CERT-In: the good and bad side of India's nodal cybersecurity body

Pallavi Vishwakarma
August 1, 2023

The Indian Computer Emergency Response Team (CERT-In) is India’s nodal agency under Section 70B of the Information Technology Act, 2000, as amended in 2008 (IT Act, 2000). The operational scope of CERT-In includes educating different stakeholders on the best ways to secure the country's cyber infrastructure and acting as the first responder to cyber security incidents.

The functions of CERT-In are:

  • Collection, analysis, and dissemination of information on cyber incidents.
  • Forecast and alerts of cyber security incidents.
  • Emergency measures for handling cyber security incidents.
  • Coordination of cyber incident response activities.
  • Issue guidelines, advisories, vulnerability notes, and whitepapers on information security practices, procedures, prevention, response, and reporting of cyber incidents.
  • Such other functions relating to cyber security as may be prescribed.

Why is CERT-In considered a good government organization for cybersecurity?

  • CERT-In handled a total of 1,158,208 incidents in 2020, including website intrusion and malware propagation, malicious code, phishing, distributed denial-of-service attacks, website defacements, unauthorized network scanning and probing, ransomware attacks, data breaches, and vulnerable services. According to a report by the International Telecommunication Union (ITU), India has improved continuously and has climbed 37 spots to take tenth place in the Global Cybersecurity Index 2020 (GCI).
  • In May 2022, CERT-In mandated compulsory reporting of all cyber-attacks by the government and other entities within six hours.
  • Offers recovery procedures.
  • Interacts with vendors and others at large to investigate and provide solutions for incidents.
  • Works as a central point for reporting incidents.
  • Provides cybersecurity training.
  • Releases the latest attacks and vulnerabilities on websites as headlines for the public.
  • Companies with CERT-In certification improve their reputation in the market, as it ensures that the company has a strong security posture.
  • In addition to reporting and notifying cybersecurity incidents, the CERT-In cybersecurity directive aids in the issuance of guidelines for Indian enterprises that provide the best information security practices for handling and preventing cybersecurity issues.

Everything wrong with CERT-In

  • Zero-knowledge systems such as VPS and VPN providers make it possible to remain anonymous and secure online, prevent tracking and profiling, and support user safety online, particularly for disadvantaged and at-risk groups in society. The guidelines provided by CERT-In run the risk of weakening the purpose of these technologies, which keep us all safe online.
  • Additionally, CERT-In goes beyond its authority by requiring virtual asset service providers, virtual asset exchange providers, and custodian wallet providers (cryptocurrency exchanges and wallets) to keep records of customer and transaction details for five years in accordance with the Know Your Customer (KYC) standards. The CERT-In instructions shouldn't include this. Instead, financial regulations, compliance procedures, standards, and practices should be used to control these services and service providers.
  • The CERT-In website offers limited documentation and advice that is relevant to non-critical sector private organizations, which make up the majority of ecosystem participants in national cyber security. The available documentation not only focuses on entities in the government and critical infrastructure sectors, but it also purposefully ignores any applicable standards or guidance that it could offer to industry associations and ethical hackers, fulfilling only a tiny fragment of its mandate.
  • It is important for both the public and the corporate sector to be able to report security flaws and cyberattacks in a way that is simple to locate and thorough but not overly onerous. At present, CERT-In can only be notified of such exploits via email, leaving the specifics of such an exploit fully open-ended. In contrast, the US-CERT Incident Reporting System has a comprehensive, complicated, and privacy-conscious form that makes it much simpler to report and follow up on an exploit in the future. Additionally, paying bug bounties will encourage security researchers to contact the government with their exploits and bugs rather than using them themselves or selling them to the highest bidder on the dark web.

Final Thoughts

CERT-In's mandate to aggressively protect India's cyber security interests for the numerous stakeholders in the Indian cyber security ecosystem could benefit from a variety of improvements. To assess current policies, practices, and capabilities, a clear governance structure for organizations charged with cybersecurity and cyber crisis management should be formed. This structure should include an appropriate mandate that clarifies the duties and responsibilities of various authorities.

Policymaking regarding cybersecurity should be taken seriously by CERT-In, as it can help the industry in catalyzing innovation and bringing new solutions to the market at a faster pace and with enhanced agility. The documentation regarding any rules and regulations must also be updated continuously for better implementation of the laws.

SecOps Solution is an award-winning agent-less Full-stack Vulnerability and Patch Management Platform that helps organizations identify, prioritize and remediate security vulnerabilities and misconfigurations in seconds.
