Updated: 10 May 2022, 10:27 PM IST. Rahul Matthan
The mandatory reporting of trivial breaches to CERT-In may overwhelm its ability to police serious cases
Near the top of the list of the more challenging assignments I have undertaken as a technology lawyer in India has been explaining to clients what they must do in the event of a data breach in India.
Most countries have comprehensive rules setting out the various steps that companies must follow from the moment they learn of a breach. These rules are designed to mitigate the privacy harms from a breach of personal data. In the absence of a full-fledged privacy law in India, we have had to dig for answers to these questions in unlikely places.
In 2013, rules issued under the Information Technology Act, 2000 set out the functions of the Indian Computer Emergency Response Team (CERT-In), which was to serve as a "trusted referral agency" that users could turn to in the event of a cyber attack. The role of CERT-In was to provide technical assistance in the event of a breach; it had no mandate to assess the privacy implications of such breaches. However, since these were the only regulations that even came close to setting out breach-reporting obligations, we had no option but to turn to them for answers.
The 2013 Rules largely left it up to individual users to decide whether or not they wanted to report a cybersecurity incident to CERT-In. However, in an annex at the end, it listed ten types of incidents that mandatorily had to be reported. And that was where the problems began.
Most incidents described in the annex had to do with attacks on critical infrastructure: the SCADA systems central to our national energy grid, the DNS servers that resolve the names on which internet traffic depends, and other such systems. However, the annex also required relatively benign incidents, namely "unauthorised access to IT systems/data", "defacement of websites" and "spoofing and phishing attacks", to be reported to CERT-In.
Now, I do not intend to underplay the seriousness of these types of breaches; if executed well, phishing attacks are among the most effective ways by which hackers can gain access to an IT system. However, only a very small proportion of these attacks succeed. Requiring users to report all such incidents, every phishing attempt, every attempt to gain unauthorized access to a computer, every kid who scrawls digital graffiti on a website, is excessive. It places an onerous and unwarranted reporting burden on companies whose IT departments are eminently capable of dealing with such incidents themselves. More importantly, it risks so thoroughly inundating CERT-In with trivial incidents that the agency may be left incapable of responding to serious incidents when they actually occur.
If the 2013 Rules were bad, things got decidedly worse late last month, when the ministry of electronics and information technology (MeitY) extended them by issuing a new set of Directions under the Information Technology Act, 2000. The new Directions considerably expanded the list of mandatorily reportable incidents, doubling it to 20. They introduced new reporting requirements in relation to attacks on Internet-of-Things devices, unauthorized access to social media accounts and, in a particularly incomprehensible regurgitation of meaningless tech buzzwords, suspicious activities that could affect systems relating to big data, blockchain, virtual assets, robotics, 3D and 4D printing, additive manufacturing, drones, artificial intelligence and machine learning.
If that wasn't enough, companies are now required to report cyber incidents to CERT-In within six hours of becoming aware of them (a far shorter window than the 72 hours that, for example, the EU's GDPR allows for notifying a regulator), and in a form that has to be downloaded from the CERT-In website as a non-editable PDF. Firms are required to maintain, within the territory of India, logs of their ICT systems for a period of 180 days, and to ensure that their system clocks are synchronized with the Network Time Protocol (NTP) servers of either the National Informatics Centre or the National Physical Laboratory. The Directions even presume to regulate virtual asset service providers, requiring them to maintain Know Your Customer information and records of their financial transactions for a period of five years.
Questions have been raised as to whether MeitY has the legislative competence to issue directions covering such a broad swathe of subjects. Classifying all "suspicious activity" relating to drones, blockchain and artificial intelligence as cyber security incidents, regardless of its likely consequences, does seem excessive. But even if we set that aside for a moment, what escapes me is how mandating such broad and all-encompassing reporting requirements will help CERT-In better perform its statutory functions. Surely, an organization tasked with assisting users as they deal with cyber incidents should focus its resources on addressing serious incidents that are likely to have an impact on the largest number of users. Instead, CERT-In seems to be encouraging companies to bury it under such a monstrous pile of cyber-incident reports that it will simply be incapable of separating the signal from the noise.
I had previously written about the instinct to over-legislate so that nothing slips through the regulatory net on account of unintended restraint. This tendency, which I called 'Regulatory FOMO', the lawmaker's fear of missing out, is probably the best explanation for why the new CERT-In Directions have been issued in this form.
But, surely, we can’t let FOMO prevent our first line of defence against cyber attacks from doing what it was created to do.
Rahul Matthan is a partner at Trilegal and also has a podcast by the name Ex Machina. His Twitter handle is @matthan