With data leaks, ransomware attacks and other cyber security incidents becoming increasingly rampant and around 18% (eighteen per cent) of Indians being victims of such cyber security incidents1, one would expect the Indian Computer Emergency Response Team ("CERT-In") - "the trusted referral agency for cyber users in India for responding to cyber security incidents2" to be a major part of the discourse on cyber security in India. On the contrary, the CERT-In had not been nearly as conspicuous or pro-active as other Indian governmental agencies in exercising its powers until recently, when it issued 'Directions relating to information security practices, procedure, prevention, response, and reporting of cyber incidents' ("the Directions") and explanatory FAQs thereunder ("the FAQs")3.

This article seeks to unwind the role of CERT-In, the Directions and the path ahead for affected stakeholders.

Key Features

What is CERT-In, its roles and functions?

The CERT-In has been functional under the Ministry of Electronics and Information Technology, Government of India ("MEITY") since January, 2004.4 CERT-In was designated as the nodal agency for responding to computer security incidents as and when they occur through an amendment to the Information Technology Act, 2000 ("IT Act") in 2008.5 Accordingly, the designated function of CERT-In is to be the national agency for (i) collection, analysis and dissemination of information on cyber incidents6; (ii) forecast and alerts of cyber security incidents7; (iii) coordination of cyber incident response activities; (iv) issuing guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, prevention, response and reporting of cyber incidents; and (v) such other functions relating to cyber security as may be prescribed by MEITY8.

In light of the aforesaid functions, MEITY has issued the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 ("CERT-In Rules"). The CERT-In Rules inter alia provide for the requirement to mandatorily report certain cyber security incidents, the manner of responding to such incidents by CERT-In, and the collection, analysis and disclosure of information relating to such cyber security incidents, along with the power of CERT-In to issue directions and ensure compliance with them. The said reporting obligations are, however, mandatory for service providers, intermediaries, data centers and body corporates under the CERT-In Rules9. It is under the CERT-In Rules read with Section 70B (6) of the IT Act that the Directions have been issued.

Highlights of the Directions and Stakeholder Concerns

The Directions mandate 6 (six) requirements to be adhered to by all service providers, intermediaries, data centres, body corporate and Government organisations; however, certain requirements prescribed under the Directions are more specifically applicable to Virtual Private Servers ("VPS"), Cloud Service Providers ("CSP"), Virtual Private Network ("VPN") service providers, virtual asset service providers, virtual asset exchanges and custodian wallets (collectively "Stakeholders")10. The highlights of these requirements are provided below:

1. Synchronization with National Time Protocol - All Stakeholders have been mandated to synchronise their Information and Communication Technology ("ICT") system clocks with the National Time Protocol ("NTP") server of the National Informatics Centre ("NIC") or the National Physical Laboratory ("NPL"). An exception has been carved out in the FAQs for Stakeholders with ICT infrastructure across multiple geographies, wherein they are free to use an accurate and standard time source other than NPL and NIC, provided that the time source relied on by such Stakeholders does not deviate from NPL or NIC. MEITY in the FAQs has clarified that the intention of introducing this requirement in the Directions is to ensure that only standard time facilities are used across all entities11. However, several concerns have been raised in this regard by Stakeholders stating that concerns regarding latency could be extenuated given that most Stakeholders already use higher quality servers that are already available to them. Questions have also been raised regarding the reliability of NIC and/or NPL servers, which may be easily overwhelmed.12 Further, in the FAQs, MEITY has also clarified that there is no need to mandatorily set system clocks in Indian Standard Time (IST) and that the current directive requires uniform time synchronisation across all ICT systems irrespective of time zone.

