ICICI Bank, HDFC Bank Are Too Big To Fail, Declares Govt: Harm To IT Resources Can Impact National Security

The government has declared the IT resources of ICICI Bank, HDFC Bank and National Payments Corporation of India (NPCI)  as ‘critical information infrastructure’.

What is critical information infrastructure?

As per Section 70 of the IT Act, 2000 ‘critical information infrastructure’ refers to a computer resource which when incapacited or destroyed, will have a “debilitating impact on national security, economy, public health or safety.”

The government is empowered to declare any data, database, IT network or communications infrastructure as CII to protect that digital asset.

Anyone who gains or attempts to gain access to a protected system in contravention of the provisions will face imprisonment of a term which may extend to 10 years and shall also be liable for a fine.

What are the resources?

In particular, computer resources relating to the: Core Banking Solution, Real Time Gross Settlement and National Electronic Fund Transfer comprising Structured Financial Messaging Server have been declared critical information infrastructure of the ICICI Bank.

Who can access them?

The notification grants official access of IT resources of the notified entities by their designated employees, authorised team members of contractual managed service providers or third-party vendors who have been authorised by them for need-based access and any consultant, regulator, government official, auditor and stakeholder authorised by the entities on case-to-case basis.

Why is CII classification and protection necessary?

This is because IT resources form the backbone of numerous critical operations in a country’s infrastructure.

Given their interconnectedness, disruptions can have a cascading effect across sectors.

For example, an IT failure at a power grid can lead to prolonged outages crippling other sectors like healthcare, banking services.

Large-scale cyber attacks in the past

In 2007

Major Estonian banks, government bodies – ministries and parliament, and media outlets were hit by a wave of denial-of-service attacks, allegedly from Russian IP addresses.

It was an unprecedented cyber attack the likes of which the world had never seen before.

The attacks played havoc in one of the most networked countries in the world for almost three weeks.

On October 12, 2020

In the thick of the pandemic, the electric grid supply to Mumbai suddenly snapped, hitting the city’s hospitals, trains and businesses.

A study by a US firm that looks into the use of the internet by states claimed that this attack aimed at critical infrastructure could have come from a China-linked group.

These incidents highlighted the consequences that could happen in the wake of hostile state and non-state actors probing internet-dependent critical systems in other countries.

Protection against cyber attacks 

SP, Cyber Crime, Uttar Pradesh Police, and certified cyber expert Triveni Singh said keeping the recent sophisticated cyber attacks in mind,it is high time all the banks and financial institutions get themselves notified as a protected system.

The control system of all the electricity, oil, airports, railways, metros and transport systems are also critical infrastructure and must be declared as a protected system.