India Issues A Directive For Reporting Cyber Incidents
The Indian government has issued new directives requiring organisations to report cyber security incidents to CERT-IN within six hours, even if those incidents are port or vulnerability scans of computer systems.
The policy will come into effect within 60 days. It will have far-reaching ramifications for how the affected organisations collect and store data, the period for which that data must be retained, and the mandatory requirement to share it with the government in the event of a breach.
The Indian Computer Emergency Response Team (CERT-In) serves as the national agency for the cyber security functions set out in section 70B of the Indian Information Technology Act, 2000.
- CERT-In continuously analyses cyber threats and handles cyber incidents tracked and reported to it.
- CERT-In also regularly issues advisories to organisations and users to enable them to protect their data/information and ICT infrastructure.
- CERT-In calls for information from service providers, intermediaries, data centres and corporate organisations to coordinate response activities and emergency measures.
This requirement was originally promoted by CERT-In after it identified specific gaps that were hampering security incident analysis and response, and the measures needed to address them more actively. These measures and various other provisions were published and integrated into section 70B of the Information Technology (IT) Act, 2000, so they are part of Indian law and enter into force in 60 days.
The Ministry of Electronics and Information Technology has outlined its first ever cyber security policy, asking service providers, intermediaries, data centres, body corporates and government organisations to report any breaches or leaks within six hours of them being flagged. "Any service provider, intermediary, data centre, body corporate and government organisation shall report cyber incidents to CERT-In ... within six hours of finding such incidents or being brought to notice about such incidents," the policy says.
Incident Reporting
A "cyber incident" is defined under the Information Technology Rules as "any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly applicable security policy resulting in unauthorised access, denial of service or disruption, unauthorised use of a computer resource for processing or storage of information or changes to data, information without authorisation."
Examples of cyber incidents that must be reported include:
- Compromise of critical systems.
- Targeted scanning.
- Unauthorised access to computers and social media accounts.
- Attacks against servers and network appliances like routers and IoT devices.
- Website defacements, malware deployments, identity theft, DDoS attacks, data breaches, data leaks and rogue mobile apps.
The most significant requirement is that any Internet service provider, intermediary, data centre, or government organisation shall report these incidents to CERT-In within six hours of their discovery.
Also included are malicious code attacks (such as the spreading of viruses, worms, Trojans, bots, spyware, ransomware or cryptominers); attacks on servers (such as database, mail and DNS servers) and network devices; identity theft, spoofing and phishing attacks; data breaches; data leaks; and attacks or malicious/suspicious activities affecting cloud computing systems, servers, software and applications.
Sources: India.gov, Hindustan Times, BleepingComputer, Lexology, The Hacker News, National Law Review.