Monday, March 27, 2023

Exit of VPNs just the beginning. CERT-In’s cybersecurity rules will affect many players

Forcing companies to report cyber-attacks within a mere six hours is an onerous requirement.


Last week, leading Virtual Private Network providers, Surfshark, NordVPN and ExpressVPN, withdrew their servers from India. The VPNs have alleged that cybersecurity directives issued on 28 April 2022 by the Indian Computer Emergency Response Team would render their privacy-oriented business model meaningless, as they require them to log details of all the persons who access their servers. These directives will come into effect on 28 June 2022. However, CERT-In’s directive has met with severe backlash from various other technological companies, since they feel that this is just the beginning, and the fallout will not be limited to the exit of VPNs.

Concern over incident reporting timeline

In May, 11 industry bodies wrote a joint letter to the Director General of CERT-In, expressing their concern over the detrimental impact of this directive on cybersecurity and the difficulty it posed for companies trying to do business in India. The companies specifically flagged the six-hour incident reporting timeline and the overbroad definition of reportable incidents as problematic.

Globally, cybersecurity regulations provide a proportionate and graded incident reporting timeline: the more critical the sector and the more severe the incident, the higher the due diligence requirement. CERT-In’s directives, on the other hand, do not make this differentiation. They take a one-size-fits-all approach, requiring all entities, such as intermediaries, cloud service providers, data centres, governments and corporations alike, to adhere to a uniform six-hour incident reporting timeframe.

Timely reporting of incidents allows cyber security agencies to quickly identify patterns that could be a part of larger systemic attacks. While short timelines are not unprecedented, most advanced countries prescribe such timelines for a narrow set of priority sectors like banking, finance and critical infrastructure.

In France, the financial sector has to report major cyber security incidents within four hours. The country has laid down detailed guidelines to identify what qualifies as a major incident, and it usually takes up to 24 hours to classify an attack. Other organisations have 72 hours to report an incident. Similarly, in the United Kingdom, financial institutions are supposed to immediately report only ‘material cyber incidents,’ that is, incidents resulting in significant data loss or loss of control over the information technology system. Other sectors are allowed up to 72 hours to report data breaches.


Short timeframe unreasonable

Leading industry bodies, like the Information Technology Industry Council (ITI) and The Software Alliance (BSA) have argued that the prescribed timeline to report cybersecurity incidents is too short and may interfere with an organisation’s ability to deploy immediate defensive measures in the wake of an incident. Instead, they recommend that organisations be given a minimum of 72 hours to report such attacks.

A notable aspect of CERT-In’s directive is that organisations will have to report even attempted cyber-attacks within six hours. Such incidents range from phishing attacks, in which scamsters send fraudulent messages or emails to steal personal information, to denial-of-service attacks, in which a computer resource is flooded with unmanageable traffic to make it inaccessible.

To clarify these issues, CERT-In issued a set of frequently asked questions (FAQs) in May. Through these FAQs, it limited the scope of reportable incidents to “incidents of severe nature”. However, it did not define the threshold of this severity, leaving it open to wide interpretation. Large digital platforms are subjected to hundreds of thousands of cyber-attacks every day. In the absence of a clear, unambiguous stipulation, such a reporting requirement becomes onerous.

In some cases, premature reporting of cybersecurity incidents may cause more harm than good. If an affected organisation reports an incident before finding a solution, it allows other malicious actors to exploit the loophole, causing more attacks. This is particularly true in the case of zero-day exploits—attacks where threat actors exploit a vulnerability which was previously unknown to the victim organisation. In 2021, Microsoft Exchange servers were attacked as part of an espionage mission by Hafnium, a Chinese hacking group. While Microsoft took steps to address this vulnerability, the scale of attacks grew exponentially as soon as the incidents became public knowledge. Thus, while mandatory reporting is a crucial step towards a secure cyberspace, CERT-In may consider limiting the applicability of the six-hour timeline to a defined set of priority sectors.


Pre-requisites for a secure cyberspace

India was the third most cyber-attacked country in the Asia Pacific, according to IBM Security’s Threat Intelligence Index, 2022. In response to a question in the Lok Sabha, the Ministry for Electronics and Information Technology stated that more than 1.6 million cybersecurity incidents had been reported in India as of February 2022. A secure cyberspace is critical to India’s aspiration to be a $1 trillion digital economy. However, the country cannot achieve this objective without carefully crafting cybersecurity rules that respond to the evolving needs of an emerging technology sector.

The US Cyberspace Solarium Commission emphasised that seamless collaboration between the government and the private sector is a non-negotiable prerequisite for a secure cyberspace. Such partnerships can yield constructive results in India and ensure security and democratisation of the country’s technological sector.

India has shown goodwill in this regard. In a meeting between the government and the industry held on 10 June, MeitY offered certain concessions on these guidelines. It assured industry leaders that the directives will be reviewed after 90 days of their implementation. While an agile regulatory approach is always advisable in technology regulation, prior consultation with relevant stakeholders could mitigate points of friction and lead to seamless implementations.

Aditi Chaturvedi is the Head of Legal at Koan Advisory. She is an engineer and a lawyer with expertise in technology policy. She tweets @aditi_chaturved. Priyesh Mishra is a Senior Associate at Koan Advisory. He is a former LAMP fellow and has served as a policy advisor to an Indian Member of Parliament. Views are personal.

This article is part of the ThePrint-Koan Advisory series that analyses emerging policies, laws and regulations in India’s technology sector.

(Edited by Zoya Bhatti)
