Learn bytes
G.S. 3
Mahesh

11/07/22 04:20 AM IST

CERT-In’s new cybersecurity norms

What are these norms that CERT-In is clarifying?

  • The norms, released recently, asked VPN service providers, along with data centres and cloud service providers, to store information such as names, email IDs, contact numbers, and IP addresses (among other things) of their customers for a period of five years.
  • Entities are also required to report cybersecurity incidents to CERT-In within six hours of becoming or being made aware of them.
  • The norms have triggered concerns over privacy, and CERT-In is expected to clarify that private information of individuals will not be affected by the directions.
  • “These directions do not envisage seeking of information by CERT-In from service providers on a continual basis as a standing arrangement.
  • CERT-In may seek information from service providers in case of cyber security incidents and cyber incidents, on a case-to-case basis, for discharge of its statutory obligations to enhance cyber security in the country,” according to a person aware of the clarifications that CERT-In is in the process of finalising.
  • The agency is also likely to include in its clarifications that the April 28 directive to store such information and share it with CERT-In will “override” any contractual obligation VPN providers may have with their customers of not disclosing such information.

Why has CERT-In felt the need to issue a clarification?

  • Prominent VPN providers, a large part of whose value proposition is ensuring anonymity of their users on the Internet, have questioned the directives, and some providers like NordVPN are even considering pulling their servers from India should the directive be enforced on them.
  • “At the moment, our team is investigating the new directive recently passed by the Indian government and exploring the best course of action.
  • As there are still at least two months left until the law comes into effect, we are currently operating as usual.
  • We are committed to protecting the privacy of our customers, therefore, we may remove our servers from India if no other options are left,” Laura Tyrylyte, head of public relations at Nord Security, said.
  • VPN providers like Surfshark have claimed that their technology does not allow the logging of users’ information.
  • “Surfshark has a strict no-logs policy, which means that we don’t collect or share our customer browsing data or any usage information.
  • Moreover, we operate only with RAM-only servers, which automatically overwrite user-related data.
  • Thus at this moment, we would not be able to comply with the logging requirements even technically.
  • We are still investigating the new regulations and its implications for us, but the overall aim is to continue providing no-logs services to all of our users.”

When did the first convention on cybersecurity take place?

  • Budapest Convention on Cybercrime: It is the first international treaty that seeks to address Internet and cybercrime by harmonizing national laws, improving investigative techniques and increasing cooperation among nations.
  • It came into force in 2004. India is not a signatory to this convention.

Initiatives taken by Indian Govt.

  • Cyber Surakshit Bharat Yojana: It was launched in 2018 by the Ministry of Electronics and Information Technology in association with the National e-Governance Division (NeGD) and industry players. It includes awareness programs on cyber security, workshops on best practices, and enablement of officials with cyber security health tool kits.
  • Cyber Swachhta Kendra (Botnet Cleaning and Malware Analysis Centre): It provides for the detection of malicious programs and free tools to remove such programs.
  • Indian Cyber Crime Coordination Centre (I4C): It was established in 2018 to combat cybercrime in India in a comprehensive and coordinated manner. It functions under the Ministry of Home Affairs.
  • Internet Governance Forum (IGF): It brings together all stakeholders i.e. government, private sector and civil society on the Internet governance debate. It was first convened in October–November 2006.
  • Internet Corporation for Assigned Names and Numbers (ICANN): It is a non-profit organization responsible for coordinating the maintenance and procedures of several databases related to the namespaces and numerical spaces of the Internet, ensuring the network's stable and secure operation. It has its headquarters in Los Angeles, U.S.A.
  • International cooperation: Looking forward to becoming a secure cyber ecosystem, India has joined hands with several developed countries like the United States, Singapore, Japan, etc. These agreements will help India to challenge even more sophisticated cyber threats.
  • Online cybercrime reporting portal
  • National Critical Information Infrastructure Protection Centre (NCIIPC)
  • Information Technology Act, 2000
  • National Cyber Security Strategy 2020

Where are the most cyber attacks seen in India?

  • According to EY’s latest Global Information Security Survey (GISS) 2018-19 – India edition, one of the highest numbers of cyber threats has been detected in India, and the country ranks second in terms of targeted attacks.
  • Although Banking and Telecom are the most attacked sectors, Manufacturing, Healthcare, and Retail have also faced a significant number of cyber attacks.

Motives behind Cyber Attacks

  • To seek commercial gain by hacking banks and financial institutions.
  • To attack critical assets of a nation.
  • To penetrate into both corporate and military data servers to obtain plans and intelligence.
  • To hack sites to virally communicate a message for some specific campaign related to politics and society.

Types of Cyber Attacks

  • Malware, short for malicious software, refers to any kind of software that is designed to cause damage to a single computer, server, or computer network. Ransomware, spyware, worms, viruses, and Trojans are all varieties of malware.
  • Phishing: It is the method of trying to gather personal information using deceptive e-mails and websites.
  • Denial of Service attacks: A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it inaccessible to its intended users. DoS attacks accomplish this by flooding the target with traffic, or sending it information that triggers a crash.
  • Man-in-the-middle (MitM) attacks, also known as eavesdropping attacks, occur when attackers insert themselves into a two-party transaction. Once the attackers interrupt the traffic, they can filter and steal data.

