Context: On 28th April, the Indian Computer Emergency Response Team (CERT-In) issued “directions” under Section 70-B(6) of the IT Act 2000 relating to information security practices, procedure, prevention, response and reporting of cyber incidents.
These directions have expanded the scope of the obligations relating to the above requirements, compared with the IT (The Indian Computer Emergency Response Team and Manner of performing functions and duties) Rules, 2013 (Rules).
Some of the provisions, in the absence of clarification from CERT-In, have raised concerns among industry observers and cyber security experts.
What are the obligations under the new directions?
Among the activities for which compliance is sought from service providers, intermediaries, data centres and body corporates are:
– Synchronisation of computer clocks to the network time protocol set at the National Physical Laboratory and National Informatics Centre (NIC)
– Mandatory reporting of all cyber incidents within six hours of noticing or being brought to their notice in the prescribed format
– Designating a point of contact and notifying CERT-In, and undertaking to perform such actions for cybersecurity mitigation when notified by CERT-In
– Maintaining all logs of all ICT systems for up to 180 days within Indian jurisdiction; data centres, virtual private network service providers, cloud service providers and virtual private server providers must also maintain all records of their users and usage for a minimum of five years.
What are the concerns with the new directions?
The directions do not differentiate between the scales and nature of the incident. Some cyber incidents are far more common and occur regularly. An organisation might receive hundreds of phishing emails and the effort to notify each would drastically increase their compliance cost.
A window of 60 days has been provided before implementation of these compliances begins. Given the scale of the revamp, this might be too short a window. The government must look at the concerns that arise from such directions and work out a realistic timescale. In this case, there will be multiple companies, even from the MSME sector, that will take time to set up systems for compliance.
– At present, most entities maintain logs for around 30 days; to maintain logs for 180 days, the cost of additional data storage devices would be huge.
– Similarly, data centres, virtual private server providers, cloud service providers and virtual private network service providers will need to retain additional information for five years or more after the cancellation or withdrawal of registration.
– The virtual asset industry too will have to maintain all KYC records and details of all financial transactions for five years.
The compliance cost in each case is going to rise substantially.
Many of the entities will have to shift their servers geographically as well as add excess storage capacity. Most importantly, the recruitment of additional manpower for compliance may take far longer. A realistic timeline would be six months, which would allow the entities to effectively migrate to the new regime.
The penalty for non-compliance is stiff (including up to one year of imprisonment and monetary fines). But it is also unfair to create unrealistic deadlines for industry.
Privacy concerns: These become evident with VPNs and virtual asset wallets being asked to store and share KYC and transaction data. In the absence of legislative backing for data protection in India, the question is: How will the user have any say on which information can be held back or how his sensitive personal information is being protected?
Way forward
While CERT-In has been proactive in recognising the changing frontiers of technology and trying to deal with unknown cyber threats, it is wanting in terms of a graded approach to ensuring compliance.
Source: This post is based on the article “How to strengthen cybersecurity the right way” published in The Indian Express on 17th May 22.