The Indian Computer Emergency Response Team, commonly referred to as CERT-In, was established in 2004 as the national agency responsible for responding to cyber incidents, including making forecasts, undertaking emergency measures for handling such incidents, and issuing guidelines on information security practices. Historically, CERT-In has often been criticised for its inaction on reported cyber security incidents. Since 2021, however, it has taken a seemingly proactive stance, seeking more information and requiring the reporting of incidents to affected individuals, as the lack of adequate and relevant information on cyber incidents significantly impairs risk assessment and mitigation exercises. On April 28, 2022, CERT-In notified a new set of directions relating to information security practices, procedures, prevention, response and reporting of cyber incidents for a safe and trusted internet (Directions) under Section 70B(6) of the Information Technology Act. [1]
These Directions become effective 60 days after notification, i.e., on June 27, 2022, and are likely to have far-reaching implications for IT service providers, intermediaries, data centres and body corporates (Covered Persons). This blog post provides an overview of the new norms under the Directions and their impact on stakeholders.
1. Objectives: The Directions aim at augmenting and strengthening India's cyber security resilience and have two objectives: (i) to bridge the gap in the flow of cyber incident information that is essential to carry out analysis, investigation and coordination on the occurrence of a cyber incident, and (ii) to preserve the sovereignty or integrity of India, defence, state security, friendly relations with foreign states and public order, as well as to prevent the commission of any offence using a computer resource. The overall flavour of the Directions is to allow CERT-In to exercise better control over cyber incidents and to require Covered Persons, and in certain instances government organisations, to comply with the Directions' infosec measures, mandatorily report certain incidents, and fully cooperate with the information discovery and analysis process.
2. ICT clock synchronisation: Covered Persons and government organisations are obligated to connect to the Network Time Protocol (NTP) server of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL), or to servers traceable to these NTP servers, for synchronisation of all their information and communications technology (ICT) system clocks. If their operations span multiple geographies, Covered Persons may use other accurate and standard time sources, as long as their time source does not deviate from the NTP of NIC or NPL. NTP is the protocol by which ICT system clocks in a network are synchronised: a time server acquires time from an external source, maintains it in its local clock, and then relays it to the connected network. Synchronised time is essential for time stamping, which in turn is key to determining the chain of events that occurred on the network; time servers and the protocol are therefore basic infosec requirements and are routinely relied on to diagnose cyber incidents. However, the NTP server capacity of NIC or NPL could be limited, given the multiple roles these bodies serve, and mandating a direct or indirect nexus with them could result in capacity strains unless that capacity is augmented.
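As an added illustration of the offset computation that underlies the "does not deviate" requirement (example code, not part of the original post or of any CERT-In, NIC or NPL tooling): the script builds a constructed NTPv4 server reply, parses it, computes the RFC 5905 clock offset and round-trip delay from the four timestamps, and flags a deviation beyond a tolerance. The 0.5 s tolerance and the reference time are assumptions, since the Directions set no numeric threshold.

```python
import struct

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 to the Unix epoch
MAX_DEVIATION_S = 0.5           # assumed tolerance; the Directions give no numeric limit

def to_ntp(unix_ts: float) -> int:
    """Unix seconds -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    ntp = unix_ts + NTP_EPOCH_OFFSET
    secs, frac = int(ntp), int(round((ntp - int(ntp)) * (1 << 32)))
    if frac == 1 << 32:         # fraction rounded up to a whole second
        secs, frac = secs + 1, 0
    return (secs << 32) | frac

def from_ntp(ntp64: int) -> float:
    """64-bit NTP timestamp -> Unix seconds."""
    return (ntp64 >> 32) - NTP_EPOCH_OFFSET + (ntp64 & 0xFFFFFFFF) / (1 << 32)

def build_server_reply(t1: float, t2: float, t3: float, stratum: int = 1) -> bytes:
    """Constructed NTPv4 server reply (mode 4): origin=t1, receive=t2, transmit=t3."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4      # leap=0, version=4, mode=4 (server)
    return struct.pack("!BBbbIII4Q", li_vn_mode, stratum, 4, -20,
                       0, 0, 0,               # root delay, root dispersion, reference id
                       to_ntp(t3), to_ntp(t1), to_ntp(t2), to_ntp(t3))

def parse_reply(pkt: bytes):
    """Return (mode, stratum, origin, receive, transmit) from a 48-byte NTP packet."""
    f = struct.unpack("!BBbbIII4Q", pkt)
    return f[0] & 0x7, f[1], from_ntp(f[8]), from_ntp(f[9]), from_ntp(f[10])

def clock_offset(t1, t2, t3, t4):
    """RFC 5905 local clock offset and round-trip delay from the four timestamps."""
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)

def check_sync(pkt: bytes, t1: float, t4: float, max_dev: float = MAX_DEVIATION_S) -> dict:
    """Validate the reply against our own request timestamps and flag excessive deviation."""
    mode, stratum, origin, t2, t3 = parse_reply(pkt)
    if mode != 4 or stratum == 0:
        raise ValueError("not a usable server reply (mode %d, stratum %d)" % (mode, stratum))
    if abs(origin - t1) > 1e-6:               # reply does not echo our request time
        raise ValueError("origin timestamp mismatch; stale or forged reply")
    offset, delay = clock_offset(t1, t2, t3, t4)
    return {"offset_s": offset, "delay_s": delay, "stratum": stratum,
            "in_tolerance": abs(offset) <= max_dev}

if __name__ == "__main__":
    # constructed scenario: client clock runs 2.0 s fast, ~0.1 s network round trip
    T = 1651104000.0                          # assumed reference: 2022-04-28 00:00:00 UTC
    reply = build_server_reply(t1=T + 2.00, t2=T + 0.05, t3=T + 0.06)
    print(check_sync(reply, t1=T + 2.00, t4=T + 2.11))
```

A negative offset means the local clock is ahead of the server; a real client would send a mode-3 request over UDP port 123 and take t1 and t4 from its own clock.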
3. 6-hour reporting window: All Covered Persons and government organisations must mandatorily report the cyber incidents listed in Annexure 1 of the Directions within 6 hours of noticing such an incident or being informed of it. Annexure 1 lists 20 incident types, including targeted scanning of critical networks/systems, compromise of critical systems, unauthorised access to IT systems and data assets, malicious code attacks, attacks on servers, identity theft, fake apps, spoofing and phishing attacks, data breach incidents, data leakages, attacks on applications, incidents affecting digital payment systems, unauthorised access to social media accounts, and attacks or suspicious activities affecting cloud computing, big data, blockchain, virtual assets, custodian wallets, etc. [2] The listed events can be reported over e-mail (email@example.com), phone (1800-11-4949) and fax (1800-11-6969). The formats and details required for reporting incidents are available on the CERT-In website and are updated from time to time. [3]
Earlier, the requirement was to report as early as possible, and only certain incidents were mandatorily reportable. The Directions limit the time frame to 6 hours, which could turn out to be a short span for Covered Persons to prepare such a report. Apart from the tightened timeline, the list of reportable incidents has been expanded by 10 new items [4], and there is a lack of clarity on the actual nature of the incidents in terms of their frequency, periodicity and impact evaluation, as well as the manner of their reporting. For instance, it is possible that on a given day a Covered Person receives multiple phishing e-mails, and as per the Directions, each one of them must be reported separately within 6 hours. Similarly, unauthorised access to social media could be an unintended internal incident, and these happen multiple times within organisations, but will now have to be reported to CERT-In mandatorily. The new reporting requirement highlights the need for organisations to have robust incident management and disaster recovery mechanisms in place, and will be particularly demanding for small organisations to adapt to and implement.
4. CERT-In powers: The Directions state that, for the purposes of cyber incident response, CERT-In can issue orders/directions to Covered Persons to undertake specific actions or to provide information or any other assistance that CERT-In deems fit for cyber security mitigation actions and situational awareness. [5] Further, every Covered Person and government organisation is now required to designate a Point of Contact (POC) with whom CERT-In will interface for cyber incidents, information requisitions and the issuance of directions. Information about the POC must be provided in the format specified in Annexure II to the Directions. The Annexure requires a Covered Person to provide the name, designation, office address, e-mail ID, mobile number, phone and fax of the POC, and on this basis it appears that the person should be employed by the Covered Person. It is unclear whether this could be an official employed by a group entity outside India, but it is unlikely that CERT-In would accept such officials as POCs, considering the general approach of the Information Ministry on such issues. Accordingly, it may no longer be possible to provide generic contact details, and the degree of accountability has increased. This could also create a situation where personal liability is imposed on the POC should there be a failure to comply with the Directions.
5. Log retention: All Covered Persons and government organisations must mandatorily enable and retain logs of all their ICT systems for 180 days, within India. These must be provided at the time of reporting any incident, or as and when directed by CERT-In. This requirement takes away much of the flexibility organisations had so far to structure their retention periods according to their own requirements. Covered Persons must now maintain localised logs even where they have no physical presence in India but use computer and ICT systems, networks, etc. located in India. This will result in an additional financial burden on Covered Persons, and specifically on medium and small enterprises, if they decide to procure paid log server and software facilities or adopt detailed security information and event management (SIEM) processes.
6. User data collection and retention: The Directions mandate data centres, virtual private server providers, cloud service providers and virtual private network service providers to mandatorily collect and retain certain subscriber-related information in an accurate manner for a minimum period of 5 years after the subscriber is no longer availing the underlying services. These data sets include subscriber names, period of hire including dates, IPs allotted and used, e-mail address along with the IP address and time stamp used at the time of registration, purpose of availing the services, verified address and contact numbers, and ownership pattern of subscribers. Virtual asset service providers, virtual asset exchange providers and custodian wallet providers must also maintain KYC information and records of financial transactions for a period of 5 years. [6] Specific to transaction records, the Directions state that information must be maintained accurately in such a way that an individual transaction can be reconstructed along with its relevant constituents, such as IP addresses, time zones, transaction ID, public keys or equivalent identifiers, addresses or accounts involved, nature and date of the transaction, amount transferred, etc.
There is no guidance on how the accuracy of the retained information is to be maintained. If this is interpreted as an ongoing obligation on organisations to constantly verify and update the data, it will become an extremely costly and difficult threshold to fulfil. Further, retaining such important data sets in identifiable form for 5 years after the original purpose of their collection and processing has been fulfilled leaves no meaningful choice to opt for data minimisation through limited retention periods, to apply de-identification and anonymisation techniques, or, for that matter, to exercise data subject rights at the free will of the subscriber. It will also require organisations to augment their existing infosec measures so that the integrity of the retained data sets is maintained and protected from potential breaches and leakages; to that extent, the requirement may be counterproductive, given that the Directions aim to prevent such cyber security incidents.
Non-compliance with the Directions may result in punitive action under Section 70B(7) of the Information Technology Act, which provides that Covered Persons can be punished with imprisonment for a term which may extend to 1 year, or with a fine of up to INR 100,000, or both. However, a similar penalty cannot be applied to government organisations owing to the absence of enabling language in the operative legal provision. The Directions will require Covered Persons to re-evaluate their existing infosec and data processing infrastructure and practices to align with the new rigours. Large organisations may need to create dedicated cells within their IT departments to handle compliance with these requirements, and for smaller organisations there could be an increased financial burden, as they will have to raise their existing practices from a reasonable protection threshold to what is stipulated under the Directions. The 60-day transition period in which organisations have to gear up may not be adequate, and a hurried implementation could expose organisations to more vulnerabilities on roll-out. Overall, while the intent of the Directions may be aligned with the need to rapidly investigate and remediate cyber security incidents, it is imperative that CERT-In issues clarifications and guidelines in a timely manner to aid and assist implementation.
[1] Section 70B(6) authorises CERT-In to call for information and give directions to IT service providers, intermediaries, data centres, body corporates and any other person for the purposes of fulfilling its functions with respect to cyber incidents.
[2] The list can be accessed at https://www.cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf (last accessed on May 4, 2022).
[4] These are data breach, data leak, attacks through malicious mobile applications, unauthorised access of social media accounts, and attacks on IoT, digital payment systems, cloud computing, big data, blockchain, virtual assets, custodian wallets, virtual asset exchanges, robotics, 3D and 4D printing, additive manufacturing, drones, AI and machine learning.
[5] Such orders or directions can be issued by a CERT-In officer of the rank of Deputy Secretary to the Government of India or above.
[6] For the purpose of KYC data, the Directions mandate compliance with directions issued by the Reserve Bank of India, the Securities and Exchange Board of India and the Department of Telecommunications.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.