In today’s digital era, safeguarding Critical Information Infrastructure (CII) is a top priority for governments globally. Sections 70, 70A, and 70B of the legislation outline measures to protect CII in India.
SECTION 70: DECLARATION OF PROTECTED SYSTEMS
The foundation of CII protection is laid in Section 70 of Information Technology(IT) Act,2000 which vests the appropriate Government with the authority to designate certain computer resources as protected systems. This designation is conferred through an official notification published in the Official Gazette. Central to this provision is the definition of Critical Information Infrastructure, which encompasses computer resources whose compromise, incapacitation, or destruction would inflict severe repercussions on national security, economy, public health, or safety.
Under subsection (2) of Section 70 of Information Technology (IT) Act,2000, the appropriate Government is empowered to authorize individuals for accessing protected systems through written orders. However, any unauthorized access or attempted access to such systems contravenes the provisions of this section and attracts severe penalties, including imprisonment for up to ten years and fines.
Moreover, subsection (4) mandates the Central Government to prescribe information security practices and procedures tailored to the protection of these designated systems. This proactive approach aims to enhance the resilience of CII against evolving cyber threats and vulnerabilities.
SECTION 70A: ESTABLISHMENT OF NATIONAL NODAL AGENCY
Section 70A of Information Technology (IT) Act,2000 addresses the imperative of institutionalizing a dedicated entity tasked with overseeing CII protection. The Central Government is vested with the authority to designate any governmental organization as the national nodal agency responsible for this crucial mandate. Once designated, the national nodal agency assumes responsibility for formulating and implementing a comprehensive framework encompassing various measures, including Research and Development initiatives aimed at bolstering the resilience of CII.
Additionally, the manner of performing the agency’s functions and duties is subject to prescription by relevant authorities. This ensures a standardized approach to CII protection across different sectors and entities.
SECTION 70B: ROLE OF INDIAN COMPUTER EMERGENCY RESPONSE TEAM (CERT-IN)
Section 70B of Information Technology (IT) Act,2000 underscores the pivotal role played by the Indian Computer Emergency Response Team (CERT-IN) in serving as the national agency for incident response in the realm of cybersecurity. The Central Government is mandated to appoint CERT-IN through an official notification, thereby entrusting it with a spectrum of functions aimed at mitigating cyber threats and vulnerabilities.
CERT-IN’s mandate encompasses crucial tasks such as the collection, analysis, and dissemination of information on cyber incidents, issuance of forecasts and alerts pertaining to cybersecurity threats, and coordination of emergency measures in response to such incidents. Furthermore, CERT-IN is empowered to issue guidelines, advisories, and vulnerability notes aimed at fostering robust information security practices and procedures.
Importantly, CERT-IN possesses the authority to call for information and issue directives to various entities, including service providers, intermediaries, and data centers, to ensure compliance with cybersecurity protocols. Non-compliance with these directives may result in penalties, including imprisonment and fines which may extend to one year or with fine which may extend to one crore rupees or with both as stipulated under subsection (7) of Section 70B.
Moreover, the legislation accords CERT-IN the exclusive authority to initiate legal proceedings against offenders under this section, thereby streamlining the enforcement mechanism and ensuring accountability in matters pertaining to CII protection.
EXAMPLE AND ANALYSIS
Example: Securing critical information infrastructure involves protecting vital systems, like government databases, from cyber threats to ensure national security.
Analysis: Sections 70, 70A, and 70B of the Information Technology (IT) Act,2000 exemplify India’s commitment to protecting Critical Information Infrastructure from cyber threats. Through these provisions and the establishment of a national nodal agency and CERT-IN, India aims to safeguard its vital computer resources, ensuring national security and economic stability in a digital era.
In conclusion,India’s Information Technology Act Sections 70, 70A, and 70B establish measures to protect Critical Information Infrastructure (CII), emphasizing national security. These provisions designate protected systems, establish a national nodal agency, and empower CERT-IN to mitigate cyber threats, reflecting India’s commitment to safeguarding vital computer resources in the digital age.
RECENT UPDATE
In August 2022, CERT-In, as per section 70B(6) of the Information Technology Act, 2000, introduced updated guidelines which stipulate:
- Prompt reporting of any cyber security incident to CERT-In within a 6-hour window of detection.
- Implementation of targeted scanning protocols for systems.
- Distribution of advisories to Critical Information Infrastructure (CII) and Protected System (PS) entities.
Reference
- Protected systems and networks-THE ECONOMIC TIMES
- Census, NPR databases and websites declared ‘protected system’ under IT Act-THE HINDU
- LEGAL GLOSSARY-Unauthorized access
- LEGAL GLOSSARY-cybersecurity