Last week, major VPN providers Surfshark, NordVPN and ExpressVPN pulled their servers from India. The VPN providers argued that the cybersecurity directions issued on April 28, 2022 by the Indian Computer Emergency Response Team (CERT-In) would render their privacy-focused business model meaningless, since the directions require them to log the details of everyone who accesses their servers. The directions come into effect on June 28, 2022. The CERT-In directions have also drawn strong backlash from other tech companies, which believe that the VPN exodus is only the beginning and that the fallout will not be limited to VPNs.
Concern about timing of incident reporting
In May, 11 industry bodies wrote a joint letter to the Director General of CERT-In, expressing concern about the harmful impact of the directions on cybersecurity and the difficulty they pose for companies trying to do business online in India. The companies specifically pointed to the six-hour incident reporting deadline and the overly broad definition of reportable incidents as problematic.
Globally, cybersecurity regulations provide for a proportionate and graduated incident reporting schedule: the more critical the sector and the more serious the incident, the stricter the reporting requirement. The CERT-In directions lack this differentiation. They take the unusual approach of requiring every covered entity, whether an intermediary, a cloud service provider, a data centre, a government organisation or an enterprise, to meet the same uniform six-hour incident reporting deadline, regardless of the severity of the incident.
Rapid incident reporting enables cybersecurity agencies to quickly identify patterns that could be part of larger systemic attacks. Although short deadlines are not unprecedented, most advanced countries prescribe such deadlines for a narrow set of priority sectors such as banking, finance and critical infrastructure.
In France, the financial sector must report major cybersecurity incidents within four hours. The country has detailed guidelines for identifying what qualifies as a major incident, and it usually takes up to 24 hours to classify an attack. Other organisations have 72 hours to report an incident. Similarly, in the UK, financial institutions are required to immediately report only "material cyber incidents", i.e. incidents resulting in a significant loss of data or loss of control of a computer system. Other sectors have up to 72 hours to report data breaches.
Unreasonably short deadline
Leading industry bodies, such as the Information Technology Industry Council (ITI) and The Software Alliance (BSA), have argued that the prescribed time frame for reporting cybersecurity incidents is too short and may interfere with an organisation's ability to deploy immediate defensive measures after an incident. Instead, they recommend that organisations be given a minimum of 72 hours to report such attacks.
A notable aspect of the CERT-In directions is that organisations will have to report even attempted cyberattacks within six hours. The listed incidents range from phishing attacks, in which scammers send fraudulent messages or emails to steal personal information, to denial-of-service attacks, in which a computing resource is flooded with unmanageable traffic to render it inaccessible.
To address these questions, CERT-In published a set of Frequently Asked Questions (FAQs) in May. Through the FAQs, it limited the scope of incidents to be reported to "incidents of a serious nature". However, it did not define the threshold for that severity, leaving it open to wide interpretation. Large digital platforms face hundreds of thousands of cyberattacks every day. In the absence of a clear and unambiguous stipulation, such a reporting obligation becomes onerous.
In some cases, premature reporting of cybersecurity incidents can cause more harm than good. If an affected organisation reports an incident before it has a fix in place, other malicious actors may learn of the flaw and exploit it, leading to more attacks. This is especially true of zero-day exploits, i.e. attacks in which threat actors exploit a vulnerability that was previously unknown to the victim organisation. In 2021, Microsoft Exchange servers were attacked in an espionage campaign by Hafnium, a Chinese hacking group. Although Microsoft took steps to address the vulnerability, the scale of the attacks rose sharply as soon as the incidents were made public. So, while mandatory reporting is a crucial step towards a secure cyberspace, CERT-In may consider limiting the applicability of the six-hour deadline to a defined set of priority sectors.
Prerequisites for a secure cyberspace
India was the third most cyber-attacked country in the Asia-Pacific region, according to IBM Security's X-Force Threat Intelligence Index 2022. The Ministry of Electronics and Information Technology (MeitY) told the Lok Sabha in February 2022, in response to a question, that over 1.6 million cybersecurity incidents had been reported in India. A secure cyberspace is essential to India's aspiration of becoming a trillion-dollar digital economy. However, the country cannot achieve this goal without carefully crafted cybersecurity rules that meet the changing needs of an emerging technology sector.
The US Cyberspace Solarium Commission has pointed out that transparent collaboration between government and the private sector is a non-negotiable prerequisite for a secure cyberspace. Such partnerships can yield constructive results in India and ensure the security and democratization of the country’s technology sector.
India has shown goodwill in this regard. At a government-industry meeting on June 10, MeitY offered some concessions on the directions and assured industry leaders that they would be reviewed 90 days after implementation. While an agile regulatory approach is always welcome in technology regulation, prior consultation with the relevant stakeholders could have alleviated these friction points and led to a smoother implementation.
Aditi Chaturvedi is Head of Legal at Koan Advisory. She is an engineer and a lawyer specializing in technology policy. She tweets @aditi_chaturved. Priyesh Mishra is a senior partner at Koan Advisory. He is a former LAMP Scholar and served as a policy adviser to an Indian MP. Views are personal.
This article is part of the ThePrint-Koan Advisory series that analyses emerging policies, laws and regulations in the Indian tech sector.
(Editing by Zoya Bhatti)