The cyber security threat to national security has set the government in action mode. The government has formulated a five year plan for mapping and covering every single critical information infrastructure (CII) across the country. To start with, it has CII under 17 sub sectors- including nuclear power plants, security organisations and space.

National critical information infrastructure protection centre (NCIIPC), the agency which has formulated the five year plan, will soon set up a cyber security operation centre with a control room functional 24x7. The centre will have a web portal and a help desk for offering round the clock assistance to the critical assets. NCIIPC is body under national technical research organisation, NTRO- the technical intelligence arm of the government.  

The government also plans to open a training centre - national institute for critical information infrastructure protection - which would help in regular capacity building of government personnel in cyber security.

The announcement comes from Muktesh Chander, head of cyber centre at NTRO at a conference of chief information security officers (CISO) organised by NCIIPC on Monday in the national capital.

Under the section 70A of Information Technology (Amendment) Act, 2008, CII has been defined as those sectors whose incapacitation or destruction would have a “debilitating effect” on national security, economy, public health or safety.

Addressing the gathering of CISOs, national security advisor Shivshankar Menon said, “We have so far been fortunate in cyber security despite our low levels of network connectivity. Since networks were physically and logically separated, interdependence was limited. That situation is changing fast and our vulnerability is growing rapidly.”

“Since your network is as secure as all other networks that you are linked to, it is for this reason that the (role of) NCIIPC is essential,” he added.

He informed the gathering that NCIIPC is setting up a joint working group under professor N Balakrishnana, associate director, Indian institute of science (IISc), with representatives of industry associations to bring out guidelines for the protection of CII in the country. These guidelines will be aligned with international best practices.

Speaking about the threat assessment on critical and non critical sectors, Ajit Seth, cabinet secretary, said, “In the dynamically evolving cyber environment, the boundaries between critical and non critical sectors can change very fast. It will, therefore, be absolutely essential to have an interface between the framework and structures of the two sectors. It will help in comprehensive and persistent threat assessment and also provide cues and triggers to each other.”

“NCIIPC must leverage inputs from Indian computer emergency response team (CERT-IN) and sectoral CERTs for this purpose,” he noted. 

Principal scientific advisor to prime minister R Chidambaram emphasised on the need for indigenous manufacturing of hardware, including electronic and telecom equipments, harnessing “gifted” youngsters in ethical hacking and increasing research and development in advanced technologies to ensure cyber security. He asked NTRO to work in close coordination with other sectors in these areas.

He lauded the smart and secure environment project carried out by NTRO with the help of eight national academic institutions. The project provided insights on strengthening cyber security. He said such R&D projects must be substantially expanded.

Chidambaram suggested that the collaboration can be done with the help of national knowledge network (NKN), a $ 1.2 billion project being implemented by national informatics centre (NIC), connecting universities and other academic institutions across the country.

Speaking on challenges in cyber security, chief executive officer of data security council of India (DSCI) K Bajaj said, “Security is seen as cost intensive in most organisations. They need to adopt multi-departmental approach towards security.” 

He said of all cyber security factors, including technology and process, human element is the most important factor. However, according to a DSCI research, almost 68 percent of employees are not aware about cyber security measures. He said that a lot of IT companies have been doing fairly well in cyber security. Owing to the pressure from clients’ side, IT companies ensure cyber and information security in their operations. “Can we do the same when it comes to security of critical information infrastructure?” he asked. 

Laying emphasis on working together with the private sector, Bajaj said, “The critical infrastructure is increasingly getting into private sector.  In telecom sector, for example, 90 percent of infrastructure is with private sector.”  He said absence of intelligence and information sharing mechanism between and within sectors and lack of capability in law enforcement agency and judiciary acts as challenges too.

Talking about DSCI’s recommendations, Bajaj said, “To start with, government must have an inventory of critical information infrastructures across sectors. Americans have taken 12 years to do that.”

He advocated that the government should develop lawful interception capabilities, implement best practices and audit. He said the country should have the ability to identify and find Trojans or malware embedded in the equipment. He feared that cases like leaks of classified document of Indian navy to China might happen again. 

Alok Vijayant, director, NTRO made an elaborate presentation on national security database (NSD) - a database of certified ethical hackers who will come to government’s rescue in times of crisis. “The idea of NSD came after 26/11. Resources (cyber security professionals) exist but how do we tap it. Terrorists are using all kind of advanced communication and cyber technologies and devices. So here is a readymade database of professionals who can handle such situation,” he said. 

He said that NSD is a prestigious impalement program wherein credible and trustworthy information security experts will come together to protect CII.