
New Rules For Reporting Cybersecurity Breaches Ambiguous, Say Experts

Virtual asset service providers have also been included in the directions passed for cybersecurity response



Attendees working on laptop computers participate in the Yahoo! Inc. Mobile Developer Conference Hackathon in New York, U.S. (Photographer: Victor J. Blue/Bloomberg)

Cybersecurity breaches will now need to be reported within six hours of the incident, as per the latest guidelines issued by the Indian Computer Emergency Response Team.

The national agency has now imposed this specific deadline in place of the "as early as possible" approach followed so far. The new set of directions also includes government organisations among those who will have to report such incidents.

The CERT-In was set up under the Information Technology Act, 2000 and is responsible for coordinating and responding to cybersecurity breaches.

The agency has the powers to issue directions and call for information from service providers, intermediaries, data centres, and corporate entities, among others.

While the move to prescribe the six-hour timeline is welcome, tech policy experts say certain directions under the revised rules are ambiguous and unnecessary.

Cybersecurity Incidents Have To Be Reported Within Six Hours

The new directions are aimed at addressing the gaps in responding to cybersecurity incidents. The government has expanded the scope of incidents which will now need to be reported, namely:

  • Targeted scanning/probing of critical networks/systems.

  • Compromise of critical systems/information.

  • Unauthorised access of IT systems/data.

  • Unauthorised changes to websites, such as inserting malicious code or links to external websites.

  • Virus, bot, spyware, ransomware attacks.

  • Attacks on servers.

  • Data breach.

  • Data leaks.

  • Incidents affecting digital payment systems.

  • Fake mobile apps.

  • Unauthorised access to social media accounts.

The directions also require all entities to maintain logs of all their information and communication technology systems within the Indian jurisdiction for a period of 180 days.

Any kind of activity on a computer can give rise to a log, and it is not clear which of these logs have to be maintained, cybersecurity expert Pranesh Prakash told BloombergQuint.

For example, you have logs generated from who all have accessed a particular computer. There is a log generated from a web server as to which all computers have requested access to this website. There is a log generated by this programme called SSH, the log of all the people who have logged in to a computer. So, it's unclear what the expectation is.
Pranesh Prakash, Cybersecurity Expert

The Internet Freedom Foundation, too, finds this direction ambiguous.

Ambiguity over what is covered under “all their ICT systems” leads to various concerns, such as the government having access to or enterprises storing more data than necessary. Clarity over such a phrase would enable internationally recognised principles of purpose limitation and data minimisation.
Tejasi Panjiar, Capstone Fellow, Internet Freedom Foundation

Directions Issued For VPN Providers

The agency has also asked Virtual Private Server providers and Virtual Private Network providers to record and maintain information of their subscribers for a period of five years.

The VPN service providers are required to collect information that includes:

  • Validated names of subscribers hiring the service.

  • Period of hire including dates.

  • IPs allotted to the user.

  • Email address and time stamp used at the time of registration.

  • Purpose for hiring services.

  • Validated address and contact numbers.

  • Ownership pattern of the subscriber hiring the service.

The mandate of keeping the information for a period of five years after the cancellation or withdrawal of the registration can be further extended.

The direction for VPN providers is "meaningless bureaucracy and nothing more", said Prakash.

If I'm hiring a VPS in India, there is no reason for the VPS provider to know why I'm hiring that VPS — the purpose might change from time to time — nor does it benefit cybersecurity in any way for a record to be kept of this. The CERT-In is not empowered to seek this information as it is not relevant for the purposes of the agency.
Pranesh Prakash, Cybersecurity Expert

The concerns around this are compounded by the absence of a data protection law, Panjiar said.

Concerns around storing of data beyond purpose or need are further exacerbated in the clause requiring “maintenance of data for 5 years or longer, as mandated by the law”. The ambiguity around the time frame along with the lack of reasoning behind extending it could lead to serious privacy violations.
Tejasi Panjiar, Internet Freedom Foundation

Crypto-Service Providers Also Included In Cybersecurity Guidelines

The new directions also extend to virtual asset service providers, virtual asset exchange providers and custodian wallet providers who will have to maintain know-your-customer information for a period of five years. The information that has to be maintained also includes records of financial transactions which, if required, allow for identifying:

  • The relevant parties including IP addresses along with timestamps and time zones.

  • Transaction ID.

  • Addresses or accounts involved.

  • The nature and date of the transaction, and the amount transferred.

The directions issued by the CERT-In will come into effect within 60 days.