The Indian Computer Emergency Response Team (CERT-In) on April 28 issued new cybersecurity directions covering aspects related to the timeframe for reporting cyber security incidents, maintenance of KYC and transaction information for crypto exchanges and wallets, maintenance of customer details by data centres, cloud services and VPN providers, and maintenance of logs in Indian jurisdiction. These directions will become effective in 60 days.
CERT-In is the government-appointed nodal agency tasked with performing cybersecurity-related functions and has issued these directions under section 70B of the Information Technology Act, 2000.
Who are these directions applicable to?
- Service providers such as telecom service providers, network service providers, internet service providers, web-hosting service providers, cloud service providers, crypto exchanges and wallets, etc.
- Intermediaries such as social media platforms, search engines, e-commerce platforms, etc.
- Body corporates, which is defined as any company including firms and sole proprietorships
- Data centres
- Government organisations
What are the new directions?
- Report incidents within 6 hours: All entities must mandatorily report cyber incidents to CERT-In within 6 hours of noticing such incidents or being brought to notice about such incidents. Entities can report to CERT-In via email (email@example.com), phone (1800- 11-4949) or Fax (1800-11-6969). Entities must follow the methods and formats of reporting published on the CERT-In website. The current rules don’t prescribe any time frame and only mention that entities must report incidents “as early as possible.”
- Crypto exchanges and wallets must maintain KYC details and records of financial transactions for five years: Virtual asset service providers, virtual asset exchange providers and custodian wallet providers should mandatorily maintain all information obtained as part of Know Your Customer (KYC) and records of financial transactions for a period of five years. “With respect to transaction records, accurate information shall be maintained in such a way that individual transactions can be reconstructed along with the relevant elements comprising of, but not limited to, information relating to the identification of the relevant parties including IP addresses along with timestamps and time zones, transaction ID, the public keys (or equivalent identifiers), addresses or accounts involved (or equivalent identifiers), the nature and date of the transaction, and the amount transferred,” CERT-In said.
- Service providers must maintain information on customers and subscribers for five years: Data Centres, Virtual Private Server (VPS) providers, cloud service providers and Virtual Private Network Service (VPN Service) providers, are required to register the following accurate information about customers and subscribers for a period of 5 years or longer duration after any cancellation or withdrawal of the registration:
- Validated names of subscribers or customers hiring the services
- Period of hire including dates
- IPs allotted to or being used by the members
- Email address and IP address and time stamp used at the time of registration
- The purpose of hiring services
- Validated address and contact numbers
- Ownership pattern of the subscribers or customers hiring services
- Maintain logs for 180 days in India: All entities must mandatorily enable logs of all their ICT systems and maintain them securely for a rolling period of 180 days and the same should be maintained within the Indian jurisdiction. These should be provided to CERT-In along with reporting of any incident or when ordered by CERT-In.
- Synchronisation of clocks: All covered entities must connect to the Network Time Protocol (NTP) Server of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL) or to servers traceable to these NTP servers for synchronisation of all their information and communications technology (ICT) systems clocks. Those entities with ICT infrastructure spanning multiple geographies can also use accurate and standard time sources other than NPL and NIC, as long as their time source does not deviate from NPL and NIC.
- CERT-In can order actions and demand information: For the purposes of cyber incident response, protective and preventive actions related to cyber incidents, CERT-In can issue orders to entities mandating them to take action or provide information that may be of assistance to CERT-In. Such orders may also include the format of the information that is required (up to and including near real-time) and a specified timeframe in which it is required. Entities not adhering to the requirements may be considered to be in non-compliance. As per the Information Technology (The Indian Computer Emergency Response Team and Manner of performing functions and duties) Rules, 2013, this order can only be issued by an officer of CERT-In of the rank of Deputy Secretary to the Government of India or above.
- Point of contact: Entities are required to designate a Point of Contact to interface with CERT-In. The information relating to the Point of Contact should be sent to CERT-In and must contain a name, designation, organisation name, office address, email ID, mobile number, office phone, and office fax. All communications from CERT-In seeking information and providing directions for compliance will be sent to the said Point of Contact.
What cybersecurity incidents must be mandatorily reported?
According to the directions, the following cybersecurity incidents must be mandatorily reported within 6 hours. Items in bold are the newly added ones:
- Targeted scanning/probing of critical networks/systems
- Compromise of critical systems/information
- Unauthorised access to IT systems/data
- Defacement of website or intrusion into a website and unauthorised changes such as inserting malicious codes or links to external websites etc.
- Malicious code attacks such as the spreading of viruses/worms/Trojan/Bots/ Spyware/Ransomware/Cryptominers
- Attack on servers such as Database, Mail and DNS and network devices such as Routers
- Identity Theft, spoofing and phishing attacks
- Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
- Attacks on Critical Infrastructure, SCADA and operational technology systems and Wireless networks
- Attacks on applications such as E-Governance, E-Commerce etc.
- Data Breach
- Data Leak
- Attacks on Internet of Things (IoT) devices and associated systems, networks, software, servers
- Attacks or incidents affecting Digital Payment systems
- Attacks through Malicious mobile Apps
- Fake mobile Apps
- Unauthorised access to social media accounts
- Attacks or malicious/ suspicious activities affecting Cloud computing systems/servers/software/applications
- Attacks or malicious/suspicious activities affecting systems/ servers/ networks/ software/ applications related to Big Data, Blockchain, virtual assets, virtual asset exchanges, custodian wallets, Robotics, 3D and 4D Printing, additive manufacturing, Drones
- Attacks or malicious/ suspicious activities affecting systems/ servers/software/ applications related to Artificial Intelligence and Machine Learning
Why has CERT-In issued these new directions?
“During the course of handling cyber incidents and interactions with the constituency, CERT-In has identified certain gaps causing hindrance in incident analysis. To address the identified gaps and issues so as to facilitate incident response measures, CERT-In has issued directions relating to information security practices, procedure, prevention, response and reporting of cyber incidents under the provisions of sub-section (6) of section 70B of the Information Technology Act, 2000,” the press release from CERT-In said.
- Countries Are Obliged To Prevent Cyber Attacks On Their Soil Against Other Countries: India And The UK
- China-Backed Hackers Targetted Power Stations In Ladakh Through Compromised IP Cameras
- How Nigerian Hackers Exploited Vulnerabilities In A Hyderabad Bank And Came Away With Crores Of Rupees
- Ransomware Incidents In India Doubled In 2021 At 132, Up From 54 In 2020: MeitY In Parliament
Have something to add? Post your comment and gift someone a MediaNama subscription.