‘Cooperate with CERT-In, give details about threat alerts’: IT Ministry to Apple

The ministry of electronics and information technology (MeitY) sent a notice to Apple on October 31, informing the Cupertino-based tech giant that the Indian Computer Emergency Response Team (CERT-In) will investigate the matter of Apple notifying Indian iPhone users that their devices may have been targeted in a “state-sponsored” attack.

“Given the sensitivity and the gravity of the case and the security breach related to high level dignitaries, an investigation into the serious issue will be taken up by CERT-In and related Government entities,” read the letter sent by the cyber laws division at MeitY.

“This raises a major cybersecurity concern about the services being offered by you,” the letter read.

Earlier on Thursday, MeitY Secretary S Krishnan confirmed that CERT-In is investigating the threat alerts issued by Apple.

In its letter, MeitY asked Apple to provide “relevant agencies” with more details about the attack, including identities of the state-sponsored attackers and their targets, along with “the vulnerabilities that have been exploited”.

“It is expected that Apple Inc. will provide fullest cooperation to the investigation into this serious matter and promptly take remedial actions, as applicable and to identify the perpetrators and to protect Indian users against such attacks targeting apps, operating system and the mobile phone as a whole,” the two-paragraph letter concluded.

In the letter, the ministry also reminded Apple that “such security breaches are required to be reported within six hours of occurrence” to CERT-In. The CERT-In directions of 2022 require all service providers, intermediaries, data centres, companies and government organisations to mandatorily report cyber incidents to CERT-In within six hours of noticing such incidents or being brought to their notice about such incidents.

In the threat notification sent to at least 10 members of the opposition, journalists and researchers, Apple warned that the recipients were potentially “being targeted by state-sponsored attackers who are trying to remotely compromise the iPhone” associated with their Apple ID. If the device is compromised, Apple cautioned, the attackers may have had remote access to the users’ “sensitive data, communications, or even the camera and microphone”.

Under CERT-In’s directions of 2022, Apple was required to inform the agency. “The CERT-In directions are framed broadly and apply to a broad range of ‘real or suspected’ cyber incidents --- including spyware attacks or unathorised access of data --- potentially requiring Apple to report them to authorities, even if at this stage they do not know the exact impact of the threat or the attack,” Vijayant Singh, principal associate at Ikigai Law, told HT.

What happens to Apple now? During its investigation, if CERT-In finds that Apple did not comply with the 2022 directions, it will issue a report to that effect to the director general of CERT-In, Singh explained. “If the director general decides to pursue it, the report will go to the review committee which consists of senior officials from ministries of information technology, home affairs, and law and justice, and department of telecommunications. If this review committee agrees with the report, they will direct DG CERT-In to file a complaint in court,” Singh said. This procedure is laid down in the CERT-In Rules, 2013, which also defines what constitutes a ‘cyber incident’.

“The final guilty verdict will need to be pronounced by the court,” he said. This can attract an imprisonment of up to one year or a fine of up to one lakh rupees or both.

At this stage, it is not known if Apple informed CERT-In about the issue either before or at the time of sending out the threat notifications. HT has sent Apple a detailed questionnaire about the notice. Apple’s response in awaited.