India's CERT given exemption from Right To Information requests
Activists worry investigations may stay secret, and then there are those odd incident reporting requirements
India's government has granted its Computer Emergency Response Team, CERT-In, immunity from Right To Information (RTI) requests – the nation's equivalent of the freedom of information queries in the US, UK, or Australia.
Reasons for the exemption have not been explained, but The Register has reported on one case in which an RTI request embarrassed CERT-In.
That case related to India's sudden decision, in April 2022, to require businesses of all sizes to report infosec incidents to CERT-In within six hours of detection. The rapid reporting requirement applied both to serious incidents like ransomware attacks and to less critical messes like the compromise of a social media account.
CERT-In justified the rules as necessary to defend the nation's cyberspace and gave just sixty days' notice for implementation.
The plan generated local and international criticism for being onerous and inconsistent with global reporting standards such as Europe's 72-hour deadline for notifying authorities of data breaches.
The reporting requirements even applied to cloud operators, who were asked to report incidents on tenants' servers. Big Tech therefore opposed the plan.
India gave some ground by extending the compliance deadline for small and medium businesses by an additional 90 days. But the regs eventually came into force, despite CERT-In not explaining how it would ingest or analyze the likely flood of data.
The Register sent multiple requests to CERT-In seeking clarification of its capabilities and the extent of compliance. We received no responses.
Indian outlet MediaNama used an RTI request and learned that a mere 15 entities had complied – and that India recorded 1,391,457 cyber security incidents in all of 2022. If they occurred evenly throughout the year, roughly 350,000 would have taken place after the September deadline, when filing under CERT-In's requirements became mandatory.
CERT-In's exemption from India's 2005 Right To Information Act has generated criticism from India's Internet Freedom Foundation (IFF), which called the move "certainly not in the public interest as it weakens the rights of the people by diluting an Act meant to empower them."
"The exclusion of CERT-In from application of the Act, in an environment where data breaches, device vulnerabilities, and deployment of illegal spywares occur frequently, significantly erodes its accountability," the org further alleged.
According to IFF, any exemption of an organization from the RTI must go before parliament, but at this time there is no certainty that will occur for CERT-In.
"The notification which exempted them contains no reasons," warned lawyer and IFF founding director Apar Gupta. "Here, the message is simple: while the Union Government wants to peep into your private lives and then leak it to the world, it does not want to answer any of your questions."
The change has also raised eyebrows in the context of the recent warnings of state-sponsored attacks on Apple devices sent to some Indian politicians. Activists fear an RTI ban may make it harder to learn more about those warnings.
India's IT minister, Rajeev Chandrasekhar, has kept quiet over the change, choosing instead to reprise his fight against deepfakes.
The minister last week held a meeting with social media platforms to discuss deepfakes – the day after the CERT-In RTI exemption announcement was made.
CERT-In reportedly joins 26 other intelligence and security organizations already exempt from the purview of the Act. ®