Rootconf and Privacy Mode recommend that stakeholders who are impacted by the CERT-In 2022 directions should directly engage CERT-In in public consultation, and rally for more transparent consultative processes in the future.
On 28th April 2022, the Indian Computer Emergency Response Team (CERT-In) issued new directions under sub-section (6) of section 70B of the Information Technology Act, 2000 relating to information security practices, procedure, prevention, response, and reporting of cyber incidents for the “safe & trusted internet”. Rootconf community members held a discussion on the 4th of May 2022 to discuss critical concerns regarding the newly issued directions and the impact they would have on business operations and privacy.
To discuss some of these ambiguities, Rootconf, Privacy Mode, and FOSS United Foundation co-organized an online panel discussion on the 20th of May. The panel included Richa Mukherjee, Director of Public Policy and Corporate Affairs at PayU India; Srinivas Kodali, an independent researcher; and Prateek Waghre, Policy Director at Internet Freedom Foundation. The session was moderated by Sonali M, Associate at 9.9 Insights, Strategic Advisor to Albright Stonebridge Group.
A document of FAQs was made publicly available by CERT-In days prior to this meeting, which the panelists also engaged with. The discussion was designed to help the audience gain a better understanding of the impact, especially on data governance and operational practices, and the potential methods for stakeholder engagement. The expert panel shared key insights and recommendations in response to the directions, and participated in an interactive live Q/A session with the audience. In the audience were representatives from teams responsible for implementation of and compliance with these directions; Ops and Admins; independent researchers and journalists who cover the IT sector in India.
In her opening remarks as a moderator, Sonali noted that these directions were released in the backdrop of certain bills and policies such as the draft Data Protection bill and a Data Governance Policy around data sharing, which increase cumulative compliance burdens on business entities and are likely to raise costs and operational challenges. The CERT-In 2022 directions are more concerning as the compliance requirements are far more strenuous in comparison.
Key Concerns
1. Tech Ecosystem: Srinivas highlighted the technical challenges that entities might face in implementing these guidelines, especially with requirements such as time synchronization, reporting timeframes, and log maintenance.
- The primary challenge for businesses in implementing these guidelines would be an increased need for resources. As per Direction (iv), logs must be maintained continuously for 180 days, which is an “assumed standard in India”. This would likely increase the cost of storage and operations due to the high volume and different types of logs. The impact also depends on the size of the business, as a larger business would incur much higher costs.
- With regards to individuals’ privacy, Direction (v) ensures an end to anonymity as it asks VPN service providers to store user data for a minimum of 5 years.
- The mandatory nature of Direction (i), which requires time synchronization, poses an issue for multinational companies, as it would be very resource-intensive to synchronize to Indian time server infrastructure. Smaller firms and start-ups may even be forced to rethink their business approaches due to a lack of extensive resources.
- The 6-hour reporting time mentioned in Direction (ii) poses two issues: the staffing capacity required to meet it might be prohibitive for businesses that operate at a smaller scale, and some incidents are complex because of the sophisticated nature of the attack, so merely reporting within 6 hours is going to be very difficult.
- The directions do not provide additional clarity about the role, participation and engagement of CERT-In after an incident report has been logged. This is particularly significant if sophisticated, major attacks are reported.
- CERT-In is not answerable to RTI, which leads to a lack of accountability.
2. Fintech Ecosystem: Richa shared her views on PayU’s key challenges in complying with these guidelines and whether the time limit of 60 days is adequate to implement their requirements.
- With regards to Direction (ii), the 6 hours reporting time is inadequate for a detailed root cause analysis (RCA) and to understand the type of ransomware, malware, etc. that may have attacked the system.
- There is a need to define a severity methodology so that only the most severe incidents are reported.
- There is also the topic of how logs will be audited which could determine the data format in which logs will need to be processed for submission. It would be relevant for businesses to understand the subsequent steps from providing CERT-In with incident logs and reports.
- Companies in highly regulated sectors like fintech are required to maintain logs of their ICT systems and this is covered by guidelines from RBI. In this case, the CERT-In directions do not clearly specify and define ICT systems.
- The directions also make it clear that CERT-In can, in real time, order specific actions and/or demand information. This will have to be included in standard incident handling processes, as organizations will be more focused on incident analysis, risk mitigation and reporting to affected parties.
3. Consequences: Prateek shed light on the consequences of the directions which were issued in the absence of a data protection bill, the common perception of the industry towards the guidelines, and also the concerns identified by the Internet Freedom Foundation with regards to the directions.
- One of the concerns is that these guidelines had been issued without any public consultation, as it was assumed to be unnecessary since the directions do not affect the “aam aadmi” (common man). However, it was concluded that while the directions are not meant for individuals, they still affect individuals.
- Even with the recent release of the FAQs, which would ideally be brought up in a public consultation, there is still a considerable amount of ambiguity regarding what does and does not apply to one, as well as penal provisions.
- These directions are coming into play without a Data Protection Bill, which is an area of concern for individual users and their privacy.
Recommendation
Having direct engagement with CERT-In is recommended for those entities that are deeply impacted by the directions.
About Rootconf
Rootconf started as an annual conference for practitioners from DevOps, and now SRE, to share approaches to solve infrastructure-related challenges. It has now diverged into a continuous community engagement programme with focus on data security, CloudOps, DataOps, and more. In April 2020, Rootconf collaborated with the Privacy Mode programme to host a conference on data privacy in engineering and product.
About Privacy Mode
Privacy Mode is a growing community on data privacy, with a focus on engagement with policy and improving the overall privacy ecosystem from consumer and maker standpoints.
Please take a look at our topic map (at the end of the page) which charts the various streams of data privacy we work/plan to work on if you’re interested in collaboration.
For further information, please contact us at PrivacyMode@hasgeek.com.