Why India’s cybersecurity watchdog should not exempted from RTI

What’s happening: The Indian Computer Emergency Response Team (CERT-In) might soon be exempted from the Right to Information (RTI) Act, 2005, on the grounds of data sensitivity, Economic Times reported.

What is CERT-In? CERT-In is the government-appointed nodal agency tasked with performing cybersecurity-related functions in the country.

What happens if CERT-In is exempted? If exempted from RTI, CERT-In will no longer have to respond to right to information requests filed by the public. The RTI Act was enacted to ensure transparency of government agencies, but exceptions such as these dilute its purpose.

Why does it matter? It’s important that public institutions are answerable to the public and are transparent about their workings. For example, CERT-In released a cybersecurity directive last month that has been criticised by a long list of people. The directive has a significant impact on cybersecurity, privacy, freedom of expression, surveillance, etc, and there are plenty of questions around the directive; if CERT-In is exempted from RTI, getting answers to these questions becomes a whole lot harder.

On the one hand, CERT-In wants our logs, non-compliance with which will lead to one year jail time, but on the other hand, doesn’t want to be transparent to the citizens in return. (3/3)https://t.co/yEyOOTn13f

— Internet Freedom Foundation (IFF) (@internetfreedom) May 20, 2022

Advertisement. Scroll to continue reading.

A huge blow to transparency and accountability. Sustained attacks on people’s Right to Know is leading to its death.

3/3

— Saurav Das (@OfficialSauravD) May 20, 2022

RTIs filed by MediaNama with CERT-In: MediaNama filed three RTI requests this month with CERT-In (Department of Electronics and Information Technology) concerning the cybersecurity directive. These RTIs should give you a sense of why it is important to have CERT-In as part of the RTI Act:

RTI 1:

Advertisement. Scroll to continue reading.

With respect to new directions issued by the Indian Computer Emergency Response Team (CERT-In) on April 28, I have the following questions about NIC and NPL time servers that companies must synchronise their ICT clocks with:

1. How many time servers do National Informatics Centre (NIC) or the National Physical Laboratory (NPL) run?
2. What are their IP addresses?
3. What geographical locations are they configured in?
4. What are their average latency times?
5. Do they publish the uptimes and downtimes of their NPT servers?
6. What is the hardware and software configuration of their NTP servers?
7. If these servers go down who should be contacted?
8. Who is the primary and secondary ISP for these servers?
9. What is the ASN these servers are operated in?

These questions are highly relevant to the public interest as CERT-In has asked all companies in India to synchronise their time with NIC and NPL servers. As syncing time is a critical and complex issue, it is of importance that companies are aware of the technical details of the servers that they are being asked to follow.

RTI 2:

With respect to the financials of the Indian Computer Emergency Response Team (CERT-In), I have the following questions:

1. What is the capital budget that was allocated to CERT-In in the last five years?
2. How much of it is spent on software and how much on hardware?
3. What is the total amount of budget allocated to personnel?
4. What is the management vs engineer ratio?

RTI 3:

Prior to the release of CERT-In directions on April 28, were there any internal government consultations held. If so, can you please share the details of the various departments that participated and the submissions made by them including any record of minutes that are not confidential?

Are any other government agencies exempted? There are many intelligence and security agencies such as the Intelligence Bureau, CBI, Narcotics Control Bureau, and RAW that are exempt from the RTI Act for security reasons.

What next? The Department of Personnel and Training is finalising the modalities of the exemption regime for which a notification is likely to be issued soon, Economic Times stated.

Advertisement. Scroll to continue reading.

Also Read:

• CERT-In Wants Cybersecurity Incidents Reported Within 6 Hours
• Why India’s New Cybersecurity Directive Is A Bad Joke
• VPN Providers Call India’s New Rules Worse Than China, Russia
• FAQs On Cybersecurity Directive Adds Fresh Concerns
• India’s Cybersecurity Directive Goes Against Security, Tech Companies Argue

Have something to add? Post your comment and gift someone a MediaNama subscription.