2. Mandatory Reporting of Certain Cyber Security Incidents - All Stakeholders mandatorily have to report cyber incidents mentioned in Annexure-I of the Directions within 6 (six) hours of noticing such incidents. It is to be noted that Annexure-I of the Directions adds 10 (ten) new types of cyber incidents that are mandatorily required to be reported in addition to the 10 (ten) types of cyber incidents that were already prescribed under the Annexure to the CERT-In Rules. The new additions inter alia include (a) data breaches; (b) data leaks; (c) attacks through malicious mobile apps; (d) attacks or incidents affecting digital payments; (e) unauthorised access of social media accounts; (f) attacks or malicious/suspicious activities affecting systems/servers/networks/software/applications related to cloud computing, blockchain, virtual assets etc. MEITY has clarified in the FAQs that the burden of reporting such cyber security incidents has been placed on any entity that notices them and that such obligation cannot be passed down to any other entity contractually. Additionally, given that this requirement has been widely debated and criticised, MEITY has, in the FAQs, clarified that the requirement for reporting within 6 (six) hours is limited to the provision of information available to the Stakeholder at such time and that additional information could be reported to CERT-In later within 'reasonable time'13. Additionally, given that there is ambiguity on the meaning of the types of cyber security incidents to be reported to CERT-In (as listed in Annexure-I of the Directions), MEITY has provided an illustrative list of explanations on the types of cyber security incidents required to be reported in Annexure-I of the FAQs14. That said, Stakeholders have raised concerns stating that the types of cyber security incidents required to be mandatorily reported are numerous and have broad connotations. It is feared that this requirement may not only be onerous to Stakeholders but also may worsen the situation for cyber security in India as the capacity of CERT-In to effectively respond to the sheer number of the cyber security incidents that it would receive would be greatly reduced15.

3. Mandatory maintenance of logs by all Stakeholders - The Directions require all Stakeholders to mandatorily enable logs of all their ICT systems securely on a rolling basis for a period of 180 (one hundred and eighty) days and maintain the same within Indian jurisdiction. Such logs are required to be produced when ordered by CERT-In. However, MEITY has clarified in the FAQs that such logs can be stored outside India also if the obligation to produce the same to CERT-In is adhered to by the entities in a reasonable time16. MEITY has also clarified in the FAQs that the requirement to maintain and produce such logs is not only on Indian entities but also on any entity that offers services to users in India. Several concerns pertaining to privacy and protection of personal information of users, especially data subjects of foreign jurisdictions such as Europe and the USA and its long term impact on the free transferability of data have been raised by Stakeholders17 although they seem to have gone unaddressed in the FAQs18.

4. Registration of certain information by VPS, VPN and CSP - VPS, VPN and CSPs have been mandated to collect and maintain information on their respective subscribers/customers for a period of no less than 5 (five) years. The information required to be collected and stored as per the Directions includes (a) validated names, addresses, and contact details of the subscribers/customers; (b) period of hire/engagement; (c) email id and IP address used during registration, among others. Additional clarification on the type of data sought to be collected and stored by VPS, VPN and CSP has been given in the FAQs, wherein it has been clarified that the Directions apply to VPN service providers who provide "internet proxy like services" and not to enterprise/corporate VPNs19. This directive has seen the sharpest criticism by far from affected Stakeholders and has also led to the exodus of VPN service providers out of India, effectively being a death knell for quality VPN services in India20.

5. Appointment of a Point of Contact - The Directions require all Stakeholders to appoint a point of contact to interface with the CERT-In, much like the nodal officer envisioned in the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 ("Intermediary Rules"). Further clarifications in this regard have been provided in the FAQs, wherein it has been confirmed that even those entities which do not have a physical presence in India but offer services to users in India would have to appoint a point of contact. The far reaching consequences of this requirement, especially from a tax residence, permanent establishment etc. perspective, may have to be examined.

6. Maintenance of Know Your Customer Records - All virtual asset service providers, virtual asset exchange providers and custodian wallet service providers have been directed to maintain all Know Your Customer ("KYC") records obtained by them for a period of 5 (five) years. While the competence of CERT-In to issue directions regarding KYC records in itself has been questioned by some, there is excessive regulatory uncertainty vis-à-vis virtual assets and virtual asset exchanges, even with regard to the applicability of the KYC norms prescribed by the Reserve Bank of India ("RBI"), the Securities and Exchange Board of India and the Department of Telecom (all referenced in the Directions) to entities dealing with virtual assets. In such a scenario, one may argue that CERT-In neither has the legislative competence nor is it prudent for it to interfere in sectors that have already been well regulated by more efficient sectoral regulators such as the RBI.

