Understanding the role of CERT-In in India.
After the government notified the CERT-In directives CERT-No. 20(3)/2022-CERT dated 28.04.2022 (“the New Directives”), there have been intense discussions on what they bring to the table in terms of compliance for various stakeholders. The New Directives mandate that body corporates must report cyber incidents within six hours of noticing such incidents or being brought to notice about such incidents. This does not mean there were no mandates under the law previously to report cyber security incidents. Rule 12(1)(a) of the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (“CERT-In Rules”) mandated that any individual, organization or corporate entity affected by cyber security incidents must report such an incident as early as possible to leave scope for timely action by CERT-In. Further, the CERT-In Rules also specified that service providers, intermediaries, data centres and body corporates should report cyber security incidents to CERT-In within a reasonable time of the occurrence or noticing of the incident, to leave scope for timely action.
However, the New Directives clarify the timeline within which such incidents must be reported and broaden the scope of the incidents to be reported.
But what really is the CERT-In?
The Indian Computer Emergency Response Team [CERT-In] is the national agency constituted by the government under section 70B of the Information Technology Act, 2000 [IT Act, 2000] to address cyber security incidents.
Cyber incidents can mean adverse events (suspected or real) which cause harm to critical functions and services in the private/public sectors by compromising the confidentiality or integrity of information, systems, services or networks, resulting in unauthorized access, denial of service or disruption, unauthorized use of a computer resource, or changes to data or information without authorization. They could also threaten public safety, undermine public confidence, have a negative effect on the national economy or diminish the security of the nation. On the other hand, if similar events occur in contravention of a business’s own security policies and processes, then such an event constitutes a cyber security breach. Hence, the law as it stands today makes a slight but significant distinction between what constitutes a cyber incident and a cyber security incident.
CERT-In functions within the administrative purview of MeitY and is active 24 hours a day, including public holidays.
Broadly, the functions of CERT-In have been laid down in the IT Act, 2000, and in addition the Government has been vested with sufficient powers to decide the functions and duties of CERT-In. It is responsible for responding to cyber security incidents, the prediction and prevention of cyber security incidents, and scanning cyber space for cyber security vulnerabilities, breaches and malicious activities, among other activities.
CERT-In can also interact with stakeholders to collect and disseminate information, and for this purpose it may seek assistance from intermediaries, security and law enforcement agencies, the Department of Telecommunications and, technically, anyone in the industry for that matter. It is tasked with the responsibility of both mitigating cyber security incidents and assisting the general public in preventing and addressing all issues of cyber incidents or cyber security incidents. So, if an entity suspects any untoward incident targeting its digital infrastructure, it may approach CERT-In to seek assistance to prevent or mitigate such an incident. However, the CERT-In Rules specify that the level of support will depend on multiple factors such as the severity of the incident and the entity being affected. Thus, it is at CERT-In’s sole discretion to decide whom it will assist in case of an incident, and how.
Yet another interesting position is with respect to how the agency should ensure the confidentiality of individuals/body corporates who disclose any information with respect to an incident. CERT-In should prevent any action which may lead to the identification of an individual, group of individuals or organization affected by a cyber security incident unless such individuals or organizations explicitly consent in writing to being identified. The extent to which this provision is observed is debatable, given that data breaches resulting from cyber security incidents in India become public news and leave no scope for the national agency to ensure anonymity.
What does the New Directive mandate?
The intent of issuing the New Directives seems to be to tighten the compliance of various stakeholders and ensure there is strict and timely reporting of cyber incidents and security breaches. Individuals, however, are exempted from the ambit of the New Directives. A few major rules brought into effect by way of the New Directives are:
- Any service provider, intermediary, data centre, body corporate and Government organization must mandatorily report cyber incidents of the nature specified in the New Directives within 6 hours of noticing such incidents.
- CERT-In can call for information or assistance from a service provider/intermediary/data centre/body corporate to address issues of cyber security incidents. Logs of all ICT systems must be maintained for a rolling period of 180 days; such logs may be maintained within India and, if they are maintained outside India, they must be produced within a reasonable time when required. These records are subject to CERT-In’s scrutiny.
- Data centres, Virtual Private Server (VPS) providers, Cloud Service providers and Virtual Private Network Service (VPN Service) providers are mandated to have in place a KYC system, the records of which must be maintained for a period of 5 years. They must specifically record details of the IP addresses, purposes for hiring and ownership pattern of the subscribers/customers.
- Virtual asset service providers, virtual asset exchange providers and custodian wallet providers must also adhere to the KYC norms. Additional diligence must be exercised by entities dealing in virtual assets, to the extent that accurate information relating to the identification of the relevant parties must be recorded, including IP addresses along with timestamps and time zones, transaction IDs, the public keys (or equivalent identifiers), addresses or accounts involved (or equivalent identifiers), the nature and date of the transaction, and the amount transferred.
This comes as a major move by the Government to regulate cyber space, and it will be interesting to note how the developments pan out.