How to properly boost cyber security

Indian Computer Emergency Response Team issued instructions on April 28 to address information safety requirements, structure, prevention, response, and reporting of cyber incidents . The government must first assess the implications of such plans and devise a realistic timeline .

The Indian Computer Emergency Response Team (CERT-In) issued instructions on April 28 to address information safety requirements, structure, prevention, response, and reporting of cyber incidents in Section 70-B(6) of the Information Technology Act 2000 (IT Act).The scope of the above obligations has been broadened in comparison to the Information Technology (The Indian Computer Emergency Response Team and the Manner of carrying out functions and duties) Regulations, 2013.Service providers, intermediaries, data centers, and body corporates are seeking compliance with the National Physical Laboratory and National Informatics Center (NIC), mandatory reporting of all cyber incidents within six hours of noticing or alerting, CERT-IN, and undertaking to perform such activities for cyber security risk mitigation when notified by CERT-IN, and the retention of all logs of all ICT systems up to 180 days within Indian jurisdiction for data centers, virtual private network service providers, cloud service providers, and virtual private CERT-IN has been trying to obtain reports and investigation submissions from service providers, intermediaries, as well as body corporates for a long time now, according to the legislation and its obligation under section 70B(4) of the IT Act.This was affecting its position as a data collection, monitor, and dissemination company for cyberattacks, as well as coordinating incident response and emergency procedures.

Several cyberattacks are much more common and occur on a regular basis.Hundreds of phishing emails could be sent to an organization, and contacting them would dramatically raise the cost of compliance.It would also be interesting to see if CERT-Ins' approach for dealing with common-day cyberattacks and its own capacity enhancement in terms of achieving the desired compliance has been given a 60-day window before implementation of these compliances is scheduled.This may be a too short a window considering the transformation's breadth.

The tragic event of the Twitter crash in 2018 showing the impracticality of rushing in changes without considering risks.In this situation, there will be multiple companies in the MSME sector that will take time to implement procedures for compliance.All covered entities will also have to mandatorily enable logs and maintain them for 180 days outside the Indian jurisdiction.Currently, most organizations keep logs for about 30 days, and the extra data storage device investment would be prohibitive if you think about it.In parallel, data centres, virtual private server providers, cloud service providers, and virtual private network service providers will be required to hold additional records for five years or more after cancellation or withdrawal of registration.

The compliance cost in each case is expected to rise dramatically.Many of the companies will need to shift their servers geographically as well as add excess storage capacity.The addition of manpower for compliance, on the other hand, could take much longer.A realistic timeline would be six months, which would allow the entities to effectively transition to the new regime.Non-compliance is punishable by a stiff one-year jail term as well as fines.

But privacy questions cannot be denied.These worries are acute as VPNs and virtual asset wallets are forced to store and disclose KYC and transaction details.Because they address privacy concerns, VPNs have been successful for companies as well as individuals.In the few instances, these tunnels have been used for criminal purposes, and law enforcement authorities have yet to receive any assistance from the operators.

Although CERT-In has been proactive in recognising new technological frontiers and tackling previously unknown cyber threats, it is lacking in terms of a graded approach to ensuring compliance.