INDUSLAW View & The Path Ahead

The Directions have now come into force with effect from June 27, 2022, except for micro, small and medium enterprises and for VPS, VPN and CSPs regarding the maintenance of validated information of users/customers as provided in the Directions. The effective date for such exempted Stakeholders has been extended to September 25, 2022. That said, all other Stakeholders have to comply with the Directions immediately if not already in compliance, especially given that the penalty applicable for noncompliance includes a punishment of imprisonment for a term of up to 1 (one) year or a fine of up to INR 1,00,000/- (one lakh rupees) (approximately USD 1,250/-), or both21. It is to be noted that by virtue of the extraterritorial applicability of the IT Act22, the Directions are not only applicable to Stakeholders in India but are also applicable to foreign Stakeholders who serve customers in India. The same has also been reiterated in the FAQs23.

That being said, the path to compliance may be onerous and toilsome for all Stakeholders given the approach adopted by MEITY in addressing the concerns of the industry, as is evident from its decision to keep the 6 (six) hour timeline for reporting of cyber security incidents unchanged despite representations from affected Stakeholders24 and its statements inviting Stakeholders who do not comply with the Directions to leave India25. In the current scenario, the most prudent course of action is to comply with the Directions on a best efforts basis and to be transparent with the government regarding the challenges that Stakeholders face in this regard.

Footnotes

1. https://indianexpress.com/article/technology/tech-news-technology/18-out-of-every-100-indians-affected-by-data-breaches-surfshark-7967560/

2. See Rule 8 of CERT-In Rules

3. https://www.cert-in.org.in/s2cMainServlet?pageid=PRESSLIST

4. https://www.meity.gov.in/content/icert

5. https://www.meity.gov.in/writereaddata/files/itact2000/it_amendment_act2008.pdf

6. The term "cyber incidents" has been defined under Rule 2(g) of the CERT-In Rules to mean "any real or suspected adverse event that is likely to cause or causes an offence or contravention, harm to critical functions and services across the public and private sectors by impairing the confidentiality, integrity, or availability of electronic information, systems, services or networks resulting in unauthorized access, denial of service or disruption, unauthorized use of a computer resource, changes to data or information without authorization; or threatens public safety, undermines public confidence, have a negative effect on the national economy, or diminishes the security posture of the nation."

7. The term "cyber security incident" has been defined under Rule 2(h) of the CERT-In Rules to mean "any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly applicable security policy resulting in unauthorized access, denial of service or disruption, unauthorized use of a computer resource for processing or storage of information or changes to data, information without authorization."

8. See Section 70B (4) of the IT Act

9. See Rule 12 of the CERT-In Rules

10. FAQs_on_CyberSecurityDirections_May2022.pdf (cert-in.org.in)

11. See questions 39 to 43 of the FAQs; FAQs_on_CyberSecurityDirections_May2022.pdf (cert-in.org.in)

12. https://www.medianama.com/2022/05/223-cybersecurity-directive-time-sync/

13. See question 30 of the FAQs; FAQs_on_CyberSecurityDirections_May2022.pdf (cert-in.org.in)

14. See question 9 and Annexure-I of the FAQs; FAQs_on_CyberSecurityDirections_May2022.pdf (cert-in.org.in)

15. https://www.livemint.com/opinion/online-views/a-regulatory-overload-could-weaken-our-cyber-security-11652200600874.html

16. See questions 35 to 38 of the FAQs; FAQs_on_CyberSecurityDirections_May2022.pdf (cert-in.org.in)

17. https://www.news18.com/news/opinion/cert-in-directives-aim-to-enhance-cyber-security-but-approach-raises-privacy-concerns-5218513.html

18. See questions 20 and 32 of the FAQs; FAQs_on_CyberSecurityDirections_May2022.pdf (cert-in.org.in)

19. See questions 20 and 32 of the FAQs; FAQs_on_CyberSecurityDirections_May2022.pdf (cert-in.org.in)

20. https://inc42.com/buzz/new-rules-for-vpn-providers-nordvpn-follows-expressvpn-surfshark-to-remove-servers-from-india/

21. See Section 70B (7) of the IT Act

22. See Section 1 and Section 75 of the IT Act

23. See question 26 of the FAQs; FAQs_on_CyberSecurityDirections_May2022.pdf (cert-in.org.in)

24. https://inc42.com/buzz/meity-six-hour-cert-in-norm-report-cybersecurity-incidents/

25. https://economictimes.indiatimes.com/tech/tech-bytes/follow-rules-or-leave-india-mos-rajeev-chandrasekhar-to-vpns/articleshow/91648952.cms
