The IT ministry designated ICICI Bank, HDFC Bank, and NPCI, which manages UPI, as “critical information infrastructure” and their IT resources as such. Any unauthorised user who accesses these materials is subject to a 10-year prison sentence under the CII banner. But who safeguards the “critical information infrastructure” and what exactly is it?
In a notice dated June 16, the Ministry of Electronics and IT (MeitY) called ICICI Bank, HDFC Bank, and NPCI IT resources were alleged to be “critical infrastructure” under Section 70 of the IT Act of 2000.
Section 70
- Any computer resource that directly or indirectly affects the operation of critical information infrastructure can be named a protected system by the right government. This is done by putting a notice in the Official Gazette.
For the purposes of this section, a “critical information infrastructure” is a computer resource whose loss or destruction would hurt national security, the economy, public health, or safety.
- The appropriate government can tell people who are allowed to access the protected systems listed in the subparagraph by giving them a written order.
- Anyone who gets access to a protected system or tries to get access to a protected system in a way that goes against the rules of this section will be fined and put in jail for up to ten years, depending on the type of offense.
- The Central Government will set the rules and practices for information security for these protected systems.
The notification said that the central government had “hereby declared the computer resources related to the Core Banking Solution, Real Time Gross Settlement, and National Electronic Fund Transfer, including Structured Financial Messaging Server, as critical information infrastructure of the ICICI Bank, and the computer resources of its associated dependencies to be protected systems for the purposes of the said Act.”
MeitY designated the IT resources of HDFC Bank HDFC Bank, and NPCI UPI-controlling organisation National Payments Corporation of India (NPCI) as critical infrastructure in two additional notifications with identical wording.
The notification lets designated employees, authorised team members of contractual managed service providers, third-party vendors with need-based access, and any consultant, regulator, government official, auditor, or stakeholder who has been given specific-case authorization by the notified entities access to the IT resources of the notified entities.
Because of the recent sophisticated cyberattacks, all banks and financial institutions must learn about them so they can protect their systems.
Triveni Singh, SP, Cyber Crime, Uttar Pradesh Police, and a certified cyber expert, said that the control systems for all power, oil, airports, trains, metros, and transportation networks are important infrastructure and should be marked as a protected system.
CII stands for Critical Information Infrastructure.
According to the Information Technology Act of 2000, a “critical information infrastructure” is a “computer resource that, if disabled or destroyed, would have a materially negative effect on national security, the economy, public health, or safety.”
According to the Information Technology Act of 2000, the Union Ministry of Electronics and IT (MeitY) has the power to designate any data, database, IT network, or communications infrastructure as CII to protect that digital asset.
Why is it important to protect critical information infrastructure (CII)?
Interconnections: IT resources are the backbone of many important parts of a country’s infrastructure. Because they are connected to each other, problems in one area can spread to other areas.
Governments all over the world are moving quickly to protect their critical information infrastructure.
Taking Care of Infrastructure: A problem with the IT of a power grid can cause long-lasting outages that hurt other areas like healthcare and banking.
To protect against threats from outside the country, the Critical Information Infrastructure (CII) needs to be protected. This is because hostile state and non-state actors could check out critical systems in other countries that use the internet, and because these assets need to be strengthened.
One example is that India was fighting the pandemic on October 12, 2020, when the electric grid in Mumbai suddenly broke. This affected hospitals, trains, and businesses in the huge city.
Later, a US company that studies how states use the internet said that this power outage could have been a cyberattack on critical infrastructure from a group with ties to China.
But the Indian government said that there was no attack.
Who in India is in charge of safeguarding India’s critical information infrastructure (CII)?
The National Critical Information Infrastructure Protection Centre (NCIIPC) is in charge of keeping the country’s critical information infrastructure safe.
The National Critical Information Infrastructure Protection Center (NCIIPC) is in charge of keeping CIIs safe from “unauthorized access, change, use, disclosure, interruption, incapacitation, or distraction.”
In order to provide policy direction, knowledge exchange, and situational awareness for early warning or alerts, NCIIPC will track and anticipate risks to CII at the national level. The organisation that manages the CII system has primary responsibility for keeping it secure.
If there is a threat to the critical information infrastructure, the NCIIPC could ask for information from the critical sectors or people who serve or have a big impact on it.