CERT‐In Rules and Directions 

With an increasing number of Indians using the Internet and cyberspace and the goal of a $1 trillion digital economy by 2026, the Government of India is taking steps to strengthen cybersecurity in India. It has established an evolving framework comprising statutes, rules, directions and supervisory agencies intended to keep cyberspace safe for individuals and businesses.

CERT‐In

The Indian Computer Emergency Response Team (“CERT-In”) is a national organisation appointed[1] by the Government of India to ensure cyber safety in India.

Functions of CERT-In. The functions of CERT-In are[2]:

  • a) collection, analysis, and dissemination of information on cyber incidents;
  • b) forecast and alerts of cyber security incidents;
  • c) determining emergency measures for handling cyber security incidents;
  • d) coordination of cyber incidents response activities;
  • e) issuing guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, prevention, response, and reporting of cyber incidents; and
  • f) such other functions relating to cyber security as may be prescribed.

[1] The appointment was made vide notification dated 27 October 2009 in terms of section 70B of the Information Technology Act, 2000 (“IT Act”).

[2] Section 70B(4) of the Information Technology Act, 2000.

The CERT-In Rules[3] prescribe how CERT-In performs its functions and provide for the level of support provided by CERT-In concerning different types of ‘cyber security incidents’.[4]

Powers of CERT-In. CERT-In is the referral agency for cyber users in India for responding to cyber security incidents.[5] CERT-In is empowered to seek information from and issue directions to service providers, intermediaries, data centres, body corporate, and other persons to carry out its functions.[6] Information regarding logs may be requisitioned by an officer of CERT-In, not below the rank of Deputy Secretary to the Government of India. The CERT-In Rules also set out the procedure to be followed if such information is not provided. Persons that fail to provide the information called for or follow directions issued by CERT-In may be punished with imprisonment, a fine or both.[7]

Cyber Security Directions[8]

The Cyber Security Directions provide a framework for ensuring cyber security in India. They were issued pursuant to consultations with industry and government organisations and other stakeholders.  

[3] Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 published vide notification dated 16 January 2014 pursuant to section 70B(5) of the IT Act read with section 87(zf) of the IT Act.

[4] Rule 11 of the CERT-In Rules.

[5] Rule 8 of the CERT-In Rules.

[6] Rule 14 of the CERT-In Rules.

[7] Section 70B(7) of the IT Act.

[8] Directions dated 28 April 2022 issued by the Ministry of Electronics and Information Technology, CERT-In under section 70B(6) of the Information Technology Act, 2000 relating to information security practices, procedure, prevention, response and reporting of cyber incidents for Safe & Trusted Internet, No. 20 (3)/2022-CERT-In.

Persons Covered by Cyber Security Directions. Service providers, ‘intermediaries’[9], data centres, body corporate, Virtual Private Server (VPS) providers, cloud service providers, Virtual Private Network (VPN) service providers, virtual asset service providers, virtual asset exchange providers, custodian wallet providers and government organisations (“Parties Covered by CERT-In Directions”) are required to comply with the Cyber Security Directions.

Duty to Report. Parties Covered by CERT-In Directions are required to immediately report[10] cyber security incidents to CERT-In. The methods and formats of reporting cyber security incidents are published on CERT-In’s website.

Duty to Synchronise. Parties Covered by CERT-In Directions are required to connect to the Network Time Protocol (NTP) Server of the National Informatics Centre (NIC) or National Physical Laboratory (NPL), or to NTP servers traceable to these NTP servers, for synchronisation of all their ICT system clocks. This means that the clocks in the networks of the service providers, intermediaries, data centres, body corporate and governmental organizations must be in sync with the NTP server and show exactly the same time as it does. This, in turn, will help in determining the exact time when a cyber security incident took place.

Duty to Maintain Logs. The Cyber Security Directions also mandate that Parties Covered by CERT-In Directions maintain logs of all their ICT systems and maintain them securely for a rolling period of 180 days. The said logs are to be maintained within the jurisdiction of India and must be provided to CERT-In while reporting a cyber security incident or when so directed or sought by CERT-In.

[9] Defined in section 2(w) of the IT Act.

[10] Rule 12 of the CERT-In Rules.

Duty to Know Customer. Data centres, VPS providers, cloud service providers and VPN service providers are required to maintain accurate information about subscribers/customers and the hiring services availed by subscribers etc. for a period of five years or such longer duration according to law after cancellation or withdrawal of the registration.

Overall, the Cyber Security Directions are intended to improve India’s cyber security framework so that the Internet is safe for its citizens.

Things to Think About

Issues related to the CERT-In Rules or the Cyber Security Directions that require deeper thinking include:

  • How do the CERT-In Rules or the Cyber Security Directions affect the individual right to privacy?
  • Are confidentiality agreements affected by the CERT-In Rules or the Cyber Security Directions?
  • Do the CERT-In Rules or the Cyber Security Directions cover non-Indian entities?
  • How is the confidentiality of customer data that may be reported to CERT-In ensured? How should data that is required to be disclosed to CERT-In that belongs to data subjects covered by data protection regimes such as GDPR be handled?
  • Where should the logs that may be requisitioned by CERT-In be stored?