Introduction
The defense of Critical Information Infrastructure (CII) against cyber threats depends significantly on the timely and secure exchange of threat intelligence among stakeholders. Threat intelligence refers to the data and insights gathered about potential or existing cyber threats, including attack vectors, indicators of compromise (IOCs), malware signatures, and attacker behaviors. Because most critical infrastructure systems—such as power grids, banking networks, telecom systems, and health services—are either privately owned or managed through public-private partnerships, legal frameworks play a vital role in regulating how this sensitive threat information is shared across entities.
This comprehensive explanation examines how legal instruments, institutional mandates, and national cybersecurity policies facilitate threat intelligence sharing in India and globally, with a specific focus on Critical Information Infrastructure. It also outlines the challenges, international cooperation mechanisms, and examples of legal enablers in practice.
1. Why Is Threat Intelligence Sharing Crucial for CII Protection?
CII systems are attractive targets for state-sponsored attacks, ransomware actors, and hacktivist groups. Because cyberattacks on one sector (e.g., telecom) can spill over into others (e.g., finance or healthcare), coordinated threat intelligence sharing becomes essential. Its benefits include:
- Early detection of emerging threats
- Rapid incident response
- Preventing threat propagation
- Building collective cyber resilience
- Enabling coordinated mitigation and recovery
However, this information is often sensitive, and sharing it raises concerns about liability, data privacy, national security, and competitive interests. Hence, strong legal frameworks are necessary to regulate and encourage secure sharing.
2. Legal and Policy Frameworks Supporting Threat Intelligence Sharing in India
a. Information Technology Act, 2000 (IT Act)
The Information Technology Act provides the backbone of cybersecurity regulation in India. Two sections are particularly relevant:
- Section 70: Empowers the central government to designate computer resources as “Protected Systems” if they constitute CII.
- Section 70A: Mandates the establishment of a National Nodal Agency—the National Critical Information Infrastructure Protection Centre (NCIIPC)—for the protection of CII. NCIIPC has the legal authority to collect, disseminate, and coordinate cyber threat intelligence related to CII.
b. CERT-In Rules (2022)
The Indian Computer Emergency Response Team (CERT-In), under the Ministry of Electronics and Information Technology (MeitY), has issued directives that require:
- Mandatory reporting of cyber incidents within six hours
- Synchronization of system clocks with NTP servers
- Log retention for 180 days
- Cooperation with CERT-In in sharing breach indicators and investigation data
These legal directives ensure real-time information flow between private entities and CERT-In, which shares aggregated threat intelligence with NCIIPC, sectoral CERTs, and law enforcement.
c. National Cyber Security Policy, 2013 (Update Pending)
Though under revision, the 2013 policy laid the foundation for threat intelligence sharing by:
- Promoting Public-Private Partnerships (PPPs)
- Encouraging the creation of sector-specific CERTs
- Supporting centralized threat intelligence repositories under NCIIPC and CERT-In
d. Digital Personal Data Protection Act (DPDPA), 2023
While focused on data privacy, the DPDPA also plays an indirect role. It mandates data fiduciaries to:
- Report personal data breaches
- Cooperate with the Data Protection Board and government agencies
During such breach investigations, threat intelligence is often shared between CII operators and security agencies.
e. Telecom Regulatory Framework
The National Security Directive on the Telecom Sector (NSDTS) requires telecom operators to use trusted sources and share system vulnerability information with the Designated Authority, which in turn coordinates with NCIIPC.
3. Key Institutions Enabling Legal Threat Intelligence Exchange
a. NCIIPC (National Critical Information Infrastructure Protection Centre)
Legally designated under Section 70A of the IT Act, NCIIPC is the nodal agency for CII security. It:
- Gathers and analyzes threat intelligence related to CII
- Coordinates with sectoral regulators, CERT-In, and private operators
- Maintains classified advisories for critical sectors
- Conducts cyber drills and forensic reviews after incidents
NCIIPC uses both classified and unclassified channels to facilitate secure information exchange.
b. CERT-In
CERT-In is the national incident response agency. It:
- Issues threat advisories, vulnerability alerts, and mitigation steps
- Maintains real-time collaboration with global CERTs
- Works with ISPs, hosting providers, and government agencies
- Legally enforces compliance through its 2022 directions
c. Sectoral CERTs
India has developed several sectoral CERTs, such as:
- Fin-CERT (for banking and finance)
- Rail-CERT (for Indian Railways)
- Energy-CERT (for the power sector)
These CERTs operate under legal mandates from their respective regulators (RBI, CEA, Ministry of Railways) and coordinate information sharing between public and private stakeholders.
