A few years after the 26/11 terror attack devastated Mumbai, the regional head of one of India’s largest private security companies told me during a discussion that in one of the two iconic hotels of Mumbai, where terrorists struck, two personnel from her agency were the first respondents at the lobby.
Had they been authorized to carry small arms, they could have created the first layer of resistance. But alas! It did not happen that way, because there are severe restrictions on the use of arms by private security agencies in India.
The eventual outcome in terms of casualties and mayhem in the hotels, unleashed by radically brainwashed Pakistan-based terrorists is known to all. In reality, the 26/11 terror attack targeted India’s financial hub, rail, and tourism infrastructure, and did not even spare hospitals.
Today India is far more resilient and bigger as an economy. It has invested considerably in capacity building of its counter-terror special units, both at central and state levels. Dedicated counter-terror investigation units like the National Investigation Agency (NIA) have been built up, and much has also been invested in India’s technical surveillance capabilities to preempt terror attacks.
The Present Context
Even though in the last 10 years, Modi Government has been successful in thwarting major terror attacks in its prime cities, in the larger context of things, threat to India critical infrastructures has not gone down. With time, as India would inch towards the $5 trillion economy mark by 2027-28 and possibly a $10 trillion economy in the next decade, the importance of protecting its critical infrastructures from all kinds of threats, be it cyber-attacks, or physical attacks by terror groups or rampage of such infrastructures by violent mobs orchestrated by anarchists, becomes even more profound.
To put things in perspective, it is a known fact that many sensitive sectors such as the banking system, telecom, defense and government organizations have been facing innumerable instances of cyber attacks on critical installations.
While Government of India has indeed created the National Critical Informational Infrastructure Protection Centre, followed by sector-specific Computer Emergency Response Teams (CERT-IN), and National Cyber Coordination Centre, to create situational awareness regarding cyber threats, it is imperative to examine whether this is enough or much more is needed to be done to secure India’s critical sectors from all kinds of disruptive activities, and not just cyber threats.
Dealing with Organized Mob Violence
Along with threats of terror attacks, one can also witness how key sectors such as India’s railway infrastructures are often targeted by arsonists and violent mobs, all in the name of protests. During the anti-CAA riots, as well as protests against Agniveer policy, one could witness how trains and stations were burnt down, stones were indiscriminately pelted at moving trains, and in certain places, protestors could even be seen uprooting railway tracks. Against such mobs on rampage, can security personnel do anything? Are they authorized to use firepower? There are no clear answers to that.
In the realm of hybrid war, as things stand today, one may instigate a mob through vested interests, on the pretext of any issue, and channelize their anger to burn down any major asset or infrastructure.
This phenomenon of attacking infrastructures of key sectors is not restricted to railways alone. During the anti-farm law protests, one could witness how mobile towers of Reliance JIO were targeted in Punjab. Almost 1500 such towers were ‘vandalised’. Targeting telecom infrastructure itself is a dangerous trend given its impact on communication and overall business, especially in today’s digital-dependent era.
Rail’s Contrast with Aviation Sector
One may wonder as to why railways infrastructure is often targeted by anarchists and protesting mobs, but not airports. The reason is simple.
The aviation sector is governed by global regulations, and therefore Governments are mandated to have the strictest of benchmarks in order to ensure highest level of safety and security for passengers. Or else, international flights to, and from the country, would be severely impacted. Rules of Engagement, therefore, are clear in case of protection of civil aviation assets.
But it cannot remain an exception forever. What India needs is to ensure that protection of all its critical infrastructures is taken to a similar level where it is adequately secured from all kinds of physical and cyber-attacks, from terror groups or arsonists. Herein therefore comes the indispensable necessity for India to legislate a Critical Infrastructure Protection Act
Defining Critical Infrastructure
USA’s Cybersecurity & Infrastructure Security Agency (CISA) has identified 16 critical infrastructure sectors, ‘whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof’.
The sectors identified are namely, Chemical Sector, Commercial Facilities, Communications, Critical Manufacturing, Dams, Defence Industrial Base, Emergency Service, Energy, Financial Services, Food & Agriculture, Government Services & Facilities, Healthcare & Public Health Sector, IT Sector, Nuclear Reactors, Materials & Waste Sector, Transportation Systems and Water.
In the Indian context, while some of the above-mentioned sectors do have adequate security, given by the likes of CISF or state-level industrial security forces, not all the sectors, and not all entities even within critical sectors, get the same level of security.
Identifying the Problems and Lacunae
In the first place, there is a limitation to the number of installations that can be guarded by the likes of CISF.
