CERT-In (the Indian Computer Emergency Response Team) is a government-mandated information technology (IT) security organization. The purpose of CERT-In is to respond to computer security incidents, report on vulnerabilities and promote effective IT security practices throughout the country. CERT-In was created by the Indian Department of Information Technology in 2004, and its functions are:
1) Collection, analysis and dissemination of information on cyber incidents.
2) Forecast and alerts of cyber security incidents.
3) Emergency measures for handling cyber security incidents.
4) Coordination of cyber incident response activities.
5) Issue guidelines, advisories, vulnerability notes and whitepapers relating to information security practices, procedures, prevention, response and reporting of cyber incidents.
6) Such other functions relating to cyber security as may be prescribed.
One of the important duties placed on the various stakeholders in cyberspace is the reporting of cyber security incidents to CERT-In, as mandated in the Rules of 2013. As per section 70 (b) (7), any service provider, intermediaries, data centres, body corporate or person who fails to provide the information called for or comply with the direction under sub-section (6) shall be punishable with imprisonment for a term which may extend to one year or with fine which may extend to one lakh rupees or with both.
CERT-In is also empowered to issue directions for compliance to service providers, intermediaries, data centers and bodies corporate in respect of such reports of cyber security incidents, and to take appropriate action against non-compliance in the form of civil as well as criminal remedies.
As per recent information received under RTI by Dr. Mahendra Limaye, a cyber legal consultant based in Nagpur, CERT-In received a total of 394499, 1158208, 1402809 and 674021 cyber security incidents, such as phishing, scanning, distributed denial of service attacks, website intrusions, malware infections and vulnerable services, during the years 2019, 2020, 2021 and 2022 (up to June 22) respectively.
To the query asking in how many of the cyber security incidents reported by 1) service providers, 2) intermediaries, 3) data centers and 4) bodies corporate CERT-In had issued directions for compliance, the response received from CERT-In was, “In discharge of its functions, appropriate communications calling for information and / or directions are issued by CERT-In to organizations.” This answer shows that CERT-In was reluctant to provide a detailed break-up of the incidents in which it issued directions for compliance. To the further queries, namely in how many cases non-compliance reports had been forwarded by CERT-In to the Review Committee, and in how many non-compliance matters civil or criminal actions had been initiated by CERT-In, the response was cold, stating that no case had been booked. This makes it abundantly clear that CERT-In has neither recommended any matters of non-compliance to the Review Committee nor initiated any civil or criminal action against those who had not provided timely compliance.
The main function of CERT-In is to provide guidance and collect information about cyber security incidents that have happened in India. A cyber security incident is described as any real or suspected adverse event that is likely to cause or causes an offense or contravention, harm to critical functions and services across the public and private sectors by impairing the confidentiality, integrity or availability of electronic information, systems, services or networks without authorization, and that has a negative impact on the national economy. This shows how much significance is attached to the roles and responsibilities of CERT-In in national cyber security. When about 36 lakh incidents have been received by CERT-In in around 3 ½ years, it is highly improbable that compliance would have been received in most of these incidents, and still the information under RTI reveals that no matter was referred either to the Review Committee or for appropriate civil or criminal action. Either the incidents reported were not of much significance to CERT-In, or they were of minimal risk to the critical infrastructure of the nation; in both cases CERT-In owes the nation the break-up of the incidents sought under RTI.
Researchers in cyberspace very much doubt that, when about 36 lakh incidents took place, there were none which CERT-In thought worthy of reporting to the Review Committee or to any judicial authorities, and hence they are compelled to ask whether CERT-In is justifying its role as the watchdog of India's cyberspace.
If the RTI query is to be believed, then it is really worrying that India's premier organisation for reporting cyber incidents is not making effective use of its resources and may be putting Indian cyberspace in danger. Hence the question: “Is the Indian cyber watchdog sleeping?”
Dr Mahendra Limaye
Cyber Legal and Data Privacy Consultant