4. Mechanisms Facilitated by Law for Threat Intelligence Exchange
a. Information Sharing and Analysis Centres (ISACs)
Inspired by the US model, India has Energy ISAC, Banking ISAC, and others. These are legally endorsed forums where:
- Members (CII operators) can share incident data anonymously
- NCIIPC and CERT-In participate in facilitating structured knowledge exchange
- Legal MoUs and NDAs ensure confidentiality
b. Reporting Portals and Compliance Dashboards
CERT-In has launched a Vulnerability Coordination Portal and Incident Reporting Portal. Sectoral regulators also have portals for regulated entities to report attacks or anomalies in real time. Legal mandates ensure:
- Obligatory registration
- Timely data submission
- Audit logs for regulators
c. Inter-Governmental Agreements and MLATs
India has signed Mutual Legal Assistance Treaties (MLATs) with several countries, enabling lawful access to transnational cybercrime evidence. Through such treaties, threat intelligence is exchanged with global CERTs, INTERPOL, and cybersecurity agencies.
5. Examples of Legal Threat Intelligence Collaboration
a. 2020 Power Grid Incident (Chinese Malware)
Suspected state-sponsored malware targeted power infrastructure in Maharashtra. Legal frameworks enabled:
- Incident reporting by the operator
- Investigation coordination between CERT-In, NCIIPC, and NTRO
- Secure intelligence sharing with the PMO and MHA
b. 2022 AIIMS Ransomware Attack
The AIIMS Delhi breach prompted a national-level response. Legal mandates ensured:
- Reporting to CERT-In within hours
- Cyber forensic support from NIC and MHA
- Information-sharing with other government hospitals to prevent attack replication
c. RBI’s Cyber Security Framework (2016)
RBI has issued detailed guidelines requiring banks to:
- Report cyber incidents to RBI, CERT-In, and Fin-CERT
- Share threat signatures and logs
- Cooperate with forensic auditors and cybersecurity investigators
Legal backing allows RBI to impose penalties on non-compliance.
6. Challenges in Legal Threat Intelligence Sharing
a. Lack of Legal Immunity for Sharing Entities
Private firms often hesitate to share threat data due to fear of:
- Reputational harm
- Regulatory scrutiny
- Legal liability in case of breach disclosures
Unlike the U.S. Cybersecurity Information Sharing Act (CISA), India lacks a specific legal immunity clause for good-faith intelligence sharing.
b. Confidentiality and Data Classification
CII-related threat intelligence may be classified. Legal frameworks do not clearly define:
- Who can declassify information
- How it may be anonymized for public dissemination
- Penalties for accidental leakage
This leads to hesitation and delays in collaborative responses.
c. Absence of Binding Information Sharing Agreements
Many Public-Private Partnerships (PPPs) for cybersecurity operate on voluntary or MoU-based terms. The absence of statutorily binding SLAs (Service-Level Agreements) hampers real-time collaboration.
d. Cross-border Legal Limitations
Threat actors often operate outside India. While MLATs exist, delays in legal cooperation with foreign governments limit the utility of threat intelligence.
7. Recommendations for Strengthening Legal Information Sharing
- Enact a Cybersecurity Information Sharing Act: India could benefit from a statute offering legal protections for companies sharing intelligence with government agencies.
- Create Legal Templates for PPP Agreements: Standardize NDAs, SLAs, and joint working arrangements under NCIIPC.
- Mandate Information Sharing in Sectoral Laws: Energy, healthcare, transport, and telecom regulations should clearly require operators to share cyber threat intelligence with NCIIPC and CERT-In.
- Develop a National Cyber Intelligence Grid: A legally backed, centralized repository accessible to vetted agencies and operators.
- Enable Real-Time Sharing APIs with Legal Safeguards: Allow continuous sharing of threat feeds through APIs, with end-to-end encryption and audit trails.
Conclusion
Legal frameworks are the foundation upon which secure, timely, and effective cyber threat intelligence sharing can occur—particularly when it comes to Critical Information Infrastructure. In India, instruments like the IT Act, CERT-In rules, sectoral regulations, and institutional roles of NCIIPC and CERT-In have created a robust but still evolving structure for information sharing. While progress has been made through public-private partnerships, ISACs, and reporting mandates, legal gaps persist—especially around immunity, standardization, and enforcement. Strengthening the legal regime for cyber intelligence sharing will not only bolster the security of India’s CII but also ensure national cyber sovereignty in an era of growing digital threats.