Follow real-time updates on Union Budget 2023Catch exclusive videos on Union Budget 2023 from CNBC-TV18
The IT ministry declared IT resources of ICICI Bank, HDFC Bank and UPI managing entity NPCI as ‘critical information infrastructure’. Under the CII banner, any unauthorised person accessing these resources may be jailed for up to 10 years. But what is ‘critical information infrastructure’, and who protects it?
The IT resources of ICICI Bank, HDFC Bank, and UPI managing entity National Payments Corporation of India (NPCI) have been declared as "critical information infrastructure" by the Ministry of Electronics and Information Technology (MeitY).
Recommended ArticlesView All
World Cancer Day 2023: Early detection is crucial for reducing the global burden
Feb 4, 2023 IST5 Min(s) Read
World Cancer Day 2023: A way forward to better management of cancer this year!
Feb 4, 2023 IST6 Min(s) Read
Pakistan economy at alarming level as foreign reserves drop to $3.1 billion from $16.6 billion in a year
Feb 3, 2023 IST3 Min(s) Read
FM Nirmala Sitharaman speaks on inflation, taxes, GDP and more. Read the full interview here
Feb 3, 2023 IST37 Min(s) Read
"The central government, hereby, declares the computer resources relating to the core banking solution, real-time gross settlement, and NEFT (national electronic fund transfer), comprising structured financial messaging server, being critical information infrastructure of the ICICI Bank," MeitY said in a notification dated June 18. The computer resources of its associated units were also declared "protected systems" by MeitY.
In two similarly-worded notifications, MeitY declared the IT resources of HDFC Bank and NPCI as critical infrastructure.
What is critical infrastructure?
The Information Technology Act, 2000, defines “critical information infrastructure” as a “computer resource, the incapacitation or destruction of which shall have a debilitating impact on national security, economy, public health or safety”.
Also Read: Beware! That unpaid power, telecom bill payment message on your phone may be a scamster’s trick
The government, under the Act, has the power to declare any data, database, IT network or communications infrastructure as critical to protecting that digital asset. Any unauthorised person accessing critical information infrastructure may be jailed for up to 10 years.
How is it different from a protected system?
A protected system is when the government notifies that the digital network/IT resources of an entity is extended protected status, implying that any harm to them will be a matter of national security.
"Looking at sophisticated cyber attacks, it is high time all banks and financial institutions get themselves notified as a protected system. Similarly, the control system of all the electricity, oil, airports, railways, metros, and transport systems are critical infrastructure and must be declared as protected systems," said Triveni Singh, SP, Cyber Crime, Uttar Pradesh Police.
Rakshit Tandon, a cyber security expert and cyber security consultant to the Internet and Mobile Association of India (IAMAI), also said every bank and financial institution should come under the ambit of critical infrastructure.
"Given the interconnectedness of critical IT resources in a country, disruptions can have a cascading effect across sectors. However, the government has its own parameters to declare an infrastructure critical. The NSE, too, should be declared a protected system. The country could go into a financial crisis if an attack were to take place on NSE's infra," Tandon said.
Who can access a protected system?
The IT Act authorises access to IT resources of these entities:
According to cybercrime and privacy lawyer Prashant Mali, this notification means all ethical hackers, bug bounty hunters, or other hackers need to stay away from ICICI Bank, HDFC Bank, and NPCI servers or they would be prosecuted for cyber terrorism, which is a non-bailable offence.
The need for securing critical infrastructure
Mali also said that the provision of declaring critical infrastructure a protected system existed in law since 2009. However, given the higher number of cyber attacks on these infrastructures, the government is now getting into action to declare some of these protected systems.
"I feel many more systems should be declared protected and national law enforcement agencies. When they initiate any kind of action against hackers, they should host their names and case details on public government websites for everyone to take note of. This is important to end the jungle-raj of these hackers in cyberspace," said Mali.
First Published: Jun 22, 2022 10:06 AM IST