The Indian Computer Emergency Response Team (CERT-In) was not known for its accountability and transparency, and now, with the Indian government exempting the agency from the Right to Information (RTI) Act of 2005, the agency’s workings are only going to be shrouded in more secrecy as the agency does not have to field any RTI requests from the public.
This is worrying because CERT-In is the nodal agency for all cybersecurity-related matters in the country, and at a time when cyber incidents are on the rise in the country, it’s all the more necessary to know what the agency is doing to address these incidents.
The exemption also means that we will never know if the cybersecurity directions issued in 2022 are being implemented or not. The directions were regressive and we had raised multiple concerns about how many of the provisions were hard or impossible to implement. In fact, we filed RTI requests with CERT-In earlier this year and found out that the agency has no idea about the implementation status of these directions. You can read more about the RTI responses here and here. Going forward, we will not know anything about the implementation of the directions because we cannot pose any RTI requests seeking this information.
Another reason why this exemption is worrying: Earlier this month politicians from opposition parties received an alert from Apple warning them that their iPhones might be targets of state-sponsored attackers. There is an allegation that the ruling government is behind these hacks, but CERT-In, which is reportedly investigating the claims has not uttered a word about it. A report citing unnamed sources suggested that the agency has turned its investigation to China, but CERT-In has not officially commented on this. With an issue of this magnitude, which raises concern about the very core of our democracy, we would expect more transparency and accountability from the nation’s cyber-security agency, but alas, the government has instead enabled this agency to function more like a black box than ever before.
Do know you which is the body which has been tasked with investigating when your data is breached, or even when the phones of opposition leaders are hacked by Pegasus type of spyware? It is called, CERT-In (full form, Computer Emergency Response Team).
It falls under the… pic.twitter.com/RMs7ShS1qr
— Apar (@apar1984) November 25, 2023
- RTI: No Details On How Many Entities Have Complied With CERT-In’s Cybersecurity Directions
- Cybersecurity Rules: Only 15 Entities Reported Incidents Within The Stipulated 6 Hours, RTI Reveals
- Why India’s New Cybersecurity Directive Is A Bad Joke
- Here’s How India’s Digital Personal Data Protection Bill Threatens Right To Information
STAY ON TOP OF TECH NEWS: Our daily newsletter with the top story of the day from MediaNama, delivered to your inbox before 9 AM. Click here to sign up today!