{"id":183872,"date":"2022-05-11T20:16:08","date_gmt":"2022-05-11T14:46:08","guid":{"rendered":"https:\/\/blog.forumias.com\/?p=183872"},"modified":"2022-05-11T20:16:08","modified_gmt":"2022-05-11T14:46:08","slug":"a-regulatory-overload-could-weaken-our-cyber-security","status":"publish","type":"post","link":"https:\/\/forumias.com\/blog\/a-regulatory-overload-could-weaken-our-cyber-security\/","title":{"rendered":"A regulatory overload could weaken our cyber security"},"content":{"rendered":"\n<p><strong>Source<\/strong>: This post is based on the article \u201c<strong>A regulatory overload could weaken our cybersecurity<\/strong>\u201d published in <strong>Livemint<\/strong> on <strong>10th May 22<\/strong>.<\/p>\n<p><strong>Syllabus<\/strong>: GS3 &#8211; Information Technology<\/p>\n<p><strong>Relevance<\/strong>: Cybersecurity and related issues<\/p>\n<p><strong>Context<\/strong>: Most countries have comprehensive rules setting out the various steps that companies must follow from the moment they learn of a breach. These rules are designed to mitigate the privacy harms from a breach of personal data.<\/p>\n<p>But, there is an absence of a full-fledged privacy law in India.<\/p>\n<h5>What is CERT-In?<\/h5>\n<p>In 2013, the Indian Computer Emergency Response Team (CERT-In) was established under <strong>rules issued under the Information Technology Act, 2000<\/strong>, to serve as a \u201ctrusted referral agency&#8221; that users could turn to in the event of a cyberattack.<\/p>\n<p>The role of CERT-In was to provide<strong> technical assistance in the event of a breach<\/strong>, and as such it had no mandate to assess the privacy implications of such breaches.<\/p>\n<h5>What are the rules wrt reporting of cybersecurity incidents in India?<\/h5>\n<p>The 2013 Rules, issued under the IT Act 2000, largely <strong>left it up to individual users to decide whether or not they wanted to report a cybersecurity incident<\/strong> to CERT-In. However, in an annex at the end, it listed <strong>ten types of incidents<\/strong> that mandatorily had to be reported.<\/p>\n<ul>\n<li>Most incidents described in the annex had to do with attacks on critical infrastructure: the SCADA systems central to our national energy grid, the DNS servers that route internet traffic, and other such systems.<\/li>\n<li>However, the annex also required relatively benign incidents\u2014\u201cunauthorised access to IT systems\/ data&#8221;, \u201cdefacement of websites&#8221; and \u201cspoofing and phishing attacks&#8221;\u2014to be reported to CERT-In.<\/li>\n<\/ul>\n<p>Recently, the ministry of electronics and information technology (MeitY) extended the 2013 Rules by <strong>issuing a new set of Directions under the Information Technology Act, 2000<\/strong>. The new directions considerably <strong>expanded the list of mandatorily reportable incidents<\/strong>, doubling it to 20.<\/p>\n<ul>\n<li>It introduced new reporting requirements in relation to attacks on Internet-of-Things devices, unauthorized access to social media accounts, and for suspicious activities that could affect systems relating to big data, blockchain, virtual assets, robotics, 3D and 4D printing etc.<\/li>\n<li>Companies are now <strong>required to report cyber incidents to CERT-In within six hours<\/strong> of becoming aware of them, and in a form that has to be downloaded from the CERT-In website as a non-editable PDF. Firms are required to maintain (within the territory of India), logs of their ICT systems for a period of 180 days and ensure that their system clocks are synchronized with Network Time Protocol Servers of either the National Informatics Centre or the National Physical Laboratory. It even presumes to regulate virtual asset service providers, requiring them to maintain KYC information and records of their financial transactions for a period of five years.<\/li>\n<\/ul>\n<h5>Issues associated with the rules<\/h5>\n<p><strong>Excessive burden on CERT-In<\/strong>: Requiring users to mandatorily report all such incidents, like \u2014every phishing attempt, every attempt to gain unauthorized access to a computer \u2014is excessive. It places an onerous <strong>reporting burden on companies<\/strong> that is unwarranted, considering that their IT departments are eminently capable of dealing with them. More importantly, it risks so thoroughly <strong>inundating CERT-In with trivial incidents<\/strong> that the agency may be left incapable of responding to serious incidents when they actually occur.<\/p>\n<p>Classification of all \u201csuspicious activity&#8221; relating to drones, blockchain and artificial intelligence as cybersecurity incidents under the new reporting requirements by MEITY, regardless of their likely consequences, does <strong>seems excessive.<\/strong><\/p>\n<p><strong>Source<\/strong>: This post is based on the article \u201c<strong>A regulatory overload could weaken our cybersecurity<\/strong>\u201d published in <strong>Livemint<\/strong> on <strong>10th May 22<\/strong>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Source: This post is based on the article \u201cA regulatory overload could weaken our cybersecurity\u201d published in Livemint on 10th May 22. Syllabus: GS3 &#8211; Information Technology Relevance: Cybersecurity and related issues Context: Most countries have comprehensive rules setting out the various steps that companies must follow from the moment they learn of a breach.&hellip; <a class=\"more-link\" href=\"https:\/\/forumias.com\/blog\/a-regulatory-overload-could-weaken-our-cyber-security\/\">Continue reading <span class=\"screen-reader-text\">A regulatory overload could weaken our cyber security<\/span><\/a><\/p>\n","protected":false},"author":10328,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"footnotes":""},"categories":[1230,9],"tags":[216,10501],"class_list":["post-183872","post","type-post","status-publish","format-standard","hentry","category-9-pm-daily-articles","category-public","tag-gs-paper-3","tag-live-mint","entry"],"jetpack_featured_media_url":"","views":{"total":0,"cached_at":"","cached_date":1704946178},"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/forumias.com\/blog\/wp-json\/wp\/v2\/posts\/183872","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forumias.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forumias.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forumias.com\/blog\/wp-json\/wp\/v2\/users\/10328"}],"replies":[{"embeddable":true,"href":"https:\/\/forumias.com\/blog\/wp-json\/wp\/v2\/comments?post=183872"}],"version-history":[{"count":0,"href":"https:\/\/forumias.com\/blog\/wp-json\/wp\/v2\/posts\/183872\/revisions"}],"wp:attachment":[{"href":"https:\/\/forumias.com\/blog\/wp-json\/wp\/v2\/media?parent=183872"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forumias.com\/blog\/wp-json\/wp\/v2\/categories?post=183872"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forumias.com\/blog\/wp-json\/wp\/v2\/tags?post=183872"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}