Indian CISOs voice concerns on CERT-In’s new cybersecurity directives

Cybersecurity experts have raised concerns around the recently announced standards by the Indian Computer Emergency Response Team.

0n 28 April 2022, the Indian Computer Emergency Response Team (CERT-In) issued directives that, among other things, require entities to report cybersecurity incidents to the agency within six hours and maintain IT logs and communications for six months. The directives, to be effective from 27 June 2022, are applicable to all service providers, intermediaries, data centres, corporate bodies, and government organisations.

Some Indian cybersecurity practitioners say the six-hour incident reporting mandate is unnecessarily short and does not compare to the global standards. Jaspreet Singh, clients and markets leader at auditing firm Grant Thornton, notes that mature markets have reporting guidelines of 24 hours to 72 hours.

The mandate could make things even more complex when organisations are trying to focus on the difficult task of understanding, responding to, and repairing cybersecurity incidents, say several practitioners that CSO India spoke to.

False-positives could lead to overkill of responses and significant workload increases

Fal Ghancha, CISO at DSP Mutual Fund, says that the majority of the time—more than 70%—there are false-positive cybersecurity alerts of an incident. A six-hour reporting mandate could lead to an overkill of reporting. Because the timeline is very tight, people will become more aggressive and paranoid; they will report the incident in a rush and make wrong decisions, he says. 

Ghancha points out that the CERT-In directives have multiple granular actions, which today many organisations don’t follow at length. “The entire ecosystem will have to be integrated with a 24/7 monitoring system and skilled resource to ensure all the reports are seen, analysed, and reported as per the new guidelines,” Ghancha says.

The extra work for security operations centers could be significant, he says. “Let’s say today an organisation is monitoring its crown jewels only, which may be 20% of the total assets. Tomorrow, the organisation will need to monitor additional assets, which will be 50% to 60% higher than the current number.”

Venkateswaran T R, deputy general manager for money-laundering prevention at Punjab National Bank, says the problem with the mandate is that there are neither the skill sets nor the awareness in India to report an incident within six hours. “It takes an enormous skill set, time, and awareness first to find out what exactly is the attack and then mitigate it. It is not feasible to report an incident within six hours because many do not even understand the terminologies of various aspects of incident reporting yet,” says Venkateswaran, who previously served as the CISO at the bank.

Vague standards make reporting and incident assessment uncertain

Worse, “the mandate does not define what all will have to be reported,” Venkateswaran says, increasing the skills needed to make appropriate, consistent evaluations. “There is a need to have a classification and clarification on who all need to report an incident and at what level,” he says.

Grant Thornton’s Singh says he believes the new mandate is a good start in terms of having uniform reporting guidelines, but agrees that a clear-cut definition of what an incident is would have helped.

Venkateswaran says larger companies might be able to comply with the new norms, but smaller companies will find it a big challenge. He suggests the norm should include a general format of informing about an attack and reporting at a subsequent stage when the data is analysed and the attack is contained.

Singh says the new mandate will force companies to go through a maturity model and that CISOs will need to put in place a clear-cut incident management plan and reporting guidelines.

CERT-In’s new directives: A first step or a bad start?

The concerns over the CERT-In directives’ timeframes and ambiguities can be seen as a first step where the journey will improve over time, or as poor start that will divert resources and attention.

Singh is cautiously optimistic for the long run: “Today, cyberattacks are a reality. Till now, there were no reporting guidelines. Though there were sectorial guidelines from RBI, there was nothing at a country level. So, this is a very good start as it will bring uniformity. The more we share with CERT-In and other organisations, the better it becomes for the country as awareness increases,” he says.

Venkateswaran is not so hopeful: “Not much will be achieved out of the new mandate. We need to first create skills and maturity in the community and seek answers to questions such as: Do we know how to identify an incident? Do we have the tools that can help us at that pace?”