An exponential increase in nearly all types of cybersecurity incidents has seen governments globally becoming active and taking significant steps to strengthen their cybersecurity posture to safeguard both national interests and citizen data privacy.
For example, according to the Singapore Cybersecurity Strategy 2021, the Government is expanding its efforts to secure its systems and networks and has allocated 8% of the total Government ICT expenditure to cybersecurity.
On March 22, the U.S. Congress also passed a new cybersecurity law that mandates critical infrastructure organizations to report material cybersecurity incidents and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 and 24 hours, respectively. It covers various sectors including the chemical industry, commercial facilities, communications sector, critical manufacturing, dams, financial services companies, food and agriculture sector, healthcare organizations, IT, energy, and transportation.
Even the Securities and Exchange Commission (SEC) is considering new regulations requiring disclosure of “material” cyber incidents within 96 hours.
Back home, the Indian Computer Emergency Response Team (CERT-In), the nodal agency for responding to cybersecurity incidents within India’s jurisdiction, also issued new directions on April 28, 2022, covering system clock synchronization, a new timeline for reporting cyber incidents, the designation of a Point-of-Contact person to interface with CERT-In, and a few other aspects. “These directives must be used in case of any cognizable offense using computer resources or for the handling of any cyber incident,” mentioned CERT-In.
We ran a LinkedIn poll seeking industry leaders’ overall assessment of the mandate.
The poll data indicates that while 20% of respondents are satisfied and consider the mandate in line with their expectations, the majority (80%) either see it as an unclear, short-sighted mandate or think it requires a thorough re-evaluation.
We also reached out to some industry leaders in this domain and sought their opinion on the guidelines as specified. While some say the directive is in line with their expectations, many others are either confused by the lack of clarity or have other apprehensions.
Overall Expert Assessment of the Directive
Gautam Kapoor, Partner, Deloitte India feels this is a good initiative in the right direction as it encourages more sharing across organizations, and says “this particular guideline is important because this will enable us to learn from each other”. Earlier, organizations were reluctant to share such incidents for various reasons. With this new directive, CERT-In mandates such reporting. “One thing, which I think everybody should know is that CERT is also calling out that you need to report any breaches to the OT and the IoT infrastructure as well, that wasn’t there earlier,” adds Kapoor.
On the other hand, Dr. Aditya Mukherjee, Vice President at a US financial services company says, “I find the overall approach an ambitious misstep due to the lack of strategic, operational, and tactical framework and structure around the desired outcomes and goals of these guidelines.”
Agnidipta Sarkar, Group CISO at Biocon also believes the overall approach is quite complex for an enterprise, and CERT-In should engage and help enterprises meet the overall national security intent through active collaboration.
Similarly, Amar Singh, CEO & Founder of Cyber Management Alliance Limited calls it “good intention” while raising some concerns over incident management from CERT-In. He says, “CERT-In will require super-duper analytics, data aggregation, and reporting tools to deal with the FLOOD of data.”
Let’s read on to find out other reactions from the experts:
System Clock Synchronization
Undeniably, a synced time – across systems – is a critical step for generating correct logs when it comes to cybersecurity. The first point of the directive mandates that corporate and government organizations synchronize all their ICT systems clocks to the Network Time Protocol (NTP) Server of the National Informatics Centre (NIC) or National Physical Laboratory (NPL).
CERT-In Directive says that all service providers, intermediaries, data centers, and corporate and government organizations shall connect to the Network Time Protocol (NTP) Server of the National Informatics Centre (NIC) or National Physical Laboratory (NPL) or with NTP servers traceable to these NTP servers, for synchronization of all their ICT systems clocks. Entities having ICT infrastructure spanning multiple geographies may also use accurate and standard time sources other than NPL and NIC, however, it is to be ensured that their time source shall not deviate from NPL and NIC.
“Given that we already have various credible and widely recognized NTPs being used by global corporations operating worldwide, the ask is unnecessary and absurd at this juncture,” says Dr. Mukherjee.
On the other hand, Agnidipta Sarkar thinks syncing clocks with the NIC NTP server is essential for addressing cyber attacks in a coordinated manner. However, changing time servers is a challenge for enterprises with time-dependent business activities. This therefore needs careful planning, testing, and collaborative implementation so that national security is served without impacting the normal business operations of any enterprise.
Likewise, Ritesh Bhatia, Founding Director of V4WEB Cybersecurity considers it a welcome move. He says, “it will help investigate incidents at a more granular level with an accuracy time up to milliseconds that too, locally” referring to the first point in the directive.
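As an added example (not from the article or from CERT-In), a small SNTP client in Python that measures how far a clock deviates from a reference server and rejects unsynchronised or unverified replies: the check an enterprise keeping its own time source needs in order to show that the source does not deviate from NIC/NPL. The server hostname and the 100 ms tolerance are assumptions, and the reply used for the offline demonstration is constructed rather than captured.

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)
REFERENCE_SERVER = "ntp.example.invalid"  # placeholder: substitute the NIC/NPL-traceable server you use

def pack_ts(t):
    """Encode Unix seconds as a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    return struct.pack("!II", int(t) + NTP_EPOCH_OFFSET, int((t - int(t)) * 2**32))
def unpack_ts(raw):
    """Decode a 64-bit NTP timestamp back to Unix seconds."""
    secs, frac = struct.unpack("!II", raw)
    return secs - NTP_EPOCH_OFFSET + frac / 2**32
def build_request(t1):
    """48-byte client packet: LI=0, VN=4, Mode=3, with t1 in the transmit-timestamp field."""
    return b"\x23" + b"\x00" * 39 + pack_ts(t1)

def parse_reply(data, t1, t4):
    """Return (offset, delay) in seconds per RFC 5905; reject replies that cannot be trusted."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    if data[1] == 0:
        raise ValueError("stratum 0: server unsynchronised or kiss-o'-death, do not use")
    if data[24:32] != pack_ts(t1):
        raise ValueError("origin timestamp does not echo our request (stale or forged reply)")
    t2 = unpack_ts(data[32:40])  # server receive time
    t3 = unpack_ts(data[40:48])  # server transmit time
    offset = ((t2 - t1) + (t3 - t4)) / 2  # positive: our clock is behind the server
    delay = (t4 - t1) - (t3 - t2)  # round-trip time excluding server processing
    return offset, delay

def query(host=REFERENCE_SERVER, port=123, timeout=2.0):
    """Send one request over the network and return (offset, delay) against host."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(build_request(t1), (host, port))
        data, _ = sock.recvfrom(48)
        t4 = time.time()
    return parse_reply(data, t1, t4)

def within_tolerance(offset, tolerance=0.1):
    """True when |offset| is acceptable; 0.1 s is an assumed limit, the directive gives none."""
    return abs(offset) <= tolerance

def make_reply(t1, t2, t3, stratum=1):
    """Constructed server reply for offline demonstration (not real server output)."""
    header = bytes([0x24, stratum]) + b"\x00" * 22  # LI=0, VN=4, Mode=4; other header fields zeroed
    return header + pack_ts(t1) + pack_ts(t2) + pack_ts(t3)
```

Run `query()` against each candidate time source and the reference; a persistent offset beyond the tolerance between the two is what an auditor would read as deviation from NIC/NPL.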
New 6-hour Timeframe for Reporting Cyber Incidents
CERT-In Directive says: according to Annexure I, all organizations must report cyber incidents within 6 hours of noticing them.
On discussing this matter with the infosec leaders, these are the comments we received from them: “6-hour is a small timeline”, “investigations take time and cannot be concluded within 6 hours”, “too many details to be shared that are beyond our current Non-Disclosure Agreement (NDA) with the clients/customers”, “no clear directions around starting of 6 hours countdown”, “short timeline will put extreme pressure on SOC team”.
The 6-hour incident reporting timeline is the point that caught the most attention from the security experts. The directive does not clarify whether it seeks only top incidents to be reported or all types of incidents. Also, imagine an incident occurring at 3 am: how can that be reported within 6 hours? What consequences will an organization incur if it fails to comply? These challenges need to be thought through.
“Complying with CERT-In isn’t an issue, it is actually an honour. The question is how it can be done on a win-win model,” feels Agnidipta Sarkar.
The mandate could certainly be an issue – especially for organizations that are still maturing in security as it may require more funds for cybersecurity tools and additional talent acquisition.
Maintaining Logs for 180 Days
CERT-In Directive wants organizations to enable logs and securely maintain them for a rolling period of 180 days. These logs will be provided to CERT-In along with reporting of any incident or when ordered/directed by CERT-In.
Retaining security logs is a critical part of any cybersecurity strategy: event logs let organizations meet compliance requirements and support forensic investigations.
“The log retention mandate is an appropriate ask, however, CERT-In is yet to clarify the technical details and approach. Another aspect to ponder on is to what extent and how CERT-In would assist organizations and its maturity, and sophistication to do so,” says Dr. Mukherjee.
Similarly, Gautam Kapoor feels a 180-day log retention period is just right to begin with, though it could be increased over time. “While it does increase the cost of compliance, you only realize the power of the logs when you are breached,” says Kapoor, commenting on the financial and performance stress that comes along with log retention.
Maintaining Customer Information for 5 Years
CERT-In Directive says that Data Centres, Virtual Private Server (VPS) providers, Cloud Service Providers, and Virtual Private Network Service (VPN Service) providers, shall be required to register the following accurate information, which must be maintained by them for a period of 5 years or longer as mandated by the law after any cancellation or withdrawal of the registration:
- Validated names of subscribers/customers hiring the services
- Period of hire (including dates)
- IPs allotted to/being used by the members
- Email and IP addresses and time stamp used at the time of registration/on-boarding
- Purpose for hiring services
- Validated address and contact numbers
- Ownership pattern of the subscribers/customers hiring services
As quoted in Economic Times, “We are committed to protecting the privacy of our customers, therefore, we may remove our servers from India if no other options are left,” said Laura Tyrylyte, NordVPN’s security spokesperson.
Ensuring Financial Security with 5 Year Records
CERT-In Directive says the virtual asset service providers, virtual asset exchange providers, and custodian wallet providers (as defined by the Ministry of Finance from time to time) shall mandatorily maintain all information obtained as part of Know Your Customer (KYC) and records of financial transactions for a period of 5 years, so as to ensure cybersecurity in the areas of payments and financial markets for citizens while protecting their data, fundamental rights, and economic freedom in view of the growth of virtual assets.
Ratan Jyoti, CISO, Ujjivan Small Finance Bank Limited welcomes the step from CERT-In in view of the ongoing digital transformation at every level post-COVID, and specifically in the BFSI sector.
“The growth of virtual assets has been abundant in the last few years, and keeping in view the sensitivity and intricacies of the stakeholders and the technologies involved in creating, maintaining, and using such virtual assets, it was inevitable to have an oversight on the transactions involved using virtual assets and keeping the interests of the end-customer and the economy as a whole.”
The directions mandate applicable service providers to keep end-to-end records of the data being collected as part of various activities – right from customer onboarding (KYC) to the financial transactions being carried out. This will not only safeguard customers’ interests but also help the service providers trace back multiple things and take proactive action before there is much damage.
In addition, this also helps the regulators and authorities understand the modus operandi in cases of fraud, specifically international fraud, and thus take appropriate action. This will indirectly benefit the nation in building a strong financial ecosystem.
Privacy & Cybersecurity Go Hand in Hand
We also reached out to Sameer Anja, a data privacy expert and the co-founder of Arrka, and sought his opinion on some of the issues from a privacy standpoint. We are quoting him as is:
From the Organization’s perspective:
- The organization will need to clearly mention in its Privacy Notice that the data will be shared with CERT-In upon request.
- Further, the organization will need to put controls in place to ensure that this data does not get used within the organization for any other purpose.
- The organization will also need to ensure the data is kept secure during the specified retention periods.
From CERT-In’s perspective:
- It will need to ensure the data is strictly used for the purpose of network & Information Security only.
- And, it does not get misused for other purposes by them or, if disclosed further to other govt entities, then by those entities either.
“From a VPN Provider’s perspective where the provision of anonymous browsing or ‘hide my data’ features are provided, the same will have to be tweaked to meet the laws & regulations of the country,” adds Sameer.
Our overall impression is that the directive is a disruptive step in the right direction, and that organizations are willing to comply with it and are ready to report all types of cyber incidents required by the law. That said, how CERT-In will respond to those incidents and provide further remediation steps is the big question on which cybersecurity practitioners have very little clarity.
The lack of clarity also leaves room for open-ended discussion, since the directive raises many unanswered questions: when the customer should be informed in the case of a data breach, what the consequences of not complying with the mandate are, how CERT-In is going to handle the data it receives, and which running services need to be logged, to name only a few.
While some cybersecurity practitioners reserved their comments, considering it an evolving issue, others have strong opinions on this short-sighted mandate and have suggested further re-evaluation and open consultation with the larger industry and experts.
Indeed, the government needs to understand organizations’ pain points, provide more clarity on each point, and seek and encourage collaboration with information security experts so that its policies are better aligned with the IT industry and more effective.
What do you think about India’s new cybersecurity directive? Share your opinion in the comments below.