The Indian Computer Emergency Response Team ("CERT-In") is a national agency constituted under Section 70B of the Information Technology Act, 2000 ("IT Act") to perform the following functions in the area of cyber security:[1] (a) collection, analysis and dissemination of information on cyber incidents;[2] (b) forecast and alerts of cyber security incidents;[3] (c) emergency measures for handling cyber security incidents; (d) coordination of cyber incidents response activities; (e) issue guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, prevention, response and reporting of cyber incidents; (f) such other functions relating to cyber security as may be prescribed.

In accordance with the powers set out in Section 70B(6) of the IT Act, CERT-In on 28 April 2022 issued Directions relating to information security practices, procedure, prevention, response and reporting of cyber incidents for Safe & Trusted Internet ("Directions").[4] The Directions will become effective on 27 June 2022 (i.e. 60 days from the date of issue - 28 April 2022). Any non-compliance with the Directions will result in imprisonment for a period of up to 1 year or a fine of up to INR 100,000 or both.[5]

Set out below is a list of the compliances issued as part of the Directions. The Directions are applicable to the following persons: (a) service providers (may include virtual asset service providers); (b) intermediaries[6] (may include virtual assets exchange providers, custodian wallet providers); (c) data centres; (d) bodies corporate (including entities outside India); and (e) governmental organisations (collectively, the "Entities"), and certain other categories as identified in the table below:

 

Directions / Compliances

Comments

1.        

Match the Information and Communications Technology (ICT) infrastructure system of the Entities to a Network Time Protocol (NTP) server:

(a) of National Informatics Centre (NIC); or

(b) of National Physical Laboratory (NPL); or

(c) traceable back to the above.

In cases where an Entity has its ICT infrastructure located in multiple geographies, it may use an accurate and standard time source other than NPL and NIC. However, it must ensure that its time source does not deviate from NPL and NIC.

This has been heavily criticised, particularly since NIC and NPL may be more vulnerable to cyber incidents in comparison to several other such servers/protocols.

Note: NTP is a protocol used to synchronise computers' internal clocks to a common time source.

2.        

Report 'cyber incidents' (as mentioned in Annexure I to the Directions) within 6 hours from becoming aware of such incidents.

 

Report to CERT-In at (may be updated from time to time):

Email: incident@cert-in.org.in

Phone: 1800-100-4949

Fax: 1800-11-6969

 

No threshold or category has been identified for intimating such cyber incidents. As a result, every event which may fall within the ambit of 'cyber incident' will need to be reported within the given time frame.

This is in addition to the requirement of Rule 12 of the Information Technology (the Indian Computer Emergency Response Team and Manner of performing functions and duties) Rules, 2013 ("CERT-In Rules"), which mandates reporting a 'cyber security incident' (refer: Footnote 1 for definition).[7]

It is worth noting that CERT-In had earlier issued Advisory CIAD-2021-0004 dated 20 January 2021 ("Advisory"), which among other things mandated relevant entities to promptly notify users/customers affected by an information breach.

 

3.        

Entities are required to take action or provide information or any assistance to CERT-In as may be required by CERT-In in its order/direction.

 

The order/direction issued by CERT-In will provide the format of the information (including real-time), and a specified timeframe in which it is required.

 

The information sought / action requested should (ideally) be in furtherance of, or for the purpose of, incident response, protective and preventive actions relating to cyber incidents.

4.        

Entities must designate a point of contact to interface with CERT-In (in the prescribed format as set out as Annexure II to the Directions).

 

This requirement has its origin in Rule 17 of the CERT-In Rules.

5.        

Entities must enable and securely maintain logs of all their ICT systems for a rolling period of 180 days within Indian jurisdictions.

These logs will need to be provided to CERT-In along with reporting of the incident or as and when ordered / directed by CERT-In.

This will increase the cost of storing the said data logs. This also mandates localisation of these logs / data within the Indian jurisdictions.

6.        

Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers and Virtual Private Network (VPN) service providers are required to register the following information and maintain the same for a period of 5 years or longer as mandated under law after cancellation or withdrawal of the registration:

 

(a) validated names of subscribers / customers hiring the services;

(b) period of hire including dates;

(c) IPs allotted to / being used by the members;

(d) email address and IP address and time stamp used at the time of registration / on-boarding;

(e) purpose of hiring services;

(f) validated address and contact numbers; and

(g) ownership pattern of the subscribers / customers hiring services.

 

In essence this could have significant cost implications on such service providers. Further, customers employ VPN services to maintain anonymity while they surf the internet. The requirement to retain and report these streams of data may conflict with the user's right to privacy (including right to be forgotten) and be potentially used for mass surveillance.

7.        

Virtual assets service providers, virtual asset exchange providers and custodian wallet providers (as defined by Ministry of Finance) are required to maintain the following types of information, for a period of 5 years:

(a) know your customer (KYC) information collected (in compliance with the laws set out in Annexure III to the Directions); and

(b) accurate transaction records in such a manner so as to enable reconstruction of each individual transaction.[8]

This direction is particularly disconcerting (and overreaching) as CERT-In seeks to obtain data and information relating to KYC and financial transactions which may not have anything to do with cyber security.

 

The period of 5 years may need to be calculated from the date on which an account (pertaining to a trader) ceases to be operational and/or from the date on which a particular financial transaction takes place (as the case may be).

 

This also increases the compliance and cost burden on crypto exchanges and similar businesses in India, which could be significant given the recent fall in trading volumes.

Presently, it is unclear whether this compliance will apply to foreign crypto exchanges and businesses having a customer base in India. However, as far as the applicability of the IT Act is concerned, all the provisions of the IT Act apply to contraventions outside India as well, so long as such contravention involves a computer, computer system or computer network located in India.

 


Footnotes

1. Section 2(1)(nb) of IT Act defines 'cyber security' as "protecting information, equipment, devices, computer, computer resource, communication device and information stored therein from unauthorised access, use, disclosure, disruption, modification and destruction".

2. Rule 2(1)(g) of CERT-In Rules defines 'cyber incident' as "any real or suspected adverse event that is likely to cause or causes an offence or contravention, harm to critical functions and services across the public and private sectors by impairing the confidentiality, integrity, or availability of electronic information, systems, services or networks resulting in unauthorised access, denial of service or disruption, unauthorised use of a computer resource, changes to data or information without authorisation; or threatens public safety, undermines public confidence, have a negative effect on the national economy, or diminishes the security posture of the nation".

3. Rule 2(1)(h) of CERT-In Rules defines 'cyber security incident' as "any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly applicable security policy resulting in unauthorized access, denial of service or disruption, unauthorised use of a computer resource for processing or storage of information or changes to data, information without authorisation".

4. Ministry of Electronics and Information Technology, CERT-In Direction bearing no 20(3)/2022-CERT-In, Available at: https://www.cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf

5. This penalty will be in addition to the penalties prescribed under the IT Act towards failure to furnish information (where required to) and to comply with the provisions of IT Act and its rules and regulations.

6. Section 2(1)(nb) of IT Act with respect to any particular electronic records defines 'intermediaries' as "any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes".

7. Available under the heading 'Reporting' on the left hand side at: https://www.cert-in.org.in; and the reporting form is available at: https://www.cert-in.org.in/PDF/certinirform.pdf

8. This includes storing relevant elements to a transaction such as: identification of relevant parties, IP addresses with timestamps and time zones, transaction ID, public keys, accounts involved in the transaction, nature and date of the transaction and the amount transferred.
