7 highlights
-
In 2013, the Indian Computer Emergency Response Team (CERT-In) was established under rules issued under the Information Technology Act, 2000 to serve as a “trusted referral agency” that users could turn to in the event of a cyber attack.
-
The 2013 Rules largely left it up to individual users to decide whether or not they wanted to report a cybersecurity incident to CERT-In. However, in an Annex at the end of the rules, it listed ten types of incidents that mandatorily had to be reported. And that was where the problems began.
-
Most incidents described in the Annex had to do with attacks on critical infrastructure - the SCADA systems central to our national energy grid, the DNS servers that routed internet traffic and other such systems. However, the Annex also required relatively benign incidents - “unauthorised access to IT systems/ data”, “defacement of websites” and “spoofing and phishing attacks” - to be reported.
-
Requiring users to mandatorily report all such incidents - every phishing attempt, every attempt to gain unauthorised access to a computer, every kid who scrawls digital graffiti on a website - is excessive and unwarranted.
-
Surely an organisation tasked with assisting users in dealing with cyber incidents should focus its resources on addressing serious cyber incidents that are likely to have an impact on the largest number of users. Instead of doing that, CERT-In seems to be encouraging companies to bury it under such a monstrous pile of cyber incident reports that it will be simply incapable of filtering out the signal from the noise.
-
I believe that it is this anxiety around unintended consequences of their drafting that drives lawmakers to stuff their statutes with residuary clauses—ostensibly innocuous catch-all provisions designed to cover subject matter that might have been inadvertently omitted during the drafting process.
-
This tendency, which I called Regulatory FOMO, or the lawmaker’s fear of missing out, is probably the best explanation for why the new CERT-In Directions have been issued in this form.