CERT-In Directives Aim to Enhance Cyber Security but Approach Raises Privacy Concerns
It is essential to bring a positive-sum game by balancing cyber security with right to privacy, market implications and security concerns

India’s digitalisation efforts are bearing fruit as Information Technology-led developments make an impact across sectors. At the same time, the adverse effects have become more pronounced, with 6,07,220 cyber security incidents reported in just the first half of 2021. Against this background, the recent directions issued by CERT-In (Indian Computer Emergency Response Team) try to enhance cyber security by bridging the gap in cyber incident analysis.

To this end, CERT-In’s approach mandates data collection, retention and integration by data centres, Virtual Private Server (VPS) providers, cloud service providers, Virtual Private Network (VPN) service providers and others. While it is imperative to enhance cyber security, some of the directives may not be privacy-friendly, may weaken data security, may raise costs for Indian startups and may have wider market implications.

Privacy Concerns over CERT-In Directions

While it is imperative to enhance cyber security, asking data centres, VPS providers, cloud service providers and VPN service providers to register and retain some of the metadata listed in the directive may not be proportionate. Likewise, the five-year data retention mandate is excessive and will require significant infrastructure investment.

Second, mandating that virtual asset service providers, virtual asset exchange providers and custodian wallet providers maintain KYC information is broad and excessive, even as India adopts the Financial Action Task Force recommendations on KYC. In addition, India’s KYC guidelines allow financial service providers to collect more information than they need to stay compliant. KYC as a process, however, has many challenges. A primary quantitative study conducted by Deepstrat and The Dialogue revealed major loopholes in the KYC processes adopted by multiple stakeholders in India’s payment ecosystem. Primary evidence collated in the study shows that accounts receiving money fraudulently often have poor or incorrect KYC details. This issue, compounded by the lack of harmonisation of KYC across different services, makes it next to impossible for law enforcement agencies to complete an investigation with the help of KYC data.

India’s KYC infrastructure requires a significant overhaul. In consultation with law enforcement and technical experts, the government should determine which datasets should be collected for law enforcement purposes. Until this is settled, merely directing companies to maintain KYC data may not help in meeting the cyber security objectives.

Market and Security Implications of CERT-In Directions

The directive would have multiple market-level implications. First, the classification of incidents that must be reported to CERT-In seems overbroad. As drafted, a single event could fall under several of the listed categories, each of which triggers mandatory reporting. This will put greater pressure on companies’ internal operations and increase the funding pressure associated with hiring more staff and establishing processes to comply with the mandate. Moreover, the large volume of incident reports would make it difficult to extract any practical intelligence from them.

Second, Directive (i), which requires entities to connect and synchronise their ICT systems with the Network Time Protocol (NTP) servers of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL), would affect multinational companies. Synchronisation is complex for multinational organisations that coordinate time across many geographies. As irregularities in the Earth’s orbit cause slight divergences between time frames, synchronising one part of their IT infrastructure to a different time standard would mean disrupting services and hindering incident response. It would also raise operational costs for small businesses and startups that use several cloud providers, as they would have to move to, or synchronise with, the NTP servers of NIC or NPL. It would be preferable to recognise synchronisation with UTC (Coordinated Universal Time), since NPL’s servers themselves contribute to UTC.
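The incident-response concern behind this point is that logs from different regions must line up on a single timeline. As an added illustration (not code from the article or from CERT-In), the snippet below normalises event records from three hypothetical sites of one organisation to UTC and flags any host whose clock has drifted beyond a tolerance from a reference reading; the site names, offsets, timestamps and tolerance are constructed for the example, and fixed UTC offsets are used instead of a time zone database so it runs offline.

```python
from datetime import datetime, timedelta, timezone

# Constructed fixed offsets for the sample sites (a real deployment would use
# zoneinfo so that daylight-saving changes are handled automatically).
SITE_OFFSETS = {
    "mumbai": timedelta(hours=5, minutes=30),   # IST
    "frankfurt": timedelta(hours=2),            # CEST in June
    "new-york": timedelta(hours=-4),            # EDT in June
}

# Constructed sample records: each site logged the same failed login in its
# own local time. Lining them up requires a common reference, which is UTC.
SAMPLE_EVENTS = [
    {"site": "mumbai", "local": "2022-06-01 14:30:00", "msg": "failed login"},
    {"site": "frankfurt", "local": "2022-06-01 11:00:00", "msg": "failed login"},
    {"site": "new-york", "local": "2022-06-01 05:00:00", "msg": "failed login"},
]


def to_utc(local_ts: str, site: str) -> datetime:
    """Interpret a naive local timestamp from `site` and return an aware UTC datetime."""
    naive = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S")
    aware = naive.replace(tzinfo=timezone(SITE_OFFSETS[site]))
    return aware.astimezone(timezone.utc)


def normalise_events(events):
    """Return the events with an ISO 8601 UTC field, ordered on the UTC timeline."""
    out = [{**e, "utc": to_utc(e["local"], e["site"]).isoformat()} for e in events]
    return sorted(out, key=lambda e: e["utc"])


def same_instant(events) -> bool:
    """True if every event, once normalised, refers to the same moment."""
    return len({to_utc(e["local"], e["site"]) for e in events}) == 1


def drifted_hosts(readings, reference_utc: datetime, tolerance_s: float):
    """Compare each host's clock reading against a reference and return the
    hostnames whose absolute skew exceeds `tolerance_s` seconds.
    `readings` maps hostname -> (local timestamp string, site)."""
    drifted = []
    for host, (local_ts, site) in readings.items():
        skew = abs((to_utc(local_ts, site) - reference_utc).total_seconds())
        if skew > tolerance_s:
            drifted.append(host)
    return sorted(drifted)


if __name__ == "__main__":
    for e in normalise_events(SAMPLE_EVENTS):
        print(e["utc"], e["site"], e["msg"])
    ref = datetime(2022, 6, 1, 9, 0, 0, tzinfo=timezone.utc)
    # Constructed clock readings taken at the reference instant.
    readings = {
        "web-01": ("2022-06-01 14:30:00", "mumbai"),     # in sync
        "db-02": ("2022-06-01 11:00:07", "frankfurt"),   # 7 s fast
        "vpn-03": ("2022-06-01 04:59:59", "new-york"),   # 1 s slow
    }
    print("drifted:", drifted_hosts(readings, ref, tolerance_s=2.0))
```

The design point is that NTP distributes UTC; the local offset is only a presentation detail. Keeping log timestamps in UTC with an explicit offset lets responders correlate events across regions regardless of which upstream time source each site uses, and a skew check like `drifted_hosts` is a cheap way to catch a host whose clock has silently diverged.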

Third, mandating metadata retention by VPN service providers affects their business, as the trust quotient, an integral part of the VPN business, might be compromised. Compromising VPNs in this way would also affect the Indian operations of businesses that rely on them.

Fourth, although reporting an incident is crucial, the timeline in the directions gives businesses only six hours to report cyber incidents, which would cause operational hurdles because they would simultaneously be engaged in damage management. In most cases a breach and its extent can take days or longer to detect. It is therefore difficult to establish the full picture of the actual breach and its degree within six hours, leaving the victims of the incident with an unfiltered data dump. This also contradicts some international best practices. For instance, under the General Data Protection Regulation businesses must report incidents within 72 hours of detecting a breach, while Singapore’s Data Protection Act provides a 72-hour period from the assessment of the breach. The report of the Joint Parliamentary Committee on the PDP Bill 2019 also provides a 72-hour timeline for companies to report data breaches to the Data Protection Authority.

Finally, mandating that service providers retain data for five years increases privacy concerns and imposes high financial costs on businesses. This could hurt the overall IT and IT-enabled services sector, as some players would need to build new systems to collect and store the data. Similarly, the validation of subscribers’ names, addresses and contact numbers mandated by the CERT-In directions would raise operating costs for startups, data centres and others that have to install such infrastructure and processes for the first time.

Requiring VPN service providers to record data such as the IP address and timestamp used at the time of registration or onboarding may have security implications for individuals and businesses trying to use a secure connection over unsecured internet infrastructure.

The Way Forward

While reporting cyber incidents is crucial from a data security perspective, reporting within six hours would cause operational hurdles for businesses that are simultaneously engaged in damage management. Instead, a risk-based approach to security would be preferable. Setting reporting timelines according to the severity and scale of impact and the business model of the company is a more sustainable way forward. It would allow organisations to respond better, focusing on damage limitation while sharing quality information with CERT-In for incident analysis. CERT-In should likewise adopt a risk-based approach to collection and management, directing businesses to develop a security event log collection and management plan relevant to the organisation’s risk appetite and operating model.

Therefore, as we move forward in securing Indian cyberspace, it is essential to arrive at a positive-sum outcome by balancing cyber security with the right to privacy, market implications and security concerns.

Kamesh Shekar is Senior Research Associate at The Dialogue and Fellow at The Internet Society. Kazim Rizvi is a public policy entrepreneur and founder of The Dialogue, an emerging policy think tank. The views expressed in this article are those of the authors and do not represent the stand of this publication.
