A regulatory overload could weaken our cyber security

Source: This post is based on the article “A regulatory overload could weaken our cybersecurity” published in Livemint on 10th May 22.

Syllabus: GS3 – Information Technology

Relevance: Cybersecurity and related issues

Context: Most countries have comprehensive rules setting out the various steps that companies must follow from the moment they learn of a breach. These rules are designed to mitigate the privacy harms from a breach of personal data.

But, there is an absence of a full-fledged privacy law in India.

What is CERT-In?

In 2013, the Indian Computer Emergency Response Team (CERT-In) was established under rules issued under the Information Technology Act, 2000, to serve as a “trusted referral agency” that users could turn to in the event of a cyberattack.

The role of CERT-In was to provide technical assistance in the event of a breach, and as such it had no mandate to assess the privacy implications of such breaches.

What are the rules wrt reporting of cybersecurity incidents in India?

The 2013 Rules, issued under the IT Act 2000, largely left it up to individual users to decide whether or not they wanted to report a cybersecurity incident to CERT-In. However, in an annex at the end, it listed ten types of incidents that mandatorily had to be reported.

• Most incidents described in the annex had to do with attacks on critical infrastructure: the SCADA systems central to our national energy grid, the DNS servers that route internet traffic, and other such systems.
• However, the annex also required relatively benign incidents—“unauthorised access to IT systems/ data”, “defacement of websites” and “spoofing and phishing attacks”—to be reported to CERT-In.

Recently, the ministry of electronics and information technology (MeitY) extended the 2013 Rules by issuing a new set of Directions under the Information Technology Act, 2000. The new directions considerably expanded the list of mandatorily reportable incidents, doubling it to 20.

• It introduced new reporting requirements in relation to attacks on Internet-of-Things devices, unauthorized access to social media accounts, and for suspicious activities that could affect systems relating to big data, blockchain, virtual assets, robotics, 3D and 4D printing etc.
• Companies are now required to report cyber incidents to CERT-In within six hours of becoming aware of them, and in a form that has to be downloaded from the CERT-In website as a non-editable PDF. Firms are required to maintain (within the territory of India), logs of their ICT systems for a period of 180 days and ensure that their system clocks are synchronized with Network Time Protocol Servers of either the National Informatics Centre or the National Physical Laboratory. It even presumes to regulate virtual asset service providers, requiring them to maintain KYC information and records of their financial transactions for a period of five years.

Issues associated with the rules

Excessive burden on CERT-In: Requiring users to mandatorily report all such incidents, like —every phishing attempt, every attempt to gain unauthorized access to a computer —is excessive. It places an onerous reporting burden on companies that is unwarranted, considering that their IT departments are eminently capable of dealing with them. More importantly, it risks so thoroughly inundating CERT-In with trivial incidents that the agency may be left incapable of responding to serious incidents when they actually occur.

Classification of all “suspicious activity” relating to drones, blockchain and artificial intelligence as cybersecurity incidents under the new reporting requirements by MEITY, regardless of their likely consequences, does seems excessive.

Source: This post is based on the article “A regulatory overload could weaken our cybersecurity” published in Livemint on 10th May 22.