Why in news?
- As per the media reports, the government has drawn up a guiding policy called the National Cybersecurity Reference Framework (NCRF) to help manage cybersecurity better.
- The framework is based on existing legislation, policies and guidelines. It outlines implementable measures with clear articulation of roles and responsibilities for cybersecurity.
What’s in today’s article?
- National Critical Information Infrastructure Protection Centre (NCIIPC)
- National Cybersecurity Coordinator (NCSC)
- News Summary
National Critical Information Infrastructure Protection Centre (NCIIPC)
- NCIIPC is a government organization that protects critical information infrastructure (CII) for the public. It was established in 2014 and is based in New Delhi.
- The NCIIPC's mission is to protect critical information infrastructure from unauthorized access, modification, use, disclosure, disruption, incapacitation, or destruction.
- It also provides advice to reduce the vulnerabilities of critical information infrastructure from cyber terrorism, cyber warfare, and other threats.
- The NCIIPC defines CII as computer resources whose incapacitation or destruction would have a debilitating impact on national security, economy, public health, or safety.
National Cybersecurity Coordinator (NCSC)
- The NCSC provides guidance and support to state governments and private industry to help formulate policies.
- It also provides guidance on internet governance, network management, and response strategies for cyberattacks.
- It works under the National Security Council Secretariat (NSCS) and coordinates with different agencies at the national level on cybersecurity matters.
News Summary: Overhaul of cybersecurity framework
- The government has drawn up the National Cybersecurity Reference Framework (NCRF), with clear articulation of roles and responsibilities for cybersecurity.
National Cybersecurity Reference Framework (NCRF)
- Background
  - The NCRF was shared privately with companies and other government departments for consultation in May 2023, but is yet to be made public.
  - Apart from the main policy document, at least three supporting compendiums detailing global cybersecurity standards, products and solutions have also been formulated.
  - In June 2023, former National Cyber-Security Coordinator Lt. General Rajesh Pant said that the NCRF would be released to the public soon.
- About
  - NCRF is a framework that sets the standard for cybersecurity in India.
  - The NCRF can serve as a template for critical sector entities to develop their own governance and management systems for strong cyber-security systems.
  - The government has identified telecom, power, transportation, finance, strategic entities, government entities and health as critical sectors.
- Institutions involved in framing the framework
  - The framework has been drawn up by the National Critical Information Infrastructure Protection Centre (NCIIPC) with support from the National Cybersecurity Coordinator (NCSC).
- Key highlights
  - Non-binding in nature
    - The NCRF is a guideline, meaning that its recommendations will not be binding.
  - Separate budget allocation
    - It recommends that enterprises allocate at least 10 per cent of their total IT budget towards cybersecurity.
    - Such allocation is to be mentioned under a separate budget head for monitoring by the top-level management / board of directors.
  - Evolution of ways to use machines to analyse data from different sources
    - The framework might suggest that national nodal agencies evolve platforms and processes for machine-processing of data from different entities.
    - This would help check if audits are done properly and rate auditors based on their performance.
  - Greater powers to the regulators
    - The NCRF might suggest that regulators overseeing critical sectors can:
      - set rules for information security;
      - define information security requirements to ensure proper audit.
  - Effective Information Security Management System (ISMS)
    - The regulators may also need to access sensitive data and deficiencies related to the operations in the critical sector.
    - Hence, they would also need to have an effective Information Security Management System (ISMS) instance.
  - Common but Differentiated Responsibility (CBDR)
    - The policy is based on a CBDR approach, recognising that different organisations have varying levels of cybersecurity needs and responsibilities.
Need for National Cybersecurity Reference Framework (NCRF)
- Growing cyberattacks and lack of an overarching framework on cybersecurity
  - India faces a barrage of cybersecurity-related incidents which pose a major challenge to New Delhi’s national security imperatives.
  - E.g., a high-profile attack on the systems of AIIMS Delhi in 2022.
  - Many ministries feel hamstrung by the lack of an overarching framework on cybersecurity when they are formulating sector-specific legislation.
- Emergence of threat actors backed by nation-states and organised cyber-criminal groups
  - In recent years, many threat actors backed by nation-states and organised cyber-criminal groups have attempted to target Critical Information Infrastructure (CII) of the government and enterprises.
  - In addition, the availability of cyber-attacks-as-a-service has reduced the entry threshold for new cyber criminals, thus increasing the exposure of individuals and organisations.
- National Cybersecurity Policy of 2013 is still guiding the cybersecurity of the nation
  - The current guiding framework on cybersecurity for critical infrastructure in India comes from the National Cybersecurity Policy of 2013.
  - From 2013 till 2023, the world has changed as new threats and new cyber organisations have emerged, calling for new strategies.