MeitY issues Directions to Strengthen Incident Reporting and Emergency Measures for Cyber Security

MeitY issues Directions to Strengthen Incident Reporting and Emergency Measures for Cyber Security

"it is considered expedient in the interest of the sovereignty or integrity of India, defence of India, security of the state, friendly relations with foreign states or public order or for preventing incitement to the commission of any cognizable offence using computer resource or for handling of any cyber incident, that following directions are issued to augment and strengthen the cyber security in the country"

The Ministry of Electronics and Information Technology has issued guidelines under Section 70B, subclass (6) relating to information security practices, procedures, prevention, response, and reporting of cyber incidents for Safe & Trusted Internet.

This step was taken in response to the increase in cyber crimes and incidents being reported from time to time. It was noted that there is a need to coordinate response activities and emergency measures relating to cyber incidents.

The Central Government has appointed "Indian Computer Emergency Response Team (CERT-In)" vide notification dated 27 October 2009 published in the official Gazette and as per provisions of sub-section (4) of section 70B of IT Act, 2000.

CERT-In is thereby empowered to call for information and directions to service providers, intermediaries, data centers, body corporate, and any other person for carrying out the activities enshrined in sub-section (4) of section 70B of the IT Act, 2000.

The CERT-In shall serve as the national agency for performing the following functions in the area of cyber security:

1. collection, analysis, and dissemination of information on cyber incidents;

2. forecast and alerts of cyber security incidents;

3. emergency measures for handling cyber security incidents;

4. coordination of cyber incidents response activities;

5. issue guidelines, advisories, vulnerability notes, and whitepapers relating to information security practices, procedures, prevention, response, and reporting of cyber incidents;

6. such other functions relating to cyber security as may be prescribed.

The following directions are issued:

1. All service providers, intermediaries, data centers, body corporate, and Government organizations shall connect to the Network Time Protocol (NTP) Server of the National Informatics Centre (NIC) or National Physical Laboratory (NPL) or with NTP servers traceable to these NTP servers, for synchronization of all their ICT systems clocks. Entities having ICT infrastructure spanning multiple geographies may also use accurate and standard time sources other than NPL and NIC, however, it is to be ensured that their time source shall not deviate from NPL and NIC

2. Any service provider, intermediary, data centre, body corporate, and Government organisation shall mandatorily report cyber incidents within 6 hours of noticing such incidents or being brought to notice about such incidents.

3. When required by order/direction of CERT-In, for the purposes of cyber incident response, protective and preventive actions related to cyber incidents, the service provider/intermediary/data centre/body corporate is mandated to take action or provide information or any such assistance to CERT-In, which may contribute towards cyber security mitigation actions and enhanced cyber security situational awareness.

4. All service providers, intermediaries, data centers, body corporate, and Government organisations shall mandatorily enable logs of all their ICT systems and maintain them securely for a rolling period of 180 days and the same shall be maintained within the Indian jurisdiction. These should be provided to CERT-In along with reporting of any incident or when ordered/directed by CERT-In.

5. Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers, and Virtual Private Network Service (VPN Service) providers, shall be required to register the following accurate information which must be maintained by them for 5 years or longer duration as mandated by the law after any cancellation or withdrawal of the registration as the case may be

6. The virtual asset service providers, virtual asset exchange providers, and custodian wallet providers (as defined by the Ministry of Finance from time to time) shall mandatorily maintain all information obtained as part of Know Your Customer (KYC) and records of financial transactions for five years to ensure cyber security in the area of payments and financial markets for citizens while protecting their data, fundamental rights, and economic freedom given the growth of virtual assets.

It is further directed that in the event of any incident, the above-mentioned entities are required to furnish the details as required by CERT-In, failure to which will result in punitive action under subsection (7) of the section 70B of the IT Act, 2000 and other laws as applicable.

Additionally, the guidelines annexed a list of mandatory incidents which shall be required to be reported by service providers, intermediaries, data centers, body corporate and Government organisations to CERT-In:

1. Targeted scanning/probing of critical networks/systems

2. Compromise of critical systems/information

3. Unauthorised access of IT systems/data

4. Defacement of website or intrusion into a website and unauthorised changes such as inserting malicious code links to external websites etc.

5. Malicious code attacks such as spreading of virus/worm/Trojan/Bots/ Spyware/Ransomware/Cryptominers

6. Attack on servers such as Database, Mail, and DNS and network devices such as Routers

7. Identity Theft, spoofing, and phishing attacks viii. Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks

8. Attacks on Critical infrastructure, SCADA and operational technology systems, and Wireless networks

9. Attacks on Applications such as E-Governance, E-Commerce, etc.

10. Data Breach

11. Data Leak

12. Attacks on Internet of Things (IoT) devices and associated systems, networks, software, servers

13. Attacks or incidents affecting Digital Payment systems xv. Attacks through Malicious mobile Apps

14. Fake mobile Apps

15. Unauthorised access to social media accounts

16. Attacks or malicious/ suspicious activities affecting Cloud computing systems/servers/software/applications

17. Attacks or malicious/suspicious activities affecting systems/ servers/ networks/ software/ applications related to Big Data, Blockchain, virtual assets, virtual asset exchanges, custodian wallets, Robotics, 3D and 4D Printing, additive manufacturing, Drones

18. Attacks or malicious/ suspicious activities affecting systems/ servers/software/ applications related to Artificial Intelligence and Machine Learning

The directions will become effective after 60 days from the date of issue, i.e. 28 April 2022.