Day 95 – Q 4. What is CERT-In? What is its mandate? What are the bottlenecks in its effective functioning? Comment.
According to a written reply to Parliament by MeitY, based on the information reported to and tracked by the Indian Computer Emergency Response Team (CERT-In), 3,13,649 cyber security incidents were reported during the year 2019 till October, which highlights the growth of cyber incident reporting in the country.
CERT-In is the national nodal agency with the objective of securing Indian cyber space. CERT-In provides incident prevention and response services as well as security quality management services.
Mandate of CERT-In:
In the Information Technology (Amendment) Act, 2008, CERT-In has been designated to serve as the national agency to perform the following functions in the area of cyber security:
- Collection, analysis and dissemination of information on cyber incidents.
- Forecasts and alerts of cyber security incidents.
- Emergency measures for handling cyber security incidents.
- Coordination of cyber incident response activities.
- Issue guidelines, advisories and vulnerability notes and whitepapers relating to information security practices, procedures, prevention, response and reporting of cyber incidents.
- Such other functions relating to cyber security as may be prescribed.
Bottlenecks in effective functioning:
- CERT-In does not impose any obligation on government entities to report cyber incidents unless they come under any of the expressions "service providers", "data centers", "intermediaries" or "body corporate".
- This would mean that if the data kept with the Registrar General & Census Commissioner of India is hacked in a cyber incident, then there is no statutory obligation under the CERT Rules on it to report the incident.
- There has been a delay in acknowledgement of the cyber security incident at the Kudankulam Nuclear Power Plant.
- Although the CERT Rules provide for a mandatory obligation to report the cyber incidents listed therein, the Rules themselves do not provide for any penalty for non-compliance.
- There is a lack of legal obligation to report to the data subjects whose data is stolen or is put at risk due to the said breach.
However, this does not mean that there are no consequences for non-compliance, as the parent legislation, i.e. the IT Act, mentions the appropriate penalties for non-compliance.
Cyber incidents have serious consequences for societies, nations, and those who are victimized by them. The theft, exploitation or exposure of, or other damage to, private, financial, or other sensitive personal or commercial data, and cyber attacks that damage computer systems, are capable of causing lasting harm.