We missed this earlier: The Additional Secretary dealing with Cyber Laws is now authorised with approval powers to issue gazette notifications that declare computer resources as "protected systems", noted a March 22nd office memorandum from the IT Ministry. These decisions are based on recommendations received from the Indian government's ministries and departments, which follow "necessary evaluation" by the National Critical Infrastructure Protection Centre. The current Additional Secretary overseeing the Cyber Laws division is Amit Agrawal. What are protected systems?: To understand that, you first need to understand what Critical Information Infrastructure is. According to Section 70 of the Information and Technology Act, 2000 (IT Act), that's a "computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety". The government notifies computer resources directly or indirectly affecting the "facility of Critical Information Infrastructure" as protected systems. So, who can access protected systems?: The government authorises the people who can access these systems, which are protected by information security practices also prescribed by the government. Violating Section 70 can invite imprisonment of up to 10 years and a fine too. Why does it matter?: Disruptions to Critical Information Infrastructure via cyber attacks can damage a country's most important IT services and resources. That's something that the junior IT Minister acknowledged in parliament last year too, stating that "ransomware incidents have grown over time with attacks across multiple sectors, including commercial and critical infrastructure...Ransomware actors exploit known vulnerabilities, compromised credentials of remote access services and phishing campaigns…
