- Commercial Law Advisors
CERT-IN Direction on Information Security Practices and Reporting of Cyber Incidents
The Indian Computer Emergency Response Team (“CERT-In”) is the national nodal agency established by the Central Government under section 70B of the Information Technology Act, 2000 (the “IT Act”). CERT-In is entrusted with protecting and maintaining cybersecurity in the country, and has been given the power to call for information from, and issue directions to, service providers, intermediaries, data centres, body corporates and government organisations.
Pursuant to this power, CERT-In issued the Direction on Information Security Practices, Procedure, Prevention, Response and Reporting of Cyber Incidents for Safe & Trusted Internet (the “Direction”). The Direction was issued on April 28th 2022 and came into force on June 27th 2022. It is intended to augment and strengthen cybersecurity in the country and to enable CERT-In to take emergency measures.
APPLICABILITY OF THE DIRECTION
The Direction shall apply to all the following entities (“Entities”):
Body corporates (as defined under the Information Technology Act, 2000),
Virtual Private Server (VPS) providers,
Cloud service providers,
VPN service providers,
Virtual asset service providers,
Virtual asset exchange providers,
Custodian wallet providers.
The Direction has extraterritorial application: it applies to all Entities, including those operating outside India, in respect of any cyber incident (“Incident”) involving a computer, computer network or system located in India. Individuals are not covered by the Direction.
Virtual private server providers, cloud service providers, VPN service providers and data centres have the additional obligation of maintaining certain subscriber information for a period of five years or longer. Similarly, virtual asset service providers, virtual asset exchange providers and custodian wallet providers (as defined by the Ministry of Finance from time to time) are mandatorily required to maintain all information obtained as part of Know Your Customer (KYC) and records of financial transactions for a period of five years.
The Direction also applies to intermediaries (as defined under the IT Act). Intermediaries include social media intermediaries, defined under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (the “Intermediary Guidelines”). Rule 3(1)(l) of the Intermediary Guidelines makes it mandatory for intermediaries to report Incidents to CERT-In. Rule 13 of the CERT-In Rules, 2013 specifies the types of Incidents to be reported by intermediaries, in addition to those listed in Annexure I of the Direction of 28.04.2022.
A further ambiguity concerns applicability: apart from “body corporate” and “intermediary”, none of the other Entities is defined, and the definitions are left to the Ministry, which has not issued any so far. The FAQs also fail to clarify the definitions of these Entities.
i. REPORTING OF CYBERSECURITY INCIDENTS:
The Entities are mandated to report any Incident of a type listed in Annexure I of the Direction within six hours of noticing it or of its being brought to their notice. This is a major shift from the CERT-In Rules, 2013, which did not stipulate any time frame for reporting Incidents.
If all the information required by CERT-In is not available within six hours of becoming aware of the Incident, the remaining information can be reported later within a reasonable period of time.
Any Incident listed in Annexure I, any Incident of a severe nature, data breaches and data leaks, large-scale or frequent Incidents, and Incidents affecting the safety of human beings must be reported within the six-hour window. Reporting an Incident is a statutory mandate and will therefore override any contractual confidentiality restrictions.
The FAQs issued by CERT-In specify that standalone vulnerabilities unconnected with an Incident need not mandatorily be reported.
The FAQs clarify what amounts to a data breach and a data leak. A data leak to any untrusted environment is a reportable Incident. This definition is very broad, open-ended and subjective.
The scope of reportable Incidents has been expanded from that of the CERT-In Rules, 2013.
One issue is that no threshold is stipulated for the impact, severity or scale of an Incident that must be reported.
The Entities should be given the opportunity to decide on reporting based on severity. The Direction also does not take into account the capacity of the Entities to respond to such Incidents, and CERT-In has not provided a graded time frame based on the severity of the Incident.
The reporting timeline should depend on the sector, the sensitivity of the data, the nature of the domain, the impact of the Incident, and so on.
The Direction deals only with reporting and says nothing about liability for the Incidents themselves.
ii. MAINTAINING LOGS:
Service providers, data centres, body corporates and government organisations are mandated to maintain logs of all their ICT (Information and Communication Technology) systems for a rolling period of 180 days. The logs must be provided to CERT-In along with the report of an Incident, or when ordered or directed by CERT-In.
The Direction also requires all Entities to designate a Point of Contact (POC), even when the Entity does not physically operate in India.
The concern here is that communication systems, information systems and computer systems are already broadly defined under the IT Act, and the Direction appears to broaden the scope further.
Read literally, the Direction would require all Entities, even those without a physical presence in India, to store their logs in India. The FAQs have clarified this point: logs may be maintained outside India as long as they are provided to CERT-In when requested. Logs of financial transactions, however, must be maintained in India.
The FAQs clarify that ICT logs include firewall, IDS and IPS logs, critical application logs, etc. What constitutes a critical application log varies from company to company, and the Entities should be allowed to decide which application logs are critical for their business.
iii. SUBSCRIBER DATA RETENTION:
Data centres, Virtual Private Server providers, VPN service providers and cloud service providers are mandated to register and maintain the following information: a) validated names of the subscribers hiring the service; b) period of hire; c) IPs allotted to or being used by the subscribers; d) email address, IP address and timestamp used at the time of registration/on-boarding; e) validated address and contact number; f) purpose of hire; and g) ownership pattern of the subscribers/customers. The Direction requires these service providers to maintain this information for a period of five years or longer as required by law.
In this regard the FAQs clarify that this mandate does not apply to enterprise and corporate VPNs; VPN service providers in this context are Entities that provide ‘Internet proxy like services’ through the use of VPN technology. The FAQs also clarify that the ‘ownership pattern’ needs to include basic information on whether the subscriber or customer is an individual, partnership, association or company, with brief particulars of the key management.
The Direction mandates virtual asset service providers, virtual asset exchange providers and custodian wallet providers to maintain all information collected as part of Know Your Customer (KYC) and records of all financial transactions for a period of five years. Earlier, the requirement to maintain KYC records was imposed only on Entities regulated by the financial regulators. The scope of Entities that must maintain KYC details has now been expanded, while there is still no proper definition of the service providers named in the Direction: the Direction states that the Ministry of Finance shall define them, but no definition has yet been provided. This requirement can also be seen as overreach on the part of CERT-In, since these matters are regulated under the financial statutes and their compliance regimes.
With regard to the sharing of logs with CERT-In, the FAQs clarify that this will not happen on a continuous basis and will take place only in the event of an Incident.
iv. SYNCHRONISATION OF SYSTEM CLOCKS:
The Direction requires all Entities to synchronise their ICT system clocks with the Network Time Protocol (“NTP”) servers of the National Informatics Centre (“NIC”) or the National Physical Laboratory (“NPL”), or with NTP servers traceable to them. An NTP server provides a timestamp in Coordinated Universal Time (“UTC”); the conversion from UTC to local time is done on the host that receives the NTP sync from the server, and NPL and NIC provide UTC time as per global norms. In this regard the FAQs clarify that the Entities need not set their system clocks to Indian Standard Time (“IST”). The Entities may use other standard time sources as long as these do not deviate from the NIC/NPL time. Customers on cloud environments can also continue to use their native time source, or set up their own NTP servers.
It will be difficult to ensure that other time sources do not deviate from the NIC/NPL time. Directing all ICT system clocks to a single set of government servers also raises the risk of a single point of failure and a single point of attack.
It is therefore suggested that CERT-In should allow the Entities to synchronise with other servers as long as these do not deviate from UTC and provide an accurate timestamp, and that the Entities should not be burdened with synchronising with the government NTP servers.
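The “deviation” the FAQs refer to is measurable: an NTP client computes the offset of its own clock from the server from the four timestamps of one request/reply exchange. The following is an added illustration of that arithmetic and of the sanity checks a client applies to a reply; it is not code from CERT-In, the Direction or the FAQs. The server reply is constructed in the script rather than captured from NIC or NPL, and the 1-second tolerance in `check_reply` is an assumed policy value, since the Direction sets no numeric tolerance.

```python
"""NTP offset check, offline: build a client request, parse a server reply and
compute the local clock's offset as an RFC 5905 client does.
Added example; the server reply is constructed, not a captured exchange."""
import struct
from datetime import datetime, timezone

NTP_TO_UNIX = 2_208_988_800      # seconds from the NTP epoch (1900-01-01) to the Unix epoch (1970-01-01)
PACKET_FORMAT = "!BBbbIIIQQQQ"   # 48-byte NTPv4 header, network byte order
PACKET_SIZE = struct.calcsize(PACKET_FORMAT)
MODE_CLIENT, MODE_SERVER = 3, 4
LI_UNSYNC = 3                    # leap indicator 3: server clock not synchronised


def unix_to_ntp(ts: float) -> int:
    """Unix seconds (float, UTC) -> 64-bit NTP timestamp: 32-bit seconds | 32-bit fraction."""
    whole = int(ts)
    frac = int((ts - whole) * (1 << 32))
    return ((whole + NTP_TO_UNIX) << 32) | frac


def ntp_to_unix(value: int) -> float:
    """64-bit NTP timestamp -> Unix seconds (float, UTC); local-time conversion is the host's job."""
    return ((value >> 32) - NTP_TO_UNIX) + (value & 0xFFFFFFFF) / (1 << 32)


def build_packet(mode: int, stratum: int, ref_id: bytes, origin: int, receive: int, transmit: int) -> bytes:
    """Pack an NTPv4 header. Timestamp arguments are 64-bit NTP values (0 = unset)."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode   # LI=0, version 4, mode
    ref = int.from_bytes(ref_id.ljust(4, b"\0")[:4], "big")
    return struct.pack(PACKET_FORMAT, li_vn_mode, stratum, 6, -20, 0, 0, ref,
                       0, origin, receive, transmit)


def build_client_request(t1: float) -> bytes:
    """A client request: mode 3, the client's send time T1 in the transmit field."""
    return build_packet(MODE_CLIENT, 0, b"", 0, 0, unix_to_ntp(t1))


def build_server_reply(t1: float, t2: float, t3: float, stratum: int = 1, ref_id: bytes = b"GPS") -> bytes:
    """A server reply: mode 4, echoing the client's T1 as origin, with its own receive/transmit times."""
    return build_packet(MODE_SERVER, stratum, ref_id, unix_to_ntp(t1), unix_to_ntp(t2), unix_to_ntp(t3))


def parse_packet(data: bytes) -> dict:
    if len(data) < PACKET_SIZE:
        raise ValueError(f"short NTP packet: {len(data)} bytes")
    (li_vn_mode, stratum, _poll, _precision, _root_delay, _root_disp, ref_id,
     _reference, origin, receive, transmit) = struct.unpack(PACKET_FORMAT, data[:PACKET_SIZE])
    return {"leap": li_vn_mode >> 6, "version": (li_vn_mode >> 3) & 0x7, "mode": li_vn_mode & 0x7,
            "stratum": stratum, "ref_id": ref_id.to_bytes(4, "big"),
            "t1": ntp_to_unix(origin), "t2": ntp_to_unix(receive), "t3": ntp_to_unix(transmit)}


def clock_offset(t1: float, t2: float, t3: float, t4: float) -> tuple:
    """RFC 5905 client arithmetic: offset of the local clock from the server, and round-trip delay."""
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def check_reply(reply: bytes, sent_t1: float, t4: float, max_offset_s: float = 1.0) -> dict:
    """Validate a reply against the request we sent and report whether the local clock is in tolerance.
    max_offset_s is an assumed policy value (the Direction sets no numeric tolerance)."""
    p = parse_packet(reply)
    if p["mode"] != MODE_SERVER:
        raise ValueError(f"unexpected NTP mode {p['mode']}")
    if p["leap"] == LI_UNSYNC:
        raise ValueError("server reports its own clock as unsynchronised")
    if not 1 <= p["stratum"] <= 15:
        raise ValueError(f"server stratum {p['stratum']} is not a usable time source")
    if abs(p["t1"] - sent_t1) > 1e-6:   # origin must echo our T1, else the reply is stale or spoofed
        raise ValueError("origin timestamp does not echo our request")
    offset, delay = clock_offset(p["t1"], p["t2"], p["t3"], t4)
    return {"offset_s": offset, "delay_s": delay, "stratum": p["stratum"], "ref_id": p["ref_id"],
            "server_utc": datetime.fromtimestamp(p["t3"], tz=timezone.utc).isoformat(),
            "within_tolerance": abs(offset) <= max_offset_s}


# Constructed scenario (not a captured exchange): the local clock runs 3.5 s fast and the
# network path takes 50 ms each way, so the reply should reveal an offset of about -3.5 s.
T1_LOCAL = 1_700_000_000.00    # local clock when the request is sent
T2_SERVER = 1_699_999_996.55   # server clock on receipt (true UTC)
T3_SERVER = 1_699_999_996.57   # server clock on transmit
T4_LOCAL = 1_700_000_000.12    # local clock when the reply arrives


def run_example() -> dict:
    request = build_client_request(T1_LOCAL)
    assert request[0] == 0x23      # LI=0, VN=4, mode=3
    reply = build_server_reply(T1_LOCAL, T2_SERVER, T3_SERVER)
    return check_reply(reply, T1_LOCAL, T4_LOCAL)


if __name__ == "__main__":
    print(run_example())
```

In the constructed scenario the computed offset is about -3.5 s with a 100 ms round-trip delay, so `within_tolerance` is false and the host would be flagged as deviating from its time source. For a live check against a real server, the same `check_reply` can be applied to the 48 bytes returned by a UDP exchange on port 123, recording T1 and T4 from the local clock; the origin-timestamp and stratum checks are what stop an unsolicited or unsynchronised reply from being accepted as a reference.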
Any non-compliance with the Direction entails penalty or punitive action under section 70B(7) of the IT Act. The FAQs point out that punitive action will be taken only when non-compliance is deliberate.
Section 43A, Information Technology Act, 2000: “body corporate” means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities.
Section 2(w), Information Technology Act, 2000: “intermediary”, with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cyber cafes.
Rule 2(w), IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021: “social media intermediary” means an intermediary which primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services.
FAQs on CERT-In Cyber Security Directions of 28.04.2022, Annexure I, xi: A Data Breach is a cyber-incident where information is stolen or taken from a system without the knowledge or authorization of the system's owner. Stolen data may involve sensitive, proprietary, or confidential information such as credit card numbers, customer data, trade secrets, or theft of Intellectual property etc. Most data breaches are caused due to un-plugged vulnerabilities, hacking or malware attacks.
FAQs on CERT-In Cyber Security Directions of 28.04.2022, Annexure I, xii: Data Leak is the release of sensitive, confidential or protected data to an untrusted environment. Data Leaks can be used by threat actors for malicious activities and can be due to accidental causes such as lack of proper safeguards to protect data, improper configuration, user error, backdoors, vulnerabilities etc.