Latest Cases

  • WannaCry: It was a ransomware attack that spread rapidly in May 2017. The ransomware locked users’ devices and prevented them from accessing data and software until a certain ransom was paid to the criminals. The top five cities in India affected by it were Kolkata, Delhi, Bhubaneswar, Pune and Mumbai.
  • Mirai Botnet: Mirai is malware that infects smart devices that run on ARC processors, turning them into a network of remotely controlled bots or zombies. This network of bots, called a botnet, is often used to launch Distributed Denial of Service (DDoS) attacks. In September 2016, Mirai malware launched a DDoS attack on the website of a well-known security expert.

Need for Cyber Security

  • For Individuals: Photos, videos and other personal information shared by an individual on social networking sites can be inappropriately used by others, leading to serious and even life-threatening incidents.
  • For Business Organizations: Companies have a lot of data and information on their systems. A cyber attack may lead to loss of competitive information (such as patents or original work) and loss of employees’ or customers’ private data, resulting in a complete loss of public trust in the integrity of the organization.
  • For Government: A local, state or central government maintains a huge amount of confidential data related to the country (geographical, military strategic assets etc.) and its citizens. Unauthorized access to this data can lead to serious threats to a country.

Who governs CERT-In?

  • CERT-In is empowered under Section 70B of the Information Technology Act to collect, analyse and disseminate information on cyber security incidents.
  • Computer Emergency Response Team - India is an organisation of the Ministry of Electronics and Information Technology with the objective of securing Indian cyberspace.
  • It is the nodal agency which deals with cybersecurity threats like hacking and phishing.
  • It collects, analyses and disseminates information on cyber incidents, and also issues alerts on cybersecurity incidents.
  • CERT-IN provides Incident Prevention and Response Services as well as Security Quality Management Services.

Mandates

  • Mandatorily Enable Logs: It mandates all service providers, intermediaries, data centres, corporates and government organisations to mandatorily enable logs of all their ICT (Information and Communication Technology) systems.
  • The service providers have to maintain the logs securely for a rolling period of 180 days, and the logs shall be maintained within the Indian jurisdiction.
  • The log should be provided to CERT-In along with reporting of any incident or when directed by the computer emergency response team.
  • Connect and Synchronize all ICT systems: To ensure the chain of events is accurately reflected in the time frame, service providers have been asked to connect and synchronize all their ICT system clocks to the Network Time Protocol (NTP) Server of the National Informatics Centre (NIC) or National Physical Laboratory (NPL).
  • NTP is a protocol used for reliably transmitting and receiving accurate time sources over TCP/IP-based networks.
  • It is used for synchronizing the internal clock of computers to a common time source.
  • Requires Maintaining Records: It also requires virtual asset, exchange, and custodian wallet providers to maintain records on KYC and financial transactions for a period of five years.
  • Companies providing cloud, virtual private network (VPN) will also have to register validated names, emails, and IP addresses of subscribers.

How has the government responded to these concerns?

  • There was “nothing to worry about” CERT-In’s norms. “There is no privacy concern. Suppose somebody takes a mask and shoots, wouldn’t you ask them to remove that mask? It is like that.
  • Cybersecurity is something which is continuously evolving. So we have issued very comprehensive guidelines from CERT-In. Ultimately, if there is a threat to you, the police and you would both have to work together.”
  • “The basic concept (of the guidelines) is that the people who are actually running the infrastructure should take all possible steps to make sure that things are in place and if there is any breach, immediately inform us so that we can take action.”
  • In 2020, the National Cyber Security Strategy was conceptualised by the Data Security Council of India (DSCI) headed by Lt General Rajesh Pant. The report focused on 21 areas to ensure a safe, secure, trusted, resilient, and vibrant cyberspace for India.
  • However, amid a surge in cyberattacks on India’s networks, the Centre is yet to implement the National Cyber Security Strategy.

Components of the National Cyber Security Strategy

  • Large Scale Digitisation of Public Services: Focus on security in the early stages of design in all digitisation initiatives.
  • Developing institutional capability for assessment, evaluation, certification, and rating of the core devices
  • Timely reporting of vulnerabilities and incidents.
  • Supply Chain Security: Monitoring and mapping of the supply chain of the Integrated Circuits (ICT) and electronics products.
  • Leveraging the country’s semiconductor design capabilities globally at strategic, tactical and technical levels.
  • Critical Information Infrastructure Protection: Integrating Supervisory Control And Data Acquisition (SCADA) security
  • Maintaining a repository of vulnerabilities.
  • Preparing an aggregate level security baseline of the sector and tracking its controls.
  • Devising audit parameters for threat preparedness and developing cyber-insurance products.
  • Digital Payments: Mapping and modelling of devices and platforms deployed, supply chain, transacting entities, payment flows, interfaces and data exchange.
  • State-Level Cyber Security: Developing state-level cybersecurity policies,
  • Allocation of dedicated funds,
  • Critical scrutiny of digitization plans,
  • Guidelines for security architecture, operations, and governance.
  • Security of Small And Medium Businesses: Policy intervention in cybersecurity granting incentives for a higher level of cybersecurity preparedness.
  • Developing security standards, frameworks, and architectures for the adoption of the Internet of Things (IoT) and industrialisation.
