CERT-In’s new cybersecurity directive is a misadventure
On April 28, the Indian Computer Emergency Response Team (CERT-In), the statutory body for cybersecurity, issued a sweeping directive. It mandated “service providers, intermediaries, data centres, body corporate and government organisations” to abide by a range of diktats, mostly relating to cybersecurity incidents. This directive, which came into effect on Monday, was not only an embarrassing misadventure but also raised worrying questions about the competence of India’s cybersecurity agencies in maintaining a healthy cyberspace and guaranteeing the resiliency of its economy and citizens.
CERT-In mandated organisations of all hues to notify a cyber incident within six hours and send incident details to an email address or call centre. Because the thresholds of what constitutes an incident are subjective, topical and environmental, that email address or call centre is likely to be spammed with notifications. CERT-In also wants organisations to store logs for a period of 180 days. Evidence gathering in cyber incident response is driven by observation over stretches of time. That observation is aided by raw event data or logs. A single such device can spew gigabytes of logs per day. The overhead of maintaining that level of observability remains unaffordable for most organisations. CERT-In has stepped into a policy quagmire by not only directing organisations on the information it wants, but also how.
Even if we discount the lack of nuance as bureaucratic lethargy, the directive raises serious questions by saying it is guided by the national security consequences of cyber incidents. Whether national security imperatives drive Section 70(B) of the Information Technology Act, from which CERT-In draws its power, remains debatable.
In international relations, the term “referent object” is used for the element that is threatened or needs to be protected. Within cybersecurity, there is no singular referent object to drive consensus upon. If the economy is the referent object, then national security may get less emphasis as businesses are averse to sharing information. For the nationState, the referent object could be the internet as a global common. Therefore, the referent object could be the State, individual, business enterprise or even the internet, but with some overlap.
With this relative distinction, the questions on the whys and hows of protecting these referent objects become even more divergent. Cybersecurity and national security may not go hand in hand. That is why previous legislative attempts — such as the Obama-era Cybersecurity Information Sharing Act — to foster public-private partnership (PPP) did not gain much traction. Even the authoritarian Chinese government had to backtrack when it forced the mandatory linking of online identity with physical identity for cybersecurity. Yet, it also shows that PPP, in whatever shape or form, underpins national cyber resilience. It is where the CERT-In directive falters. As the agency of a democratic State accountable to the public, CERT-In shows little reciprocity in how it will assist organisations in lieu of the valuable information it is seeking from them. With an impetus on gaining, instead of exchanging information, the foundations of PPP would crumble. CERT-In’s contemporary in the United States (US), the Cybersecurity Infrastructure Security Agency, is already taking PPP to the next level by focusing on operational collaboration.
CERT-In has bitten off more than it can chew. This directive sounds like it was written in the 90s. It was a possible overreaction to the vulnerable domestic cybersecurity environment and the threat from an aggressive China. India’s cyber agencies have struggled with high-profile investigations such as the intrusion into the Kudankulam Nuclear Power Plant. In this era of lightspeed cyber attacks, CERT-In’s detection mechanisms remain manual. It also apparently failed to study the notification laws of many democracies that explicitly focus on data breaches and not generic cyber incidents. For example, in Australia, the referent object is clearly defined — “any individual at risk of serious harm”.
CERT-In’s plan to hoover up troves of sensitive data, without a privacy law, is quixotic. The directive should be rescinded or face a challenge in court. The only avenue to instate a notifiable national cyber incident regime should be through the legislature, subject to democratic deliberation.