By Fiona Mehta
The ministry of electronics and information technology announced its first-ever cyber security policy in May 2022, requiring service providers, intermediaries, data centres, body corporates, and government entities to report any breaches or leaks within six hours of being alerted.
The policy will come into effect within 60 days. It will have far-reaching ramifications for how the entities mentioned above collect and store data, the period for which it will be stored and the mandatory need to share it with the government in case of a breach.
Parallel to this, the government is also working on a new cyber security policy, which has been in the works for over two years and proposes a multi-stakeholder framework to check propaganda, deception, disinformation and “adversarial narratives” being peddled on websites of social media companies, people familiar with the matter said. Called National Cyber Security Strategy, 2021, the policy stresses the need for a legislative framework to address the emerging challenges in the technology space.
Incidents to be reported under the CERT-In policy include targeted scanning/probing of critical networks/systems; compromise of critical systems/information; unauthorised access of IT systems/data; defacement of a website or intrusion into a website and unauthorised changes such as inserting malicious code or links to external websites; malicious code attacks such as the spreading of virus/worm/Trojan/bots/spyware/ransomware/cryptominers; attacks on servers such as database, mail and DNS, and on network devices such as routers; and identity theft, spoofing and phishing attacks.
The National Informatics Centre, which runs most government servers, has itself been a target of several phishing attacks, wherein email IDs of senior officials were compromised.
Moreover, for the purposes of cyber incident response and of protective and preventive actions related to cyber incidents, the service provider, intermediary, data centre or body corporate is mandated to take action or provide information or any such assistance to CERT-In, which may contribute towards cyber security mitigation actions and enhanced cyber security situational awareness. They have also been asked to appoint a point of contact officer.
The above-mentioned entities have also been asked to enable logs of all their information and communications technology systems and maintain them securely for a rolling period of 180 days within the Indian jurisdiction. If needed, these will have to be shared with CERT-In along with the reporting of any incident or when ordered/directed by it.
Maintain accurate information:
Aside from this, “virtual private server (VPS) providers, cloud service providers and virtual private network service (VPN service) providers, have been asked to register the following accurate information to be maintained for a period of five years or longer duration as mandated by the law”. The information includes validated names of subscribers/customers hiring the services, period of hire including dates, IPs allotted to/being used by the members, email address and IP address and time stamp used at the time of registration/on-boarding, purpose for hiring services, validated address and contact numbers and ownership pattern of the subscribers/customers hiring the services.
Know your customer:
As far as the virtual asset service providers, virtual asset exchange providers and custodian wallet providers (as defined by ministry of finance from time to time) are concerned, they shall “mandatorily maintain all information obtained as part of Know Your Customer (KYC) and records of financial transactions for a period of five years so as to ensure cyber security in the area of payments and financial markets for citizens while protecting their data, fundamental rights and economic freedom in view of the growth of virtual assets”.