Report breach within six hours: Govt frames cybersecurity norms

The ministry of electronics and information technology on Thursday underlined its first ever cybersecurity policy, asking service providers, intermediaries, data centres, body corporates and government organisations to mandatorily report any breaches or leaks within six hours of them being flagged.

“Any service provider, intermediary, data centre, body corporate and government organisation shall mandatorily report cyber incidents as mentioned in Annexure I to CERT-In (Computer Emergency Response Team) within six hours of noticing such incidents or being brought to notice about such incidents,” the policy said. CERT-In is the government’s nodal agency for detecting and responding to cyber incidents.

The policy will come into effect within 60 days. It will have far-reaching ramifications as to how the entities mentioned above collect and store, the period for which it will be stored and the mandatory need to share it with the government in case of a breach.

Parallel to this, the government is also working on a new cybersecurity policy, which has been in the works for over two years and proposes a multi stakeholder framework to check propaganda, deception, disinformation and “adversarial narratives” being peddled on websites of social media companies, people familiar with the matter said.

The policy has been pending with the government for over a year now and is being conceptualized by the National Security Council Secretariat of India headed by Lt General Rajesh Pant. Called National Cyber Security Strategy, 2021, the policy stresses on the need for a legislative framework to address the emerging challenges in the technology space.

Incidents that will be reported under CERT-in policy will include targeted scanning/probing of critical networks/systems, compromise of critical systems/information, unauthorised access of IT systems/data, defacement of website or intrusion into a website and unauthorized changes such as inserting malicious code, links to external websites, malicious code attacks such as spreading of virus/worm/Trojan/Bots/Spyware/Ransomware/Cryptominers, attack on servers such as Database, Mail and DNS and network devices such as routers, identity Theft, spoofing and phishing attacks.

The National Informatics Centre, that runs most government servers, has in itself been a target of several phishing attacks, wherein email ids of senior officials were compromised.

Moroever, for the purposes of cyber incident response, protective and preventive actions related to cyber incidents, the service provider, intermediary, data centre, body corporate is mandated to take action or provide information or any such assistance to CERT-In, which may contribute towards cyber security mitigation actions and enhanced cyber security situational awareness. They have also been asked to appoint a point of contact officer.

The above-mentioned entities have also been asked to enable logs of all their information and communications technology systems and maintain them securely for a rolling period of 180 days within the Indian jurisdiction. If needed, these will have to be shared along with reporting of any incident or when ordered/directed by it.

Aside from this, “virtual private server (VPS) providers, cloud service providers and virtual private network service (VPN service) providers, have been asked to register the following accurate information to be maintained for a period of five years or longer duration as mandated by the law”. The information includes validated names of subscribers/customers hiring the services, period of hire including dates, IPs allotted to/being used by the members, email address and IP address and time stamp used at the time of registration/on-boarding, purpose for hiring services, validated address and contact numbers and ownership pattern of the subscribers/customers hiring the services.

As far as the virtual asset service providers, virtual asset exchange providers and custodian wallet providers (as defined by ministry of finance from time to time) are concerned, they shall “mandatorily maintain all information obtained as part of Know Your Customer (KYC) and records of financial transactions for a period of five years so as to ensure cyber security in the area of payments and financial markets for citizens while protecting their data, fundamental rights and economic freedom in view of the growth of virtual assets”.

“This circular appears to be a knee jerk reaction to the persistent travails of CERT - IN due to non-compliance of the mandatory reporting mechanism. Provisions such as the mandatory synchronization of time with NPT and NIC and the time frame for reporting is indicative of trust deficit with industry. A deeper study is needed to evaluate if this circular meets the triple test affirmed in Puttaswamy judgment i.e. the need for a law, legitimate state aim and proportionality. The CERT-In rules were themselves a bit disproportionate and excessive but it has not come up for judicial review till date. With this circular there is strong possibility that not only the circular but also the CERT- IN Rules may come under judicial scrutiny,” N.S. Nappinai, an advocate at the Supreme Court of India and founder of Cyber Saathi Foundation, said.