Information Security Policy
As is clear from Snowden’s revelations, India’s cyber space is almost unprotected. Till now, we only have very basic security features. We have started considering advanced features only after the Snowden revelations. All our vital institutions, installations and critical infrastructure need to be protected from cyber-attacks.
The future war will target crucial areas like:
- Defence installations
- Sensitive documents related to both internal and external security
- Communication networks, including satellites
- ATC management
- Railway traffic control
- Financial, services
- Premier institutions of science, technology and research
Critical infrastructure (CI) and Critical Information Infrastructure (CII):
In general, critical infrastructure (CI) can be defined as:
‘Those facilities, systems, or functions, whose incapacity or destruction would cause a debilitating impact on national security, governance, economy and social well-being of a nation.’
It broadly includes the following sectors:
- Transportation (air, surface, rail and water)
- Banking and finance
- Law enforcement, security and intelligence
- Sensitive government organisations
- Public health
- Water supply
- Critical manufacturing
Across the world, critical information infrastructure (CII) is broadly defined as including ‘those networks which are interrelated, interconnected and interdependent’. In India, the guidelines would initially include information and communications, transportation, energy, finance, technology, law enforcement, security and law enforcement, government, space and sensitive organisations.
Critical Information Infrastructure (CII) are those ICT infrastructure upon which the core functionality of critical infrastructure is dependent.
India’s new guidelines are an extension of the legislative recognition under the IT Act 2000.
Section 70 of the Act defines critical information infrastructure (CII) as:
‘Those computer resource and incapacitation or description of which, shall have debilitating impact on national security, economy, public health or safety.’ CII is highly complex, distributed, interconnected and interdependent.
Threats to CII:
Threats to CII are classified as:
- Internal Threat:
It is defined as ‘one or more individuals with the access and/or inside knowledge of a company, organisation or enterprise that would allow them to exploit the vulnerabilities of that entity’s security, systems, services, products or facilities with the intent to cause harm’.
Insider betrayals cause losses due to IT sabotage, fraud and theft of confidential or proprietary information. This may be intentional or due to ignorance.
- External Threat:
This threat arises from outside of the organisation, by individuals, hackers, organisations, terrorists, foreign government agents, non-state actors, and pose risk, like crippling CII, espionage, cyber/electronic warfare, cyber terrorism, etc.
Threat may be caused by individuals, including disgruntled or former employees, rivals (industrial espionage), hackers, script kiddies, crackers, cyber criminals (organised as well as unorganised), cyber mercenaries, terrorist groups (cyber jehadis), non-state actors and hostile states.
Effects of Cyber-Attacks on CII:
- Damage or destruction of CII
- Disruption or degradation of services
- Loss of sensitive and strategic information
- Widespread damage in short time
- Cascading effects on several CII
Information Technology Act 2000 (Amended in 2008):
Information technology Act 2000 consists of 94 sections segregated into 13 chapters. The Act was amended in 2008 which has now 124 sections.
Salient features of the IT Act are as follows:
- The Act provides legal recognition to e-commerce, which facilitates commercial e-transactions.
- It recognises records kept in electronic form like any other documentary record. In this way, it brings electronic transactions at par with paper transactions in documentary form.
- The Act also provides legal recognition to digital signatures which need to be duly authenticated by the certifying authorities.
- Cyber Law Appellate Tribunal has been set up to hear appeal against adjudicating authorities.
- The provisions of the IT Act have no application to negotiable instruments, power of attorney, trust, will and any contract for sale or conveyance of immovable property.
- The Act applies to any cyber offence or contravention committed outside India by a person irrespective of his/her nationality.
- As provided under Section 90 of the Act, the State Government may, by notification in ‘Official Gazette’, make rules to carry out the provisions of the Act.
- Consequent to the passing of this Act, the SEBI had announced that trading of securities on the internet will be valid in India, but initially there was no specific provision for protection of confidentiality and net trading. This lacuna has been removed by the IT (Amendment) Act, 2008.
Offences under the IT Act:
Sec-65. Tampering with Computer Source Documents:
Whoever knowingly or intentionally conceals, destroys, or alters any computer source code used for a computer, computer program, computer system or computer network, when the source code is required to be kept or maintained by law, shall be punishable with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.
Sec 66. Hacking with Computer System:
- Whoever with the intent of cause or knowing that is likely to cause, wrongful loss or damage to the public or any person destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, commits hacking.
- Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.
Sec-66 A. Sending Offensive Messages through Communication Service, etc. (Introduced Vide Amendment in 2008):
Any person who sends, by means of a computer resource or a communication device:
(a) Any information that is grossly offensive or has menacing character; or
(b) Any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred, or ill will, persistently makes by making use of such computer resource or a communication device, or
(c) Any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages shall be punishable with imprisonment for a term which may extend to three years and with fine.