“Given the lack of clarity here, I think CERT-In may need to change its name to uncertain,” remarked Dr. Joseph Lorenzo Hall, Senior Vice President for a Strong Internet, Internet Society (ISOC), at MediaNama’s round-table discussion on the Impact of India’s New Cybersecurity Directions.
The new cybersecurity directions, issued by the Indian government’s Computer Emergency Response Team (CERT-In) on April 28, cover the timeframe for reporting cybersecurity incidents, synchronisation of system clocks, maintenance of logs, maintenance of KYC and transaction information by crypto exchanges, and maintenance of detailed customer information by VPN, cloud service and data centre providers.
The directions have already been criticised by a long list of stakeholders, and the speakers at the MediaNama round-table discussion held on June 2 didn’t spare them either, but they have also shared their recommendations on how to improve the directions. The speakers include Kumardeep Banerjee, Country Manager, ITI; Richa Mukherjee, Director, Public Policy and Corporate Affairs, PayU; Shivangi Nadkarni, Co-founder and CEO, Arrka; Sreenidhi Srinivasan, Principal Associate, Ikigai Law; Sukanya Thapliyal, Project Officer, Technology and National Security at CCG, NLU, and Suman Kar, CEO, Banbreach, in addition to Dr. Hall. The discussion was moderated by Nikhil Pahwa, Founder and Editor, MediaNama and Sarvesh Mathi, Journalist, MediaNama.
The discussion was held with support from Internet Society, Meta and E2E Networks Limited.
What is wrong with the 6-hour reporting timeline?
- When does the clock start ticking? “From a legal perspective, when does the clock start for this six hour time frame of reporting?,” Pahwa asked, explaining that there might be mechanisms that notice some unusual activity and send an alert to the team at 3 in the morning. “Does the clock start from when the notification from the server went out or does it start from the moment someone saw the message?” Pahwa asked the speakers.
- From when a human being has read a report: “We apply judgement typically, but the idea is from the time a human being has read a report, if you prefer that, but that is not really spelt out,” Kar responded.
- It’s a question that companies have: “I am not sure,” Mukherjee said, adding that it is a question that her company wants to raise as well.
- Singular incident vs. continuous incidents: An audience member asked how the reporting timeline works for a chain of incidents: will you have to notify when you notice the first incident in a series or the last one if there are continuous incidents? The speakers were unclear about what happens here as well.
- Is it fine to submit a person running a WordPress site to this requirement? “Do you think that a six hour timeline is fine for a person who’s just running a website and his WordPress is outdated, and it gets breached using a bot? Sometimes it might take them weeks to identify that this has happened even though they might have gotten an email that may have indicated that there is a potential for a breach,” Pahwa said.
- Highly sophisticated attacks will not manifest within 6 hours: Most of the highly sophisticated ransomware may not fully manifest itself in just six hours and it may take longer for any organisation to understand what is going to be the impact, whether it has hit them and how they are going to respond to it. So things may not become clear in the six hours itself, Mukherjee said.
- Attackers will carry out due diligence and target companies: “6 hours is simply not feasible even for large organisations and I am going to give you a small example. Take a look at Bangladesh Central Bank, they got hacked over a weekend. Your attackers will carry out due diligence, they will figure out when your employees are going to go home over a long weekend and that is when they are going to morph your attacks. So 6 hours, these sort of deadlines really do not matter much in terms of strengthening your security postures,” Kar said.
- Where does the six-hour timeline come from? Is there a study behind the six-hour number; why not 6.5 or 7 hours? Mathi asked the speakers, in response to which Mukherjee said: “When I was just scanning through some of the cybersecurity circulars of RBI, there is a circular in 2016, which states that any kind of reportable incident has to be reported between 2 to 6 hours for the banks. So I don’t know if they have taken that 6 hours from there, but we do have this kind of a precedent.”
- Companies normally use a severity methodology, does that apply now? “I was talking to fintech companies and also internally at my organisation, they say whenever this reporting happens, there is something called severity methodology, which is determined by each organisation: high severity, less severity, etc. So based on the severity the reporting happens to the regulators currently. Is the same kind of methodology expected when reporting to CERT-In,” Mukherjee asked. And as per global frameworks, the moment any organisation contains a specific incident, even if it is a high severity incident, the severity is reduced because you are able to contain it, Mukherjee added.
What is wrong with the list of reportable incidents?
- Attempt at phishing vs successful phishing: “Is an incident also an attempt at phishing, for example, as opposed to phishing actually having been succeeded,” Pahwa asked, explaining that there could be millions of attempts in a year in India and telecom operators would go crazy reporting the number of times when their network is used for a phishing attempt.
- Wouldn’t necessarily need to report every attempted event: The directions add to or modify the 2013 rules, and these rules state that what needs to be reported is a cyber security incident, which is defined as any real or suspected adverse incident in relation to cyber security that violates so and so and which also results in some kind of unauthorised access, denial of service, unauthorised use. “I wouldn’t necessarily read this as every attempted event,” Srinivasan said.
- Events are different from incidents: “There is a term called events and there is a term called incidents and an attempt to attack or an attempt of phishing, they are all events. Now all events don’t necessarily result in an incident. So I think the guidelines are very clear about reporting incidents,” Nadkarni added.
- What are fake mobile apps? The directions point towards the reporting of new kinds of cyber security incidents, and amongst those are things like fake mobile apps and any kind of attack on a big data system. How are any of these terms defined in law? Is there too much arbitrariness in how CERT is approaching things, Pahwa asked the speakers.
- No specific definition: “I don’t believe there’s a specific definition on these things,” Thapliyal replied. “And while these directions do seem like a very centralised approach that the government is taking, I don’t think that the government has something very arbitrary in its mind. I think it’s coming halfway because of the inability to assess the landscape and what challenges it poses. It’s also because of the limited capacity they have,” Thapliyal explained.
- Gives CERT-In arbitrary power and increases compliance requirement: “From a practical operational perspective, there are two things that I have issues with. Number one: some of the phrases in the directive are so broad, it creates a massive amount of arbitrariness regarding whom CERT-In wants to go after and whom they don’t. The other thing is that it is creating compliances. We have a very small organisation and we are going to struggle with this kind of compliance,” Pahwa remarked.
- Every death is a homicide until it’s ruled out: How complex is it to distinguish between an actual incident and something that one believes is an incident from a technical perspective? Pahwa asked. To which Kar replied: “You know, how police investigations go, right? Every death is a homicide until it’s ruled out. So it’s similar in cybersecurity.”
- How many incidents might have to be reported to CERT? On average, how many so-called incidents do midsize companies have to deal with in a year, Pahwa asked the speakers. “It’s really very hard to say because with the advent of cloud computing, what’s happening is you are no longer limited to the number of human beings you employ. You can simply spin up hundreds and thousands of devices in one click. So that increases your attack surface. So it is extremely difficult to come up with a number, it will be in the millions, probably,” Kar replied.
- Does CERT-In have the capacity to deal with a million events: “I’m just wondering whether CERT-In has the capacity to deal with a million reports a year? What has your experience been with reporting of incidents to CERT-In? How soon are they able to respond to something? What is CERT-In’s response time,” Pahwa asked. To which Kar sarcastically replied: “They respond?”
What’s wrong with the 180 days of logs requirement?
- Are 180 days of logs necessary and what’s the industry standard? If you are dealing with some of the most advanced strains of ransomware or some of the more lethal APTs, and if you’re dealing with a situation like the Kaseya incident that happened, you’re probably going to need logs for the last two years. But does every single company need to have logs of every single application running on every single device? The answer is no. You need to figure out what the crown jewels in your network are. And then you need to have logs for specific applications that are running on these crown jewels, Kar explained.
- One-size-fits-all approach does not work: “When you start looking at security, you start with a threat model. And every sector has their own threat model. You cannot have a one-size-fits-all approach to cyber security. And even if it’s possible, it is going to slow down your service response time. So it’s a net loss for your customer,” Kar remarked.
- FAQs have cut down the scope: The guidelines specifically mention that this applies to organisations with any ICT system. Does that mean that every single server, device and application, everything that you use, needs to generate logs? How feasible is this, Pahwa asked the speakers. “It’s feasible for some of the larger organisations, and they probably already do that to a certain extent. And if you look at the FAQ document, you’ll see that CERT is talking about firewalls and network related applications. So they have cut down the scope of logging to a certain extent,” Kar said.
Did the FAQs help?
- FAQs don’t hold the force of law: The FAQ document addressed some of the stakeholder questions with regards to implementation. However, given that “FAQs do not carry the force of law, they do not offer enough assurance to businesses operating in India,” Banerjee said. “So our basic problem is that we will continue to have some of the concerns,” Banerjee added.
- Government puts out bad policy and digs in its heels with FAQs: “This is kind of in line with what’s been happening with regulations in general. If you recall it started with RBI’s data localization, no public consultation and nothing at all, then the RBI issues a series of FAQs in response to all the criticism it had received and changes the rules as such accordingly. The IT rules last year, there were FAQs, post that, there were supposed to be SOPs. So it is almost like you have put out a bad policy and then you try and you dig in your heels with FAQs to try and show that you are clarifying things but really they don’t carry the force of law, so effectively, they don’t change much,” Pahwa opined.
How do the cybersecurity directions impact privacy?
- Goes against data minimisation: Maintaining logs is one bit, and there is also maintaining other information for VPN providers: validated information about individuals’ IP addresses, email addresses, validated address and contact numbers, with these to be retained for a five year period. So is there some rationale for having a five year retention period for such kind of information? This kind of goes against the general core privacy principle of data minimisation, Srinivasan said.
- Depends on how much personal data is shared and how it is used: The information that is being shared as part of reporting, how much of personal data is really being shared? Because that’s where the scope will come in. And if there are log files, they do have personal data. “So as long as that doesn’t get used for a different purpose, and there is evidence to show that it’s not getting used for a different purpose, I don’t see an issue from a privacy perspective,” Nadkarni said.
- How does one verify and validate customer information? “Are you going to now require KYC of anyone who works with a cloud company? And therefore, will I be required to do Aadhaar authentication, because I’m working with a cloud service provider that’s hosting MediaNama? And how does this impact foreign entities that might want to host their services in India? Will Indian cloud companies also have to validate them,” Pahwa asked. That will remain an open question. “I think the FAQs also don’t unfortunately provide much clarity on that one question,” Srinivasan replied.
- Don’t see issues with GDPR: “There were some questions being discussed about the violation of GDPR. I actually looked up the standard contractual clauses released a while ago by the EU and anybody can report and share information with a public authority in their respective country, just that they need to inform the controller that this information is being shared. So I don’t really see any kind of an issue from a GDPR perspective,” Nadkarni explained.
Were stakeholder consultations held or not?
- What is the harm in holding stakeholder consultations: “All of us here, including many of our member companies, all want to have a safe, secure, trusted internet. Nobody is here to create any harm. And what is the harm in having a stakeholder consultation before coming out with a directive which is as important or as critical as cybersecurity measures,” Banerjee asked.
- But didn’t MeitY say it held consultations? MeitY and the FAQs both say that industry stakeholders were consulted and that this was developed over time with industry stakeholders. So who was consulted? Mathi asked the speakers. “I would not hazard this guess. There are many people who are listening in. I’m sure there are 122 participants, so I’m sure if somebody was consulted, they could raise their hand,” Banerjee responded.
- Was a limited consultation held? “Let me put forth a hypothetical situation and this is all fake. You don’t need to believe it. And I’m doing this just for fun. CERT-In calls one industry body over to discuss it with them. The industry body goes and meets CERT-In along with three entities that are significant in the cloud space. And this is all an assumption. And they’re given the copies of these guidelines and this happened on Friday, and they’re told that they have to respond by Monday. So they send in the responses by Monday. Nothing happens and these guidelines are issued as is, with no inputs incorporated. Does this sound like a feasible story,” Pahwa quipped.
What is the impact on small businesses?
- Small businesses are clueless about what’s going on: “Few small businesses we spoke to are clueless about what’s going on and how it even connects with what they do. But we have to realise that most small businesses don’t think about security beyond ensuring that they don’t get viruses in their system and so on. That’s the reality. It’s a huge gap between what the big guys do and what happens on the ground with more than the 63 million SMEs that are there,” Nadkarni said. Most of them are waiting for guidance from the larger guys, Nadkarni added.
- Cost impact will depend on the type of small businesses: What are we looking at in terms of cost, if small businesses had to comply with this directive? What kind of budget are we looking at, Mathi asked the speakers. It will depend on the kind of business they run. So for example, if it is an IT services company, or a KPO (Knowledge process outsourcing) or a BPO (Business process outsourcing), then there are very few internal systems. A lot of it these days: HR, accounting, all of that is pushed on to the cloud now. So for them, the cost of compliance is not going to be significantly higher than what they’re doing today. But if it’s a SaaS based company or a FinTech kind of company, then they would need to invest in some sort of security operations and monitoring mechanism. “I can’t put a figure to it because it would be very different for somebody that is a 15 person organisation than someone who’s a 500 person organisation, and then within which, what kind of business they run,” Nadkarni explained.
What are the global trends and norms in cybersecurity?
- Others follow a risk-based approach to reporting: “I think most regions do follow some kind of an impact-based or risk-based approach: how an incident has impacted services, functions, individuals. Other jurisdictions, say, Singapore, Australia may have sharp timelines but that is limited to incidents involving critical infrastructure for instance. Europe has a network and information directive where there is some guidance on what is a significant incident which has to be reported. We have also come across instances, say Canada, where they have a cyber management plan for their government systems, and they come up with an injury test where you see the level of harm to health and safety of individuals, you see impact to government programmes. So there are some kinds of thresholds and guidance rather than I would say any and every incident,” Srinivasan said.
- Others look at sector or impact specific approaches: “Governments across the globe opt for reporting requirements and it ranges from 24 to 72 hrs but generally the kind of approach that governments take is from a sector-specific point of view or they have different sorts of approaches on looking at the cyber security incidents. So there is a consumer-based approach that the FTC (Federal Trade Commission) takes up in the USA. So they look at data breaches and how it is going to impact consumers. There are a lot of innovative ways countries are experimenting with this, which we really don’t find here. So that’s something that we should definitely learn from outside countries,” Thapliyal said.
Role of CERT-In compared to CERT in other countries
- CERT-In’s job is not to investigate every single breach: “CERT-In is not supposed to help out every single organisation, at least that’s not how CERTs operate. CERT is just one team that you have who looks into all the up and coming incidents, as well as vulnerabilities and their job is to provide you with guidelines on how to mitigate threats that you face, or prepare for potential threats that might hit you. I think what CERT-In here is trying to do is a lot without necessarily having the bandwidth or budget or even resources to pull it off. They really should focus on what their scope should be”, Kar said.
- Law enforcement role in India: “The Internet Society’s report says that by acting somewhat like a law enforcement agency with these new requirements, CERT-In might actually scare away companies from reporting, rather than just performing their function as an incident response team,” Mathi remarked.
- Exemption from RTI is a concern: There was a recent report that CERT-In might be exempted from RTI for national security reasons, so there is no way to even hold CERT accountable or get any information, Mathi said. “On the justification part, I think CERT might be able to do it because over years we have seen the national security sector enjoys a lot more exemptions but this certainly is a concerning thing. I don’t know how we can counter this, this is something that the government has to understand and I think if they look at cyber security from a collaborative perspective they would probably have better strategies around it,” Thapliyal added.
- Role of CERT in other countries: “It depends on geography. For example Israeli CERT, I would say has a lot more authority investigating breaches whereas the Dutch CERT, they are probably one of the finest when it comes to incident response and criminal forensics. They use a more collaborative approach. Whenever there is an incident, they would proactively reach out to the impacted organisations, help them out, that whole burden of regulation does not even arise because organisations know that these guys are trying to help us, so they are almost always welcome,” Kar explained.
What is wrong with the time synchronisation requirement?
- You need at least three different sources: Time is a hard problem. And it’s been one of the finest examples of what we humans can achieve in terms of solving a complex problem in a distributed manner. The way the network time protocol (NTP) works is that you talk to at least three sources. Three different time sources and you come up with this complicated average time that you use. And because your system can have its own idiosyncrasies, it will probably not be in lockstep with these time sources that you’ve been using. So, you check back again in a few minutes or a few hours. So, this is pretty much how the network time protocol thing works. “CERT-In’s direction, unfortunately, does not seem to take into account the finer nuances of the protocol that the software has to manage or take care of,” Kar explained.
- There are other best practices out there that CERT can adopt: The IETF has been talking about NTP best practices for the last couple of decades and they’ve had this Best Current Practice document that specifically talks about NTP and in fact, it became an RFC (Request for Comments) document in 2019. So CERT-In could easily have said that we would like organisations to implement RFC 8633, Kar said.
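As an added illustration of the client-side behaviour Kar describes (example code written for this summary, not something presented at the round-table or published by CERT-In), the block below parses NTPv4 server responses in the RFC 5905 packet format, computes each source’s clock offset from the four timestamps of an exchange, combines three sources so that a single wrong source cannot drag the result, rejects a reply whose origin timestamp does not echo the request (the standard defence against off-path forged responses), and backs off the poll interval while the clock is tracking well. The three exchanges, the 0.128 s threshold borrowed from ntpd’s step limit, and the median in place of ntpd’s full selection and clustering algorithm are all simplifying assumptions, not the protocol as deployed; the packets are constructed, not captured.

```python
import struct

NTP_EPOCH_DELTA = 2208988800      # seconds from 1900-01-01 (NTP era 0) to 1970-01-01
STEP_THRESHOLD = 0.128            # assumption: ntpd's step threshold, reused for poll back-off


def unix_to_ntp(t):
    """Unix float seconds -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    secs = int(t) + NTP_EPOCH_DELTA
    frac = int((t - int(t)) * 2 ** 32) & 0xFFFFFFFF
    return (secs << 32) | frac


def ntp_to_unix(ts):
    """64-bit NTP timestamp -> Unix float seconds."""
    return (ts >> 32) - NTP_EPOCH_DELTA + (ts & 0xFFFFFFFF) / 2 ** 32


def build_server_packet(stratum, origin_ts, recv_time, xmit_time):
    """Construct a 48-byte NTPv4 mode-4 (server) packet. Sample data only."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4                         # leap=0, version 4, mode 4
    header = struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)  # poll 2^6 s, precision 2^-20 s
    root = struct.pack("!II", 0, 0)                              # root delay / dispersion
    ref_id = b"GPS\x00"                                          # reference clock identifier
    stamps = struct.pack("!QQQQ", unix_to_ntp(recv_time - 1), origin_ts,
                         unix_to_ntp(recv_time), unix_to_ntp(xmit_time))
    return header + root + ref_id + stamps


def parse_server_packet(pkt):
    """Validate the header fields RFC 5905 says a client must check, then pull the timestamps."""
    if len(pkt) < 48:
        raise ValueError("short NTP packet")
    li_vn_mode, stratum = struct.unpack("!BB", pkt[:2])
    if li_vn_mode & 0x07 != 4:
        raise ValueError("not a server (mode 4) response")
    if (li_vn_mode >> 6) == 3:
        raise ValueError("source reports its clock is unsynchronised (LI=3)")
    if stratum == 0 or stratum > 15:
        raise ValueError("kiss-o'-death or invalid stratum %d" % stratum)
    _ref, org, rec, xmt = struct.unpack("!QQQQ", pkt[16:48])
    return {"stratum": stratum, "org": org, "t2": ntp_to_unix(rec), "t3": ntp_to_unix(xmt)}


def measure_source(pkt, t1, t4):
    """Offset and round-trip delay for one exchange (RFC 5905 section 8).

    t1/t4 are the client's local send/receive times. The reply's origin
    timestamp must echo t1; otherwise a forged or stale reply is discarded.
    """
    resp = parse_server_packet(pkt)
    if resp["org"] != unix_to_ntp(t1):
        raise ValueError("origin timestamp mismatch: reply is not for our request")
    t2, t3 = resp["t2"], resp["t3"]
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    if delay < 0:
        raise ValueError("negative delay: timestamps are inconsistent")
    return offset, delay


def combine_offsets(offsets, minimum=3):
    """Median of the per-source offsets; at least three sources so one falseticker cannot win."""
    if len(offsets) < minimum:
        raise ValueError("need at least %d sources, got %d" % (minimum, len(offsets)))
    s = sorted(offsets)
    n = len(s)
    return s[n // 2] if n % 2 else (s[n // 2 - 1] + s[n // 2]) / 2


def next_poll_exponent(poll_exp, offset, lo=6, hi=10):
    """Poll less often (up to 2^10 s) while tracking well, more often (down to 2^6 s) when far off."""
    if abs(offset) < STEP_THRESHOLD:
        return min(poll_exp + 1, hi)
    return max(poll_exp - 1, lo)


def demo():
    """Three constructed exchanges: two honest sources and one source 30 s wrong."""
    t1 = 999.5                      # local clock at send time; true time is 1000.0 (clock 0.5 s slow)
    org = unix_to_ntp(t1)
    exchanges = [
        (build_server_packet(1, org, 1000.01, 1000.02), 999.53),  # honest, offset about +0.50 s
        (build_server_packet(2, org, 1000.00, 1000.01), 999.52),  # honest, offset about +0.495 s
        (build_server_packet(1, org, 1029.50, 1029.51), 999.53),  # falseticker, offset about +30 s
    ]
    offsets = [measure_source(pkt, t1, t4)[0] for pkt, t4 in exchanges]
    return offsets, combine_offsets(offsets)


if __name__ == "__main__":
    per_source, combined = demo()
    print("per-source offsets:", ["%.3f" % o for o in per_source])
    print("combined offset: %.3f s" % combined)
```

With the three sample exchanges the median lands on the honest +0.5 s correction, whereas a plain mean of the three would be pulled to roughly +10 s by the broken source; that is why a single-source or two-source configuration cannot tell a good clock from a bad one, and why real clients also verify the origin timestamp before trusting a reply.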
What’s the history and context behind the directions?
- Parliamentary committee has been looking at VPNs for a while now: “A parliamentary committee has been looking at cloud-based services like VPN for a while now and they have come up with a couple of reports, specifically report no.230 and a follow up report no. 233, a year back. And if you go through those reports, you would pretty much see what we are seeing today in terms of guidelines. So the thought process was already there in terms of what the government thinks they should do in order to regulate these services and to curb cyber crime,” Kar said. “Back then a lot of us were very vocal about how the document reflects a factually misguided understanding of the internet and how it might be very difficult to implement for people or organisations. So we did criticise it, but apparently nothing much has changed and CERT has gone ahead and come up with these guidelines,” Kar added.
- Ransomware is one of the main reasons for the directions: “I think ransomware has been one of those issues that have been there but not talked about by mainstream media. We have seen ransomware attacks compromising a number of sensitive organisations in India and the way things are moving in this world, it is basically a soft skill that you can get for a real cheap, real quick and without having to sacrifice people. If you look at the CERT guidelines you would get the sense that these documents are essentially talking about two different things. One they are talking about incident response and the second thing they are talking about is transparency and KYC into crypto related transactions. Now the one place where we see both these things come together is a ransomware attack,” Kar explained.
Ten recommendations made by the speakers
- Scrap these guidelines and start a public consultation: “There are lots of unanswered questions and those questions will only come up when we have a diverse set of responses from a diverse set of stakeholders. Six people on this discussion, along with 100 or so people in this chat is still not a wide enough net to get all the perspectives you need to make a better decision that impacts this entire country and potentially businesses across the world,” Pahwa said. “I think it’s myopic, foolish and terrible policymaking to come up with certain directions and just force it on people without taking into account what it means for the entire internet ecosystem. Because India is not a country in isolation and on the Internet. What happens here impacts the rest of the world, what happens in the rest of the world impacts us as well. If you want to be a part of the global Internet, then we have to work in a manner where we understand how it impacts everyone,” Pahwa added.
- Hold consultation with technical experts: Have a stakeholder consultation or have some sort of an open house with all the technical experts, the legal experts, and bring in as much perspective as possible, Banerjee said. Until consultations are held, stay the directive or at least extend the timeline for its implementation, Banerjee added.
- Reduce the distrust between the government and the private sector: “The approach that CERT-In is taking, you cannot really dismiss it. I think some part of it is justified because they don’t really get a lot of coordination from private parties. But what you and I can do, and maybe industry can also weigh in here, is to see how to reduce the distrust between the government and the private sector,” Thapliyal said.
- Multi-stakeholder approach: Government should take a multi-stakeholder approach in cyber security issues because this is something which is too big to be handled by just one party. Government has an edge when it comes to understanding cyber security from a strategic point of view, but at the same time, the commercial aspect is something that industry understands better, Thapliyal said.
- Cut down on scope: “It’s too broad right now. So for example if you look at the EU Artificial Intelligence Act, it’s broader than GDPR. If CERT-In thinks that they can throw in a single line and regulate AI, well, then we are in for a very difficult time,” Kar said.
- Reuse existing best practices: “I think it’s also important to reuse what we already have. For example I spoke about the NTP related RFC. So there are standards out there that we can reuse rather than reinvent the wheel,” Kar opined.
- Required ongoing conversation: “You need to have a conversation and it needs to be an ongoing conversation, because the threat landscape keeps evolving very fast,” Kar said.
- Graded timelines for reporting incidents: Have a relook at the guidelines and have the timelines for reporting in six hours graded. Make them risk based so that you know you’re not jumping for everything, Nadkarni said.
- More depth and clarity should be provided: A lot more depth, and clarity needs to be brought out in terms of who needs to do what and at what juncture. It’s a very high level document at this point in time and we need a lot more awareness amongst all the stakeholders who are impacted by this. “I mean, you can’t just release something on the net and expect everybody to understand what is being discussed,” Nadkarni said.
- Fix organisational and infrastructural issues first: “I think there are some organisational issues that need to be fixed in terms of CERT making sure that it has the capacity to deal with whatever it’s going to put out. It’s very underfunded at the moment. Another thing about the whole time synchronisation; the infrastructure needs to be there. So India’s NTP servers, the NPL and NIC servers need to be robust. I think the ISOC report says if the servers are robust, and if they are of good quality, then computers will naturally start picking up their time from these NTP servers. You don’t have to mandate it. I think they should zoom out, look at the other larger things to facilitate a directive like this, and then get to the directive,” Mathi remarked.
Note: Quotes have been slightly edited for clarity and brevity.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.