Exemption of CERT From Public Disclosure Rules CriticizedCritics Say Indian Security Agency Needs Public Accountability and Transparency
The Indian government has exempted the national Computer Emergency Response Team from providing information to citizens under the Right to Information Act, raising concerns from critics over whether the agency can investigate cybersecurity incidents in good faith and without bias.
The Indian government issued a notification on Nov. 23 to confirm the exemption, which was in the works for over a year. CERT-In now joins 26 other central government-run security and defense entities that are exempted from Right to Information rules and cannot be forced to divulge operational details.
Organizations exempt from the purview of the RTI Act include the foreign intelligence agency Research and Analysis Wing, the Intelligence Bureau, the National Technical Research Organization, paramilitary forces, the National Security Council Secretariat, the Central Economic Intelligence Bureau and the Directorate of Revenue Intelligence.
Exemptions are granted by the government under Section 8(1)(a) of the RTI Act, which states that the disclosure of information by designated agencies would "prejudicially affect the sovereignty and integrity of India, the security, strategic, scientific or economic interests of the state, relation with foreign state or lead to incitement of an offense."
Coinciding With Allegations of Spyware Use
The government's decision arrived a month after it had promised to thoroughly investigate Apple's claims of state-sponsored attacks targeting the iPhones of several members of Parliament and journalists in India.
Apple in November warned users about a state-sponsored attacker attempting to remotely access sensitive data, communications, camera and microphones, but later refused to provide details of the specific threat, stating that a disclosure may "help state-sponsored attackers adapt their behavior to evade detection in the future." The technology giant also declined to attribute the attacks to any specific state-sponsored attacker (see: Apple Alert on iPhone Hacking Fuels Spyware Fears in India).
The RTI exemption implies that affected victims may not be able to obtain details about the government investigation by CERT-In. The agency coordinates the government response to major cybersecurity incidents with help from public and private organizations.
CERT-in also led investigations into a massive cyberattack on the All India Institute of Medical Sciences, Delhi, India's premier healthcare institute. An AIIMS spokesperson told Information Security Media Group the incident had affected patient care services such as appointments, registrations, admissions, discharges, billing and report generation (see: Ransomware Disrupts Indian Premier Hospital for 2nd Day). A government ministry later accused Chinese hackers of infiltrating five of the 40 physical servers managed by AIIMS.
The government's decision to exempt CERT-In investigations from public scrutiny could affect digital trust, ISACA Ambassador RV Raghu told Information Security Media Group. "There is a delicate balance between national security and the trustworthiness of digital ecosystems. The elements of quality, availability, security and privacy, ethics and integrity, resiliency, and transparency all need to come together to achieve digital trust. Fewer security incidents can lead to greater trust, but so can transparency when these incidents do occur," he said.
New Delhi-based data privacy lawyer Gaurav Bhalla says CERT-In's investigation into the AIIMS cyberattack and state-sponsored hacking of Apple iPhones possibly prompted the government to shut the door on any information about these investigations, which he said is ironic because of the government's stance on privacy.
"The government has emphasized the importance of data privacy by enacting the Digital Data Protection Act 2023, but on the other hand it wants to shield the functioning of the national cybersecurity investigation agency from any exposure," he said. "Regressive actions by the government such as this one will only result in skepticism amongst the public as regards actions being undertaken in the event of breach of their personal information."
'Covering Your Back?'
Dinesh Bareja, COO of Open Security Alliance and founder of India Watch, said that CERT-In was formed in 2005 but the agency is more important today because of the increase in attacks and exploitation of government and institutional entities, so the timing of the RTI exemption does not make sense.
"We have AIIMS, Safdarjung Hospital, Aadhaar, CDSL and many more taking up prime space in media, along with uncontrolled, and exponential increase in cybercrimes. The CERT-empaneled League of Auditors needs to be called out along with CERT to establish accountability for these incidents but the door has quickly been shut, the weakness hidden," he said.
"This is just a government initiative to put a protective cover on an institution which should be doing a lot more than it shows it is doing. This business is not about covering your back but leading from the front."
Venkata Satish Guttula, co-founder and chief information security officer at Mumbai-based CyberXGen, said CERT-In, as the government's top agency to tackle cybercrime, should aim for a middle ground where it can maintain operational secrecy while still being accountable to the public.
"While detailed investigations should remain confidential, CERT-In could disclose aggregate data that doesn't reveal sensitive information. This could include the number of cybersecurity incidents reported, types of incidents categorized by threat level, statistics on resolutions, and the average response time to incidents," he said.
According to Guttula, CERT-In must abide by its primary role of sharing insights on trends in cyberthreats and general advisories without revealing specific vulnerabilities or the identity of affected organizations. "Such disclosures would provide a transparency framework that does not compromise national security and would likely be sustainable under judicial review," he said.
Industry bodies and organizations raised concerns over CERT-In's dedication to transparency and engagement long before the agency received legal protection from public disclosure. The agency in April 2022 released guidance on information security practices, which industry bodies said were not formulated with public comment.
CERT-In required organizations to report cyber incidents to the agency within six hours, and it required VPN providers, cloud service providers and data centers to maintain logs for 180 days. It directed organizations to share information with the agency upon request to speed incident analysis. "These directions shall enhance overall cybersecurity posture and ensure safe and trusted internet in the country," CERT-In said.
"It is interesting and unfortunate that on one hand, CERT-In wants our logs and data under the garb of addressing cybersecurity incidents, noncompliance with which will lead to one year jail time, but on the other hand, it itself doesn’t want to be transparent and held accountable to the citizens," the New Delhi-based Internet Freedom Foundation said.
The group said it has filed right-to-information requests to understand the institutional process CERT-In put in place to facilitate the implementation of the 2022 directions, but the agency was "nonresponsive and evasive," leaving organizations with no idea about how to put the directions into practice.
"Individuals are bound to share information with the state or any of its instrumentalities, but the latter has no such obligation, and is instead protected against it. Such inconsistent and continued steps to weaken accountability mechanisms toward citizens inflict untold damage to our digital rights," IFF said.