Proposed CERT for Financial Sector (CERT-FIN)… Will it create an efficient organization?

The Working Group under the Chairmanship of  the Director General of CERT-IN constituted to study and submit the recommendations on the setting up of a Computer Emergency Response Team (CERT) exclusively for the Financial Sector in India covering Banks, Fintech Industry, BFSI sector, Stock Market Sector, the Pension Fund sector etc, has submitted its report and sought comments from the stake holders including Public before 31st of July 2017. The comments can be sent by email to surjith.k@nic.in or sent by hard copy to Shri Surjith Karthikeyan, Deputy Director (FSDC), Department of Economic Affairs, Ministry of Finance, Room No 269, North Block, New Delhi 110001.

A Copy of the report along with the press note is available here.


A brief discussion of the report with immediate comments are available below.

Organization:

  1.  CERT-FIN will be set up as a Section 8 Company with financial contributions from the industry. It will be guided by an “Advisory Board” for providing strategic direction as well as for reviewing its performance and for allocation of budget/resources.
  2. There will also be a Governing body with nominees of shareholding institutions.
  3. RBI will act as a “Lead Regulator” for setting up CERT-Fin.
  4. CERT-Fin will be acting a “Sectoral CERT” for the Financial Services industry and will be an umbrella organization for the industry.
  5. Additionally, “Sub Sectoral CERTs” may be set up for sub sectors within each of the regulators such as RBI, SEBI, IRDAI and  PFDRA .
  6. CERT-FIN itself will be working under a contractual arrangement with CERT-In and in turn have contractual arrangement with other sub sectoral CERTs.
  7. Cert-Fin will be jointly funded by all financial sector regulators.

Comments 1 (Organization of CERT-FIN):

The suggested set up indicates that where today there is one CERT in the form of CERT-In, now there will be a total of Five or Six organizations called “CERT” s just for covering one sector namely the Financial sector.

Further, a precedence is being set up that each regulator will have its own CERT which will function as if it is a department of the regulator.

The suggested set up apart from proliferating the number of entities will create issues in inter CERT information sharing the way some times the intelligence agencies at the Central and State level face.

It appears that each regulator wants to keep the control on the players in their domain. In other words, IRDAI does not want to share security incident information in say an Insurance Company with RBI and SEBI does not want to share the security incident information with PFDRA and so on. Each regulator is protecting his turf.

Further the CERT-Fin  will be a figure-head  which will be governed by a Board of Directors and directed by two super management bodies firstly a “Governing Body” and secondly ” An Advisory Body”.

Under the Company’s Act, any body that can set guidelines to the Board and control its budget is considered “Ultra-Vires” the Company’s act since the Board has to be supreme. Legal debate may therefore be necessary for the Advisory Body to be what it is suggested to be.

The entire set up is a recipe for inefficiency, infighting and increased cost.

At present, CERT-In has the legal powers to be the nodal agency for all information security issues. This itself has been diluted with NCIIPC (National Critical Information Infrastructure Protection Center) which is the second nodal agency under Section 70A of ITA 2000.

There is no doubt that there is a lot of work to do in Cyber Security work in the country and it requires a huge manpower. But the best way to start the work is with a proper structuring of the control organization. What is now shaping up is certainly not appearing to be an ideal set up.

Given that the “Advisory Body” will control the budget and also give operational directions, the CERT-FIN will be a puppet. I pity the CEO who is likely to head this organization which on the face of it appear to be a very prestigious entity. Any CISO worth his name will think twice before accepting the responsibility.

The suggested structure is also creating a precedent where by tomorrow there will be demand for one CERT for Airlines, One CERT for Surface Transport, certainly one CERT for GST, One CERT for the Army, One for Airforce and one for Navy and so on and ultimately atleast one CERTs for each of the ministries. Then a question will be raised why not one CERT for each State and it will be a big mess difficult to untangle.

I strongly suggest that this needs to be thought over once again.

Presently RBI already has an IT division and IDRBT exists as an organization with some experience in managing critical networks. Some how these departments are being bypassed and additional 5 organizations are being created.

We are aware that out of these regulators, Except RBI and perhaps SEBI other regulators donot have much exposure to IT itself and let alone Information Security. IRDAI is just now learning how to use IT for Insurance Business. PFDRA is a much more recent organization and not much is known about its IT capability.

Also when an CERT-FIN is funded by the stake holders and the same stake holders become part of the Advisory group and share holder’s meeting, it is effectively a set up where the “Controlled End up as the Controller”. There will be no hard decisions taken in such a body and all security decisions will be subordinated to the commercial interests of the funding agencies. We find that even now RBI is often not able to assert itself against Big Banks though the legal structure is in favour of the RBI. In the proposed set up of the CERT-FIN, there will be no control for the FIN CERT Management on its own existence and hence they will have to follow the diktats of the supporting organizations whose security postures need to be challenged by the CERT-FIN

CERT-In itself for whatever it has done or not done in the last 16 years after ITA 2000 and 8 years after ITA 2008, has gathered valuable experience from which it can manage things better than the five new CERTs that are being created.

There is no doubt that domain expertise may be lacking in CERT In today for different sectors. But keeping the current structure, one can build four different Directors reporting to the Director General and each such Director can be provided with a domain expertise support from sub-sectoral-advisory groups/Committees and such an organization should be far more effective under a unified command.

For effective management of the security of the Cyber world, a “Unified Command” is most essential. The only division that can be considered is one such command for the military and one for the civil society and further sector wise division should not be made to create parallel organizations.

Additionally CERT-In has to be liberated from the  Meity and made into an independent entity in true spirit with a separate building and budget. It should be separated in body and mind from the current set up. 

We observe that currently, even the controller of certifying Authority which is a statutorily independent body,functions just like a department of Meity.

Because CERT-In contains the word “Team” in its name, it is being treated as if it is an informal group within the mighty MeitY. This has to change if Cyber Security should be managed properly.

Security and Functionality are two different aspects of IT management. While Meity needs to handle Digital India promotion, CERT-IN needs to put the checks and balances so that technology does not become a run away horse.

Even in a corporate environment we know that unless the CISO is liberated from the CTO and made to report directly to the Board, he cannot discharge his duties properly.

Similarly CERT-In which is the apex quasi judicial authority mandated to manage the Cyber Security of the country needs to be treated as an independent organization and report directly to the PMO.

Any other structure is not only inefficient but also dysfunctional.

A Suggestion

The Government of India should call for an informal meeting of Management Experts from the private sector and discuss some of the specific aspects of managerial challenges that the proposed structure may create as raised here and just listen to the management Gurus before proceeding further. I also request relevant academic institutions such as IIMs, IIITs, NLSUI, NALSAR etc to conduct symposia on CERT-FIN and submit free and voluntary suggestions to the Government on how the organization could be structured for better coordination and effect.

(The discussion will continue in the next article)

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

2 Responses to Proposed CERT for Financial Sector (CERT-FIN)… Will it create an efficient organization?

  1. Ra Vijay says:

    Creating a turf of information related to incidents is all about being privy. However, in the interest of the nation, at least information which is deprived of organization specific content should eb shared between CERT’s. This will ensure quick action, before an eventuality s met in another sector.

  2. Give point wise other related
    information

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.