Even though select private sector enterprises are now getting CISF cover, on most occasions, CISF only provides security to government installations.
The private sector is often left to fend for itself with the help of private security agencies, even though majority of critical infrastructures in some sectors, are now in realm of private sector. While many of the top-notch companies, operating in India, have indeed invested in quality surveillance capabilities and access control systems, in their perimeters, however, when it comes to first-response capacity building, there are severe gaps as there are no provisions of bulk licensing of arms for the private security agencies in India.
Even when private sector deploys armed guards, mostly comprising of former personnel of armed forces owning licensed guns, the rules of engagement for private security agencies in India, are so lopsided that even if by default they resort to use of their arms for self-defense or protection of assets, they are subjected to numerous legal cases and associated hassles. Most thus avoid the same.
In banks, for instance, armed guards with their archaic double-barrel shotguns, are no match when armed robbers attempt to loot a bank. Often, they fight just to ensure their guns don’t get stolen. Use of firearms to prevent robbery is the last thing in their mind, knowing well that they have no legal immunity if the perpetrators get killed by their bullets.
The moot question is this. Given the multidimensional threats India is besieged with, should India continue to remain hamstrung by its own old policies or reform them?
What India Needs are the Following
In the first place, India needs an overarching Critical Infrastructure Protection Act. This should include protection of critical assets from both cyber and physical attacks, from acts of terror by armed terrorists to acts of arson and rampage by violent mobs, as well as sabotage. Placing objects on rail tracks or covering railway signals with cloth should not be seen as acts of mischief but as serious acts of sabotage.
The Critical Infrastructure Protection Act should also make the Rules of Engagement (ROE) as well as the Standard Operating Procedures (SOP) for protection of critical assets very transparent. Use of firepower for protection of critical assets should be mandated, albeit with necessary checks and balances. Or else, in the future too, security forces would remain powerless when mobs go on a rampage and destroy critical infrastructures at will, as has been seen in the recent past.
Further, Critical Infrastructure Protection Act must mandate for a nominal cess collection for expenditure on capacity building in the same. Much like the aviation sector, railways and other major sectors may be allowed to collect a token amount from the end-users. This should go hand in hand with making it mandatory for every concerned sector to invest in building capacity for perimeter protection and cyber fencing of their physical and virtual assets.
The Need for National Critical Infrastructure Protection Agency
Along with Critical Infrastructure Protection Act, India must create a National Critical Infrastructure Protection Agency, and absorb NCIIPC into it. Its job should not just be advisory in nature but should ensure that critical infrastructure sectors are adequately protected in India. There should be severe punishments, including provisions for life imprisonment, for deliberately destroying critical infrastructures.
Revamping Private Security Industry
As India’s economy has grown manifold, with majority of the growth now being spearheaded by India’s robust private sector, it goes without saying that a significant proportion of India’s critical infrastructures have been built in private sector, which needs more protection than perhaps every run-of-the-mill state-run institution. Can that be effectively done without the right kind of reforms in India private security industry and laws that govern them?
India therefore, also needs a Private Security Agency Regulatory Authority, along with necessary changes in the rules of engagement for private security industry. There should be gradation of private security agencies, and only the top-notch ones, who clear certain well-defined criteria, should be certified to be in the business of critical infrastructure protection.
Limited License for Small Arms Procurement
Critical Infrastructure Protection Act should ideally allow certified private security agencies to acquire a limited number of small arms such as .32 caliber pistols and pump action shotguns, and keep them under safe custody of well-trained supervisors certified by CISF.
Only those who have had professional background in armed forces should be allowed to operate them, with stringent regulations in place, including that they can only be used against armed attacks or such violent attacks that are targeted at destruction of critical assets of the organization.
Rules should also be there to ensure that such weapon systems would never be used against employees and against generic protests. In other words, such agencies should be mandated only to protect the critical assets but not become tools of intimidation in the hands of managers or owners of organization.
Infrastructure Security Key to National Security
In a rapidly changing landscape of hybrid threats, India must take cue from USA on how private security agencies have been deployed to protect critical infrastructures there.
India need not reinvent the wheels but embrace the global best practices to secure its assets, because threats, much like economic growth are only going to go upward. Newly introduced BNS may take care of some of the challenges, but a separate Critical Infrastructure Protection Act is needed for an overarching legal mandate to deal with multidimensional threats.
Pathikrit Payne is a Senior Research Fellow with Dr. Syama Prasad Mookerjee Research Foundation