Cert-In has issued an order that suggests that “Any Individual, “organization” or Corporate entity” affected by Cyber Security Incidents may report the incident to CERT-IN. (Copy of the Order)
However some types of incidents need to be reported mandatorily. The incidents that need to be mandatorily reported are
- Targeted scanning/probing of critical networks/systems
- Compromise of critical systems/information
- Unauthorized access if IT systems/data
- Defacement of website or intrusion into a website and unauthorized changes such as inserting malicious code, links to exerternal websites etc.
- Malicious code attacks such as spreading of virus/worms/Trojans/Botnets/Spyware
- Attacks on servers such as Database, Mai and DNS and network devices such as Routers
- Identity Theft, Spoofing and Phishing attacks
- Denial of Service (DOS) and Distributed Denial of Service (DDOS) attacks
- Attacks on Critical infrastructure, SCADA Systems and Wireess networks
- Attacks on Applications such as E-Governance, E-Commerce etc.
Since the order is being sent to industry associations with an instruction that it should be sent to all major organizations, it appears that this is also meant for the private sector companies (though not specifically mentioned) besides Government departments and corroborates the advertisement that CERT-IN had released recently.
While the intention behind the order is understandable and was under powers available under Section 70B, there is need for more clarity to ensure that the circular is properly interpreted. It was already available under the Section 79 guidelines for intermediaries.
Firstly, the order need to be interpreted as applicable for “Service Providers”, Intermediaries”, “Data Centers” and “Body Corporates” and not to “Any Individual”.
Secondly, the word “attack” could mean both an “attempted attack” and “successful attack.”. Attacks are attempted always on every network and hence it is not possible to report all attempted attacks. The key therefore is to define what is an “Incident”.
Companies may normally define an “Incident” with reference to an adverse event that has the potential to cause either a liability on the organization or disruption of its service.
It is necessary for CERT-In to provide its own definition which is appropriate to its objectives. Otherwise there will be confusion for compliance managers.
Hopefully the clarification would be issued in due course.