In order to strengthen Indian cyber security, the Indian Government has in recent times issued a series of amendments and rules which, one way or another, have made the Government of India (GoI) the handler of data accessed in the country and its agencies the watchdog for studying, identifying and stopping any Cyber Security Incidents in India.
The CERT-IN Directions came into the picture through the Information Technology Act, 2000, but it was formed in 2004. With the Information Technology (Amendment) Act 2008, CERT-IN was designated as the National Agency in the Cyber Security Area. CERT-IN is responsible for collecting and analysing information, forecasting alerts, emergency response and measures for handling, and issuing guidelines on Cyber Security Incidents. CERT-IN, being the apex authority in India, on April 28, 2022 (effective from June 27, 2022) issued new directions to properly co-ordinate the response to Cyber Security Incidents, along with the emergency measures to be taken.
- Section 70B of the Information Technology (IT) Act, 2000 (IT Act, 2000) gives the Government the power to appoint the team of the Indian Computer Emergency Response Team (CERT-IN) and provides for the manner of performing its duties and functions, and for penalties.
- Further, Rule 12 of Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2012 legally obligates the Service Providers, Intermediaries, Data Centres, Body Corporate and Government Organisations to provide the information as required and report cyber incidents to the CERT-IN.
IMPORTANT ASPECTS OF 2022 DIRECTIONS
This direction applies to all Service Providers, Intermediaries, Data Centres, Body Corporate and Government Organisations and further includes Virtual Private Server (VPS) providers, Cloud Service providers and Virtual Private Network Service (VPN Service) providers.
- Reporting of Incidents
Cyber Security Incident reporting was first introduced in the Rules of 2012. However, at that time the list of Cyber Security Incidents was shorter, and with the introduction of this direction the GoI has just doubled the number of incidents that are now recognised as Cyber Security Incidents.
A list of Cyber Security Incidents which shall be reported to CERT-IN is:
- Targeted scanning/probing of critical networks/systems
- Compromise of critical systems/information
- Unauthorised access of IT systems/data
- Defacement of website or intrusion into a website and unauthorised changes such as inserting malicious code, links to external websites etc.
- Malicious code attacks such as spreading of Virus / Worm / Trojan / Bots / Spyware / Ransomware / Crypto miners
- Attack on servers such as Database, Mail and DNS and network devices such as Routers
- Identity Theft, spoofing and phishing attacks
- Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
- Attacks on Critical Infrastructure, SCADA and operational technology systems and Wireless networks
- Attacks on Applications such as E-Governance, E-Commerce etc.
- Data Breach
- Data Leak
- Attacks on Internet of Things (IoT) devices and associated systems, networks, software, servers
- Attacks through Malicious mobile Apps
- Fake mobile Apps
- Unauthorised access to social media accounts
- Attacks or malicious/ suspicious activities affecting Cloud computing systems / servers / software / applications
- Attacks or malicious/suspicious activities affecting systems / servers / networks / software / applications related to Big Data, Block chain, virtual assets, virtual asset exchanges, custodian wallets, Robotics, 3D and 4D Printing, additive manufacturing, Drones
- Timeline of Reporting:
As per the 2022 directions, cyber security occurrences must be reported to CERT-IN within six hours of becoming aware of them or being made aware of them. Incidents can be reported to CERT-IN via email at incident@CERT-In.org.in, by phone at 1800-11-4949, or by fax at 1800-11-6969.
- Synchronization of Clocks
All Service Providers, Intermediaries, Data Centres, Body Corporate and Government Organizations shall connect to the Network Time Protocol (NTP) Server of the National Informatics Centre (NIC) or National Physical Laboratory (NPL) or with NTP servers traceable to these NTP servers, for synchronization of all their ICT (Information and Communication Technology) systems clocks.
- Requisition of Information
The Data Centres, Virtual Private Server (VPS) Providers, Cloud Service Providers and Virtual Private Network Service (VPN Service) Providers, shall register and maintain the following accurate information:
- Validated names of subscribers/customers hiring the services
- Period of hire including dates
- IPs allotted to / being used by the members
- Email address and IP address and time stamp used at the time of registration / on-boarding
- Purpose for hiring services
- Validated address and contact numbers
- Ownership pattern of the subscribers/customers hiring services.
- Designate a Point of Contact
It is binding on all Service Providers, Intermediaries, Data Centres, Bodies Corporate, and Government Organisations to appoint a Point of Contact (PoC) and share the details of the PoC with CERT-IN in the format specified.
- Maintenance of Logs
All Service Providers, Intermediaries, Data Centres, Body Corporate, and Government Organizations shall enable logs on all of their Information and Communication Technology (ICT) systems and maintain them securely for a period of 180 days within Indian jurisdiction. These logs and their records shall be provided to CERT-IN along with reporting of any incident or when ordered/directed by CERT-IN.
- Maintenance of KYC and Transactional Information
The Virtual Asset Service Providers, Virtual Asset Exchange Providers and Custodian Wallet providers shall mandatorily maintain all information obtained as part of Know Your Customer (KYC) and records of financial transactions for a period of five years.
- Information Requests
Under the CERT-IN Rules, CERT-IN can seek information from regulated entities in defined formats and time frames for reacting to cyber incidents; however, only officers with the rank of Deputy Secretary or higher can use this function. The 2022 Directions, on the other hand, grant extensive authority to request information without any protection.
Update for MSMEs
MeitY has granted MSMEs an extension in respect of the directions issued on April 28, 2022, which were planned to come into effect 60 days from the date of their notice (April 28, 2022). As per the direction issued on June 27, 2022, for extension of timelines, the timelines for enforcement of the Directions have been extended till September 25, 2022, for Micro, Small, and Medium Enterprises (“MSMEs”) and, partially, for Data Centres, Virtual Private Server (“VPS”) providers, Cloud Service providers and Virtual Private Network (“VPN”) service providers with respect to enforcement of the requirement to register customer and subscriber information.
The 2022 directions are another step by the Government of India to bring virtual assets and transactions under the legal umbrella. By significantly expanding the compliance net for entities, they have made the obligation to share information and report any incident unavoidable. The mandatory steps of syncing ICT clocks, maintaining logs, sharing the information of VPN users and maintaining KYC details of Virtual Asset and Wallet users are steps that were required in this age of the internet.
The world has seen multiple examples of private companies holding virtual space and acting arbitrarily without a regulatory watch, which does not sit well with the policy of a sovereign and democratic nation. In the Rules of 2012, CERT-IN mandated the process of reporting Cyber Security Incidents and appointing a Point of Contact for effective compliance. These directions have brought a panoramic change to the Rules of 2012. That India has become home to 100 unicorns, 83% of which are from the service sector, shows why these directions were a prerequisite. We can expect more stringent and obligatory duties through further amendments. As a result, while the directives provide for a 60-day implementation period following notification, it remains to be seen how the regulator and industry will react to the new reporting compulsion.