Experts say mere compliance with an international cyber security standard does not ensure that a product being used in a CII is protected from invasion. Threat analysis, mitigation systems and assessment practices need to be adopted to attain total protection of CII.
According to Section 70 of the Information Technology Act, 2000 (IT Act), Critical Information Infrastructure (CII) means a "computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety." The Indian government has already identified many sectors including energy, finance, defence and public health as critical. The National Technical Research Organisation (NTRO) has also released guidelines for the protection of CII. Many questions, however, still remain about how these aims are to be realised.
Critical Information Infrastructure Protection
On June 17, 2015, Observer Research Foundation organised a panel discussion on Critical Information Infrastructure Protection. The discussion, which followed the Chatham House Rule, focused on systems, technologies and practices around the protection of CII. It comprised a number of experts from industry, government and intelligence. The panel deliberated upon the adequacy of existing cyber security protection in the country, the nature of private sector involvement and lessons to be learnt from international experiences.
The opening address of the panel focused on the importance of infrastructure and the need for clear delineation of CII. It also highlighted the importance of private sector involvement in the process. The nature of the partnership between the government and the private sector is decisive in ensuring that research and development in cyber security keeps up with evolving technology. The panel began with the acknowledgement that cyber security is not just an Indian concern but a global one. Businesses in the transportation, communication, gas and electricity sectors have seen increased phishing and malware attacks in the last few years. In Germany, last year, a steel manufacturing plant suffered debilitating damage from a spear-phishing cyber-attack. In the same year India also moved up five places to become the 16th most affected country by botnet attacks. At this juncture it is essential for countries to cooperate with each other to develop the most efficient regulatory structures. Another essential aspect is increased cooperation between governments and the private sector. Both the government and private players have their own particular expertise to help create a secure environment for CII protection. Their relationship should transcend that of the regulator and the regulated and become that of partners. In this respect, the panel emphasised that the key element for successful cooperation is trust. One of the panellists recalled that in the US, one of the ways in which this had been achieved was through regular cyber security exercises involving all stakeholders. The government also needs to conduct extensive education and awareness programmes, both for the industry and for the public.
The panel believed that a proper structure of public private partnerships (PPPs) would help address the sector-specific risks attached to cyberspace. One panellist pointed out that the National Institute of Standards and Technology (NIST) in the US had developed a unified cyber security framework. While this was a good starting point, particular sector-specific expertise from the industry was also essential. For these PPPs to be successful they would need to be flexible, constantly evolving and subject to periodic assessment. Industries would have to ensure compliance with security standards by themselves. However, some degree of oversight from the government was also desirable. The panel, citing the example of the telecommunications sector in India that had developed with little interference from the government, believed that that case was unique and would not apply to other industries. Instead the panel proposed that mandating compliance with established standards (like NIST's) would perhaps be more effective than PPPs. Other panellists, however, pointed out that the current set-up suffers from a lack of coordination between the government and the private sector. Private entities often remain unclear about which government agency to turn to for assistance when a threat is detected. Another prevalent problem is the lack of clarity on where the financial resources for compliance will come from. It was claimed that the government often does not involve the private sector in the planning process; instead it only notifies them of the costs to be borne. This creates a lack of trust and a loss of agency, and dissuades the private sector from taking proactive steps to protect CII.
The panel then turned its attention to the severe lack of skilled personnel to mitigate cyber security threats. The panel agreed that expertise in the information technology industry should not be conflated with expertise in cyber security. The current capacity building and skill development centres are run on traditional structures. These are archaic and unhelpful when it comes to CII protection. The new millennium has witnessed many countries scrambling to develop human resources for cyber security. The United States' National Security Agency has even recruited experts from DefCon, an annual convention that attracts hackers from around the globe. The panel believed that India has a vast amount of human capital that, with proper training, could be used to counteract cyber security threats. The panel also optimistically noted that in India CII protection is slowly but surely turning into a priority for the government. Under Section 70A of the IT Act, a National Critical Information Infrastructure Protection Centre has been set up under the aegis of the NTRO. In 2015, the government also appointed a National Cybersecurity Coordinator. It is also expected that the government will set up indigenous cyber security certifying labs to decrease dependency on international standards and harmonise the process of compliance. The government has also been proactive in setting up a Joint Working Group at the national level to address issues of cyber security.
The panel, however, also cautioned that all the measures taken so far represent only a first step towards securing cyberspace. One panellist noted that nearly all IT systems have either been breached or have been proven to be vulnerable. At this stage it is not enough to look only at prevention and protection. Instead the government and industry must also explore options for recovering data, because these systems could be destabilised at any time. It was also cautioned that supply chain management needs to be more carefully examined. Mere compliance with an international cyber security standard does not ensure that a product being used in a CII is protected from invasion. In this regard the NTRO guidelines have proven useful as an indicator of which issues industries in the CII sector need to address. But it is not enough. More thorough threat analysis, mitigation systems and assessment practices need to be adopted to attain total protection of CII.
(This report is prepared by Bedavyasa Mohanty, Junior Fellow, Observer Research Foundation, Delhi)
The views expressed above belong to the author(s).