Overhaul of cybersecurity framework
Jan. 30, 2024

Why in news?

  • As per media reports, the government has drawn up a guiding policy called the National Cybersecurity Reference Framework (NCRF) to help manage cybersecurity better.
  • The framework is based on existing legislation, policies and guidelines. It outlines implementable measures with clear articulation of roles and responsibilities for cybersecurity.

What’s in today’s article?

  • National Critical Information Infrastructure Protection Centre (NCIIPC)
  • National Cybersecurity Coordinator (NCSC)
  • News Summary

National Critical Information Infrastructure Protection Centre (NCIIPC)

  • NCIIPC is a government organization that protects critical information infrastructure (CII) for the public. It was established in 2014 and is based in New Delhi.
  • The NCIIPC's mission is to protect critical information infrastructure from unauthorized access, modification, use, disclosure, disruption, incapacitation, or destruction.
  • It also provides advice to reduce the vulnerabilities of critical information infrastructure from cyber terrorism, cyber warfare, and other threats.
  • The NCIIPC defines CII as computer resources whose incapacitation or destruction would have a debilitating impact on national security, economy, public health, or safety.

National Cybersecurity Coordinator (NCSC)

  • The NCSC provides guidance and support to state governments and private industry to help formulate policies.
  • It also provides guidance on internet governance, network management, and response strategies for cyberattacks.
  • It works under the National Security Council Secretariat (NSCS) and coordinates with different agencies at the national level on cybersecurity matters.

News Summary: Overhaul of cybersecurity framework

  • The government has drawn up the National Cybersecurity Reference Framework (NCRF), with clear articulation of roles and responsibilities for cybersecurity.

National Cybersecurity Reference Framework (NCRF)

  • Background
    • The NCRF was shared privately with companies and other government departments for consultation in May 2023, but is yet to be made public.
    • Apart from the main policy document, at least three supporting compendiums detailing global cybersecurity standards, products and solutions have also been formulated.
    • In June 2023, former National Cyber-Security Coordinator Lt. General Rajesh Pant had said that the NCRF would be released to the public soon.
  • About
    • NCRF is a framework that sets the standard for cybersecurity in India.
    • The NCRF can serve as a template for critical sector entities to develop their own governance and management systems for strong cyber-security systems.
      • The government has identified telecom, power, transportation, finance, strategic entities, government entities and health as critical sectors.
  • Institutions involved in framing the framework
    • The framework has been drawn up by the National Critical Information Infrastructure Protection Centre (NCIIPC) with support from the National Cybersecurity Coordinator (NCSC).
  • Key highlights
    • Non-binding in nature
      • The NCRF is a guideline, meaning that its recommendations will not be binding.
    • Separate budget allocation
      • It recommends that enterprises allocate at least 10 per cent of their total IT budget towards cybersecurity.
      • Such allocation is to be mentioned under a separate budget head for monitoring by the top-level management / board of directors.
    • Evolution of ways to use machines to analyse data from different sources
      • The framework might suggest that national nodal agencies evolve platforms and processes for machine-processing of data from different entities.
      • This would help check if audits are done properly and rate auditors based on their performance.
    • Greater powers to the regulators
      • The NCRF might suggest that regulators overseeing critical sectors can:
        • set rules for information security;
        • define information security requirements to ensure proper audit.
    • Effective Information Security Management System (ISMS)
      • The regulators may also need to access sensitive data and deficiencies related to the operations in the critical sector.
      • Hence, they also would need to have an effective Information Security Management System (ISMS) instance.
    • Common but Differentiated Responsibility (CBDR)
      • The policy is based on a CBDR approach, recognising that different organisations have varying levels of cybersecurity needs and responsibilities.

Need for National Cybersecurity Reference Framework (NCRF)

  • Growing cyberattacks and lack of an overarching framework on cybersecurity
    • India faces a barrage of cybersecurity-related incidents which pose a major challenge to New Delhi’s national security imperatives.
      • E.g., a high-profile attack on the systems of AIIMS Delhi in 2022.
    • Many ministries feel hamstrung by the lack of an overarching framework on cybersecurity when they are formulating sector-specific legislation.
  • Emergence of threat actors backed by nation-states and organised cyber-criminal groups
    • In recent years, many threat actors backed by nation-states and organised cyber-criminal groups have attempted to target the Critical Information Infrastructure (CII) of the government and enterprises.
    • In addition, the availability of cyber-attacks-as-a-service has lowered the entry threshold for new cyber criminals, thus increasing the exposure of individuals and organisations.
  • National Cybersecurity Policy of 2013 is still guiding the cybersecurity of the nation
    • The current guiding framework on cybersecurity for critical infrastructure in India comes from the National Cybersecurity Policy of 2013.
    • From 2013 till 2023, the world has changed as new threats and new cyber organisations have emerged, calling for new strategies.