The IT resources of ICICI Bank, HDFC Bank and UPI management company National Payments Corporation of India (NPCI) have been declared “critical information infrastructure” by the Ministry of Electronics and Information Technology (MeitY).
“The central government hereby declares the computer resources related to the core banking solution, real-time gross settlement and NEFT (National Electronic Fund Transfer), which includes a structured financial news server, as critical information infrastructure of ICICI Bank,” MeitY said in a June 18 statement. According to MeitY, the computer resources of the associated units must also be “protected systems”.
In two similar reports, MeitY declared the IT resources of HDFC Bank and NPCI as critical infrastructure.
What is critical infrastructure?
The Information Technology Act, 2000, defines “critical information infrastructure” as “a computer resource whose failure or destruction will have a debilitating effect on national security, economy, public health or security”.
Under the law, the government has the power to declare any data, database, IT network or communication infrastructure as critical in order to protect that digital asset. Any unauthorized person accessing critical information infrastructure can be punished with up to 10 years in prison.
How is it different from a protected system?
A protected system is an entity's digital network or IT resources that the government has announced as having enhanced protected status, meaning that any harm to them is a matter of national security.
“In view of sophisticated cyber attacks, it is high time that all banks and financial institutions have themselves notified as a protected system. Likewise, the control systems of all power, oil, airport, railway, metro and transportation systems are critical infrastructure and must be declared as protected systems,” said Triveni Singh, SP, Cyber Crime, Uttar Pradesh Police.
Rakshit Tandon, cybersecurity expert and cybersecurity advisor to the Internet and Mobile Association of India (IAMAI), also said that every bank and financial institution should fall into the critical infrastructure space.
“With critical IT assets interconnected across a country, disruptions can have a cascading impact across sectors. However, the government has its own parameters for declaring an infrastructure critical. The NSE should also be declared a protected system. The country could face a financial crisis if an attack on NSE’s infrastructure were to take place,” Tandon said.
Who can access a protected system?
The IT law authorizes access to IT resources of these bodies:
According to cybercrime and privacy advocate Prashant Mali, this notification means that ethical hackers, bug bounty hunters and any other hackers must stay away from ICICI Bank, HDFC Bank and NPCI servers; otherwise they would be prosecuted on cyberterrorism charges, which is a non-bailable offence.
The need to secure critical infrastructure
Mali also said the requirement to designate critical infrastructure as a protected system has been in law since 2009. However, with the higher number of cyber attacks on this infrastructure, the government is now taking action to declare some of these as protected systems.
“I think a lot more systems should be declared protected and national law enforcement. If they take any action against hackers, they should host their names and case details on public authority websites for everyone to take note of. This is important to put an end to the jungle raj of these hackers in cyberspace,” Mali said.