT) has brought about a revolution across the globe as it has reduced the intermediation in business and society, provided solution across sectors. ICT spreads across all sectors like banking, telecom, healthcare, power and energy and manufacturing to name important few. Thus it has increasingly become very crucial for national development. Critical Information Infrastructure under threat :-Estimates from the International Data Corporation suggest that there is around 1.3trillion gigabytes of information stored in the cyber space and that by 2020business transactions on the internet will reach 450 billion per day. Given the magnitude of importance it has attained, cyberspace has been a target to cyber attacks, cybercrime, cyber-theft, hacking, Trojans, computer viruses, computer worms, e-mail related crime etc. The discovery of the Stuxnet virus in 2010provided evidence of the growing sophistication of cyber threats and the potential damage they could cause to governments, organizations and critical infrastructure around the world. Thus, Government across the globe are rushing to protect their critical infrastructure including the provision of essential services such as water, gas, electricity, communications and banking etc. Cyber-attacks in India :- The 26/11 Mumbai attacks made the Indian Government to realize that the technology can be misused and could prejudicially impact the sovereignty, integrity and security of India. As reported by Indian Computer Emergency Response Team (CERT-In) a total number of 90, 119, 252 and 219 Government websites were defaced by various hacker groups in the year 2008, 2009, 2010 and January October 2011 respectively. India s CIIs include defence, finance, power, transport, communications, water supply which are intricately interrelated and interdependent. Any delay, distortion or disruption in the functioning of these CIIs can easily lead to political, economic, social or national instability. Existing policy paradigm :-The National Cyber Security Policy 2013 (NCSP-2013) released on 2nd July,2013 seeks to build a secure and resilient cyberspace for citizens, businesses and Government besides seeking to protect information and information infrastructure in cyberspace through a combination of institutional structures, people, process, technology and cooperation. The policy offers a starting point as it conceives of securing cyberspace as a more broad-based task and calls for the creation of several agencies, including a 24×7 National Critical Information Infrastructure Protection Centre (NCIIPC) along with CERT-In. The Guidelines for Protection of National Critical Information Infrastructure released by NCIIPC in June 2013 are the minimum number of controls recommended to be followed in each and every CII. NCIIPC and NTRO are working to get a policy which would give a mandate to protect the CII in the country. Dissertation approach:- This paper would have a two-pronged approach to arrive at policy recommendations for strengthening the CII security in India.1. Analyse the existing policies and guidelines on the basis of available documentation. An indicative list including but not limited to NCSP 2013, Guidelines for Protection of National Critical Information Infrastructure, Information Technology Act 2008 etc.2. Cyber world is highly inter-connected. Thus, it would benefit the policy if we are able to draw inferences and adapt policies from other countries like the framework of National Institute of Standards and Technology (NIST) United States of America and Centre for the Protection of Critical National Infrastructure (CPNI) United Kingdom Conclusion :- The dissertation aims to produce a final policy document which would be a set of recommended policies for protection of CII based on three approaches mentioned above. The author of the paper would be submitting these recommendations through various committees to concerned authorities in NTRO, NCIIPC, Joint Working Group on Cyber Security etc.