As nation-state bad actors develop sophisticated software and create bugs to infiltrate systems to cripple sensitive infrastructure and snoop into the private lives of people who matter via surveillanceware, the Indian Computer Emergency Response Team (CERT-In) has a real tough job at hand.
Being the nation’s premier cyber agency, CERT-In was formed in 2004 under IT Act, 2000 Section (70B), under the IT Ministry.
Since then, the nature of cyber attacks has changed drastically, especially in the last couple of years in the pandemic, and countries like China, North Korea, Pakistan and others are busy supporting armies of hackers who aim to target India.
CERT-In reported more than 2.12 lakh cybersecurity incidents in January-February this year — compared to more than 14.02 lakh incidents for 2021.
Replying to a question in the Rajya Sabha in March, Minister of State for Electronics and IT, Rajeev Chandrasekhar revealed these figures, without specifying the origin of the cyber attacks.
Cyber attacks on critical infrastructure by nation-state bad actors have increased significantly and India observed a 70 per cent increase in ransomware activity in the fourth quarter (Q4) of 2021, according to cybersecurity company Trellix.
Over half of adversarial advanced persistent threat actor activity originated from Russian and Chinese backed groups.
A Russian malware recently planted from a server in Nigeria was used for a cyber attack on Oil India’s (OIL) system in Assam.
The state-owned company had suffered a major cyber attack in its field headquarters in eastern Assam’s Duliajan, with the hacker demanding $75,00,000.
The transportation, healthcare, shipping, manufacturing and information technology industries are witnessing a sharp increase in threats.
India saw over 18 million cyber attacks and threats, at an average of nearly 200,000 threats every day, in the first three months of 2022, according to cyber security firm Norton.
The country was among the top three nations that experienced most server access and ransomware attacks in Asia in 2021, said researchers from IBM’s X-Force Threat Intelligence team.
In such a scenario, the responsibilities of CERT-In grow multifold, that goes beyond issuing advisories and taking concrete steps, on the lines of global cyber agencies, to create an infrastructure to thwart nation-bad actors.
Reports recently surfaced that the government is thinking of setting up a specialised Computer Security Incident Response Team (CSIRT) to tackle attacks on critical infrastructure like power.
CERT-In is also busy fixing virtual private network (VPN) providers in the country, via new rules that require VPN service providers, along with data centres and cloud service providers, to store information such as names, email IDs, contact numbers, and IP addresses (among other things) of their customers for a period of five years.
The cyber agency has given VPN providers another three months to comply with its new rules, and the new regulations will become effective on September 25.
After concerns were raised over its directive, industry experts said that if the new guidelines are strictly enforced, corporate and enterprise VPNs will have to compulsorily report several serious offences that will help the end users.
Sandip Kumar Panda, a co-founder of Instasafe Technologies, said that the regulation is mostly aimed at B2C or personal VPN service providers.
“Quite often, these kinds of services are also used for anti-national activities which a government body might not be able to track easily. Government will be able to enforce this law for VPN service providers who are legally operating within the country,” Panda noted.
Leading VPN service providers NordVPN, Surfshark and ExpressVPN have already removed their servers from India over the new directions.
CERT-In later said that the rules of maintaining customer logs would not apply to enterprise and corporate VPNs.
Aloke Kumar Dani, Partner, Risk Advisory, Deloitte India said that the CERT-In directive is quite broad, and organisations have to make significant investments to comply.
“The extension of timeline comes as a big relaxation for micro, small and medium enterprises (MSMEs) to make the right investments and choose the right cyber incident reporting framework in order to have a robust cyber defence as well as to comply with the regulations,” Dani explained.
“Also, more clarifications are expected to come in, especially regarding the materiality of cyber incidents and the failure to comply with the overall CERT-In directive,” he added.
As per CERT-In, there are various types of other offences like data breach, data leak, spread of computer contaminant, identity theft, spoofing, phishing, Distributed Denial of Service (DDoS) attacks on applications such as e-governance, e-commerce etc.
The cyber agency has also told enterprises to report cybercrime incidents to it within six hours.
“Any service provider, intermediary, data centre, body corporate and government organisation shall mandatorily report cyber incidents to CERT-In within 6 hours of noticing such incidents or being brought to notice about such incidents,” says CERT-In.
All government bodies and service providers such as data centres are now required to maintain a log of all Information Communication Technology (ICT) systems.
The companies and organisations will also have to store the data securely for a rolling period of 180 days within the Indian jurisdiction, according to CERT-In.
At a time when investing in cyber defence becomes the top priority for the Centre and enterprises, CERT-In needs to keep up with the changing cyber landscape.
(Nishant Arora can be reached at firstname.lastname@example.org)