The Indian Computer Emergency Response Team (CERT-In) issued “Directions relating to information security practices, procedure, prevention, response and reporting of cyber incidents for Safe & Trusted Internet” (“Directions”) on 28.04.2022. The said Directions will become effective on 27.06.2022.
“Cyber Security Incident” means “any real or suspected adverse event concerning cyber security that violates an explicitly or implicitly applicable security policy resulting in unauthorised access, denial of service or disruption, unauthorised use of a computer resource for processing or storage of information or changes in data, information without authorisation.”
CERT-In has issued these Directions under the powers provided by Section 70B of the Information Technology Act, 2000. Section 70B(6) of the Act states that the agency (CERT-In) is empowered to call for information and give directions to “the service providers, intermediaries, data centres, body corporate and any other person”.
The Directions consist of several mandatory compliances for different types of entities, including service providers, intermediaries, data centres, virtual private server providers and cloud service providers, as well as other entities such as “virtual asset service providers” and “virtual asset exchange providers”.
Interestingly, the Directions also impose a strict timeline of 6 hours after notice of an incident for reporting it to CERT-In. A summary of these Directions is provided below for your reference:
A. General directions applicable to “all service providers, intermediaries, data centres, body corporate and governmental organisations”.
Time Synchronization: Connect to the Network Time Protocol (NTP) servers of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL), or to NTP servers traceable to these NTP servers, for synchronisation of all ICT system clocks.
Incident Reporting: Mandatorily report all cyber incidents mentioned in Annexure I of the Directions to CERT-In within 6 hours of noticing such incidents or being brought to notice about such incidents. However, the FAQs (Question 30 of the FAQs) clarify that the Identified Entities
Provision of Information and Assistance: Take action or provide information or any such assistance, which may contribute toward cyber security mitigation actions and enhanced cyber security situational awareness.
Point of Contact: Entities are required to designate a Point of Contact (POC) to interface with CERT-In. This information must be shared with CERT-In per Annexure-II.
Maintenance of Logs: Entities must enable logs of all their ICT systems and maintain them securely within India for a rolling period of 180 days.
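The general directions above can be turned into a simple posture check. The following is an added example, not code from CERT-In or the Directions: it evaluates a host's NTP source chain, log retention and incident-reporting timing against the 6-hour and 180-day parameters stated above. The NTP hostnames are hypothetical placeholders (substitute the hostnames published by NIC/NPL), and the posture values are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))
REPORT_WINDOW = timedelta(hours=6)   # Direction: report within 6 hours of notice
LOG_RETENTION_DAYS = 180             # Direction: rolling 180-day log retention

# Hypothetical placeholders for the NIC / NPL NTP hostnames; substitute the
# hostnames actually published by those institutions.
APPROVED_NTP = {"ntp.nic.placeholder", "ntp.npl.placeholder"}


@dataclass
class HostPosture:
    ntp_chain: list[str]          # active NTP source and its upstreams, nearest first
    log_retention_days: int
    log_storage_country: str      # ISO country code where logs are stored
    incident_noticed: datetime | None = None
    incident_reported: datetime | None = None


def check_posture(p: HostPosture, now: datetime | None = None) -> list[str]:
    """Return a list of findings; an empty list means no gap was detected."""
    findings: list[str] = []
    # Time sync: the source itself, or an upstream it is traceable to, must be NIC/NPL.
    if not any(host in APPROVED_NTP for host in p.ntp_chain):
        findings.append("NTP: no source traceable to NIC/NPL servers")
    if p.log_retention_days < LOG_RETENTION_DAYS:
        findings.append(f"LOGS: retention {p.log_retention_days}d < {LOG_RETENTION_DAYS}d")
    if p.log_storage_country.upper() != "IN":
        findings.append("LOGS: not stored within India")
    if p.incident_noticed is not None:
        deadline = p.incident_noticed + REPORT_WINDOW
        # An unreported incident is measured against the current time.
        reported = p.incident_reported or (now or datetime.now(IST))
        if reported > deadline:
            findings.append(f"INCIDENT: report {reported - deadline} past the 6-hour deadline")
    return findings


if __name__ == "__main__":
    # Constructed sample: internal relay traceable to an NIC server, reported in 4 hours.
    sample = HostPosture(["corp-ntp.internal", "ntp.nic.placeholder"], 365, "IN",
                         datetime(2022, 7, 1, 9, 0, tzinfo=IST),
                         datetime(2022, 7, 1, 13, 0, tzinfo=IST))
    print(check_posture(sample) or "compliant")
```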
B. Specific directions for data centres, cloud service providers, virtual private network service providers and virtual private server providers. Such entities are to register and store information on their subscribers for at least 5 years. These details include:
C. Specific directions applicable to “virtual asset service providers, virtual asset exchange providers and custodian wallet providers”.
It is pertinent to note that, considering the wide wording of these newly introduced Directions, they are likely to apply to almost every type of business operating within India.
How do Organizations Comply?
The question on everyone's mind relates to incident reporting. So, what do organisations need to do to comply with the CERT-In Directions? To report a cyber security incident, organisations need to follow these steps:
a. The incident is to be reported on the following channels:
b. The contents of the incident report should include: time of occurrence of the incident, information regarding the affected system/network, symptoms observed, and relevant technical information like security systems deployed, actions that were taken to mitigate
c. After you have reported the incident on any of the aforementioned channels, CERT-In will verify the authenticity of the report.
d. CERT-In will then analyse the information provided by the reporting authority and determine whether the incident has occurred. If it is found that the incident has occurred, a “tracking number” will be assigned. Accordingly, the report will be acknowledged and the reporting authority will be provided with the assigned number.
e. After the tracking number is assigned, CERT-In will provide a support team to the system administration for handling the said incident. This will include:
Identification: Determining whether the incident has occurred and, if so, analysing its nature; identifying and protecting evidence; and reporting the same.
Containment: Limiting the scope of the incident in order to minimise the damage caused.
Eradication: Removing the cause of the incident.
Recovery: Taking steps to restore normal operation.
Note: Please note that CERT-In will not physically deploy or send any member to attend the incident response activity. CERT-In has the discretion to decide the priority in assisting response activity to incidents, keeping in view the severity of the occurrence and the availability of resources.
The aforementioned steps are to be conducted in the prescribed format provided in Annexure-II of the said Directions. The Incident Reporting Form can be accessed here: https://www.cert-in.org.in/PDF/certinirform.pdf
Applicability to Foreign Companies
Confusion regarding the applicability of the 2022 CERT-In Directions to foreign entities continues to persist among readers. In this regard, one must peruse Section 1 and Section 75 of the IT Act, 2000. Section 1(2) of the Act clearly states that the IT Act also applies to an offence or contravention committed outside India by any person. Section 75 further clarifies the position by specifying that the Act shall apply to “any offence or contravention committed outside India by any person if the act or conduct constituting the offence or contravention involves a computer, computer system or computer network located in India.”
Therefore, based on the FAQs, it can be inferred that the Directions intend to cover only such foreign entities which have a computer, computer system or computer network in India. This means that foreign companies that do not have technological infrastructure within India may not be subject to the Directions.
Now, you may ask what the process of reporting a cyber incident will be for such foreign entities that do have technological infrastructure within India. The answer is logical: because they are governed by the IT Act, 2000 and fall within the ambit of these Directions, the reporting process is the same as that set out in the Directions. However, one must check the official website of CERT-In for further updates.
What are the Consequences of Non-Compliance?
The CERT-In Directions apply to service providers, intermediaries, data centres, body corporate, Virtual Private Server (VPS) providers, cloud service providers, VPN service providers, virtual asset service providers, virtual asset exchange providers, custodian wallet providers and Government organisations. However, individual citizens are not covered by these Directions. The law governing these Directions is the Information Technology Act, 2000.
As for non-compliance with these newly introduced Directions, the law imposes a hefty penalty. As the Directions are mandatory in nature, non-compliance will result in imprisonment for a period of up to 1 year or a fine of up to INR 100,000, or both. It is pertinent to note that this penalty is in addition to the penalties prescribed under the IT Act for failure to furnish information (where required) and for failure to comply with the provisions of the IT Act and its rules and regulations.
In the case of foreign entities, non-compliance with any provision of the Directions with respect to a computer, computer system or computer network located in India could be considered a contravention of Section 70B of the IT Act.
Many entities and individuals are agitating against the CERT-In Directions that become effective from 27.06.2022. For instance, if a company receives 10 phishing emails in a day, does it need to send 10 separate reports every six hours? The guidelines lack clarity on such questions.
Moreover, people are asking for the removal of certain parts of the Directions, such as the requirement to register VPN users and the linking of identification to IP addresses, arguing that they should be allowed to use such tools. Some say that it infringes the Right to Privacy enshrined under the Constitution of India. We hope CERT-In provides some clarity on these aspects. What do you suggest? Share your thoughts with us on these Directions.
A. Ministry of Electronics and Information Technology, CERT-In Direction No. 20(3)/2022-CERT-In. Available at: https://www.cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf
B. FAQs on Cyber Security Directions of 28.04.2022. Available at: https://www.cert-in.org.in/PDF/FAQs_on_CyberSecurityDirections_May2022.pdf