November 21, 2024
Strengthening Cybersecurity for Critical Infrastructure: A Call for Regulatory Action
Jul 29, 2024

Last Updated on July 30, 2024 by Administrator

The recent Microsoft cloud outage, disrupting various essential services, underscores the world’s dependency on private companies and highlights the urgent need for a robust regulatory framework to mitigate such risks.

Critical infrastructure encompasses systems vital to a nation’s public health, safety, security, and economic stability. Disruptions, such as the Microsoft outage, which affected aviation, healthcare, banking, and federal agencies, expose the vulnerability of relying on cloud-based systems. This incident is not isolated; similar disruptions in recent years demonstrate the inherent risks.

Currently, operations are governed by service-level agreements focused on business development rather than security. System failures result in significant financial losses for clients and end-users, yet penalties for outages are minimal unless they stem from cyberattacks or terrorism. This lack of accountability emphasizes the need for comprehensive regulations to ensure corporations take necessary precautions to protect critical infrastructure.

Preventive measures must include data localisation, which restricts data storage and processing within a country’s borders. Existing Indian regulations, like the Public Records Act 1993, and directives from bodies like the Insurance Regulatory and Development Authority and the Reserve Bank of India, already mandate data localisation for certain sectors. Expanding these laws to the private sector would enhance security.

Governments should enforce best-in-class security standards and risk management protocols for critical infrastructure operators. Regular security audits, multi-cloud strategies, multiple data centres, regular backups, and mandatory off-site storage can shorten disaster recovery time. Blue/green deployment, mandatory load balancing, and beta testing before release can further reduce the likelihood and impact of outages.

To ensure compliance, the National Critical Information Infrastructure Protection Centre could impose sanctions and penalties for regulatory breaches. Companies handling critical infrastructure should face absolute liability, similar to those dealing with hazardous substances. This would align with international law principles, holding corporations accountable for disruptions.

Governments should mandate appropriate insurance coverage, compensation policies, and termination clauses to empower affected clients. Dispute resolution clauses would enable clients to seek damages for business interruption losses.

Policymakers must prioritize the security of critical information infrastructure through comprehensive legal and technical measures. By reducing the vulnerability of critical systems, nations can ensure the stability of their digital ecosystems and mitigate the impact of potential data outages.

Written by — Athi Venkatesh AVD