Last week, leading Virtual Private Network providers Surfshark, NordVPN and ExpressVPN withdrew their servers from India. The VPN providers argue that the cybersecurity directives issued on 28 April 2022 by the Indian Computer Emergency Response Team (CERT-In) would render their privacy-oriented business model meaningless, since the directives require them to log and retain details of everyone who uses their servers. The directives come into effect on 28 June 2022. CERT-In’s directive has also met with severe backlash from other technology companies, who see the exit of the VPN providers as only the beginning of the fallout.
Concern over incident reporting timeline
In May, 11 industry bodies wrote a joint letter to the Director General of CERT-In expressing concern over the directive’s detrimental impact on cybersecurity and the difficulty it poses for companies doing business in India. They specifically flagged the six-hour incident reporting timeline and the overbroad definition of reportable incidents as problematic.
Cybersecurity regulations elsewhere generally provide proportionate, graded incident reporting timelines: the more critical the sector and the more severe the incident, the stricter the reporting obligation. CERT-In’s directive makes no such distinction. It takes a one-size-fits-all approach, requiring every covered entity, whether an intermediary, a cloud service provider, a data centre, a government body or a corporation, to adhere to the same six-hour reporting window.
Timely reporting of incidents allows cybersecurity agencies to quickly identify patterns that could be part of larger systemic attacks. While short timelines are not unprecedented, most advanced countries prescribe them only for a narrow set of priority sectors such as banking, finance and critical infrastructure.
In France, the financial sector must report major cybersecurity incidents within four hours. The country has laid down detailed guidelines on what qualifies as a major incident, and classifying an attack usually takes up to 24 hours. Other organisations have 72 hours to report an incident. Similarly, in the United Kingdom, financial institutions are required to report immediately only ‘material cyber incidents’, that is, incidents resulting in significant data loss or loss of control over the information technology system. Other sectors have up to 72 hours to report data breaches.
Short timeframe unreasonable
Leading industry bodies such as the Information Technology Industry Council (ITI) and The Software Alliance (BSA) have argued that the prescribed timeline is too short and may interfere with an organisation’s ability to deploy immediate defensive measures in the wake of an incident, since in the first hours responders are still containing the attack and establishing what actually happened. Instead, they recommend that organisations be given a minimum of 72 hours to report such attacks.
A notable aspect of CERT-In’s directive is that organisations must report even attempted cyber-attacks within six hours. Such incidents range from phishing attacks, in which scammers send fraudulent messages or emails to steal personal information or login credentials, to denial-of-service attacks, in which a computer resource is flooded with more traffic than it can handle so that legitimate users cannot reach it.
To address these concerns, CERT-In issued a set of frequently asked questions (FAQs) in May, which limited the scope of reportable incidents to “incidents of severe nature”. The FAQs did not, however, define the threshold of severity, leaving it open to wide interpretation. Large digital platforms face hundreds of thousands of attack attempts every day, most of them automated and routinely blocked. Without a clear, unambiguous threshold, a requirement to report each of them within six hours becomes onerous.
In some cases, premature disclosure of a cybersecurity incident can do more harm than good. If details of an incident become known before a fix is in place, other malicious actors can exploit the same weakness, multiplying the attacks. This is particularly true of zero-day exploits, attacks on a vulnerability that was previously unknown to the vendor, so that no patch yet exists. In 2021, Microsoft Exchange servers were attacked as part of an espionage campaign by Hafnium, a China-based hacking group. Microsoft released patches for the vulnerabilities, but the scale of attacks grew sharply once the incidents became public knowledge, as other groups rushed to exploit servers that had not yet been updated. Thus, while mandatory reporting is a crucial step towards a secure cyberspace, CERT-In may consider limiting the six-hour timeline to a defined set of priority sectors.
Pre-requisites for a secure cyberspace
India was the third most cyber-attacked country in the Asia Pacific, according to IBM Security’s X-Force Threat Intelligence Index 2022. In response to a question in the Lok Sabha, the Ministry of Electronics and Information Technology (MeitY) stated that more than 1.6 million cybersecurity incidents had been reported in India as of February 2022. A secure cyberspace is critical to India’s aspiration to become a $1 trillion digital economy, but the country cannot achieve that objective without carefully crafted cybersecurity rules that respond to the evolving needs of an emerging technology sector.
The US Cyberspace Solarium Commission emphasised that seamless collaboration between the government and the private sector is a non-negotiable prerequisite for a secure cyberspace. Such partnerships can yield constructive results in India and ensure security and democratisation of the country’s technological sector.
India has shown goodwill in this regard. In a meeting with industry on 10 June, MeitY offered certain concessions on the guidelines and assured industry leaders that the directives would be reviewed 90 days after implementation. While an agile regulatory approach is always advisable in technology regulation, prior consultation with relevant stakeholders could have mitigated points of friction and led to smoother implementation.
This article is part of ThePrint-Koan Advisory series that analyses emerging policies, laws and regulations in India’s technology sector.
(Edited by Zoya Bhatti)