Don’t penalise cybersecurity researchers!

On CERT-IN’s new Vulnerability Disclosure Policy

tl;dr

We wrote to the Indian Computer Emergency Response Team regarding a provision in their new Responsible Vulnerability Disclosure and Coordination Policy that penalises cybersecurity researchers for vulnerability disclosures. In our representation, we highlighted how such provisions would create an atmosphere in which researchers would be reluctant about reporting vulnerabilities and recommended that a robust disclosure mechanism be implemented that protects researchers from harm.

Background

Cybersecurity researchers in India have long faced threats for their work. Previously, we had highlighted the example of journalist Dissent Doe, who was sued for disclosing a leak in client data. A more recent incident is the case of the Mobikwik data breach earlier in March this year, in which Mobikwik threatened to take legal action against the security researcher who uncovered the breach and suggested that the researcher was ‘trying to grab media attention’. We have written about the need to protect cybersecurity researchers before: our submissions on the National Cyber Security Policy and the Personal Data Protection Bill, 2019 contain granular recommendations on how to build a robust and transparent system for vulnerability reporting. Through our #DataProtectionTop10 series, we have further elucidated how the Personal Data Protection Bill, 2019 fails to adequately protect whistleblowers, digital security researchers, and vulnerability testers.

On 3rd September, 2021, the Indian Computer Emergency Response Team (CERT-IN) released its new ‘Responsible Vulnerability Disclosure and Coordination Policy’ with an aim to strengthen trust in the ‘Digital India’ and ‘Make in India’ campaigns, and to encourage responsible vulnerability research. The Policy provides information about where cybersecurity vulnerabilities in products and services can be reported, the details expected in vulnerability reporting, the procedure by which CERT-IN will examine and act upon such reports, and the timelines for resolving issues.

Now, while the Policy furthers transparency (to an extent) and clarifies the process of reporting to CERT-IN, it does contain a significant issue: the Policy effectively discourages the reporting of vulnerabilities! Clause 7 of the Policy states that:

“The reporting party must ensure to comply with all the extant laws and regulations while discovering the vulnerabilities. Reporting a vulnerability to CERT-In does not imply being exempt from compliance. Discloser shall be responsible for any action performed by her / him for discovering the vulnerability whatsoever”.

Penalising good faith disclosures

Such provisions contribute to a disclosure regime in which security researchers would be liable under the Information Technology Act, 2000 (‘IT Act’), and are penalised for disclosures of genuine security vulnerabilities. Section 43 of the IT Act penalises anyone who gains unauthorised access to a computer resource without permission of the owner, and so fails to draw a distinction between malicious hackers and ethical security researchers. Thus, even when researchers have acted in good faith, they may be charged under the IT Act. As we have mentioned earlier, companies have exploited this loophole in the said provision to press charges against cybersecurity researchers who expose data breaches in their companies. The Personal Data Protection Bill, 2019, currently being considered by a Joint Parliamentary Committee, also fails to protect security researchers and whistleblowers. All of this leads to situations in which researchers are reluctant to report vulnerabilities for fear of being sued.

Clause 7 of the Policy is also in conflict with the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (‘2013 IT Rules’), which adopt a cooperative and collaborative approach. Rule 10 requires CERT-IN to interact with stakeholders, including research organisations and security experts, for preventing cyber security incidents. Under Rule 11(2), CERT-IN is obligated to collaborate with, among others, organisations and individuals engaged in preventing and protecting against cyber security attacks. Thus, by imposing complete and sole responsibility on cyber security researchers for actions undertaken during the discovery of a vulnerability, the Policy is in conflict with the collaborative spirit of the 2013 IT Rules and so is a genuine impediment to effective collaboration.

Growing need for improved security

Digital security researchers and vulnerability testers are an important class of people in the cybersecurity arena. With our increased dependence on technology, data breaches have become the order of the day. We often come to know about these data breaches not from the data fiduciaries, but from independent researchers. For example, the Mobikwik data breach and the Facebook data breach reported earlier this year were brought into light not by the companies themselves but by independent researchers.

The importance of cyber security researchers is further underlined by the increase in data breaches and security incidents. Research conducted by Micro Focus shows that Indian organisations have seen a 58.2% increase in the volume of cyberthreats. Moreover, February 2021 witnessed a mammoth 9.04 million brute force attacks, compared to 1.3 million in February 2020. The study by Micro Focus also shows that 98% of Indian organisations have a shortage of IT Security Personnel, in violation of applicable law. As the COVID-19 pandemic causes more aspects of modern life to go digital, the threat, and indeed incidence, of such attacks will only rise further.

The economic impact of data breaches is also tremendous. An IBM study reported that the average data breach in India in 2021 cost Rs 16.5 crore, an increase of 17.8% from 2020 (Rs 14 crore). The per-unit data cost increased by 6.85% to Rs 5,900. The report also noted that the average time to detect a breach went up from 230 days to 239 days, while the average time to contain a breach went down from 83 to 81 days. This indicates a significant amount of information and data loss for users.

Protect cybersecurity researchers now!

It is imperative that CERT-IN’s vulnerability disclosure policy reflect the urgent need for a robust vulnerability reporting mechanism that protects vulnerability researchers from harm. To this end, we recommended that clause 7 of the Policy be amended, and that an explicit provision protecting genuine security disclosures from vexatious legal claims and proceedings be specified. This must be complemented by adding a narrowly tailored good faith exemption for security researchers to the Schedule of the Personal Data Protection Bill, 2019.

Important documents

  1. CERT-IN’s Responsible Vulnerability Disclosure and Coordination Policy (link)
  2. IFF’s representation to CERT-IN regarding ‘CERT-IN’s Responsible Vulnerability Disclosure and Coordination Policy’ (link)
  3. IFF’s submissions on the national Cyber Security Policy (link)
  4. IFF’s Public Brief on the Personal Data Protection Bill, 2019 (link)
  5. Previous blogpost titled ‘Security researchers need legislative protection for responsible disclosure’ dated 15th January, 2020 (link)
  6. Previous blogpost titled ‘#DataProtectionTop10: Protecting whistleblowers, digital security researchers, and vulnerability testers’ dated 4th June, 2021 (link)