CERT-In responded to our representation about the issues with their Responsible Vulnerability Disclosure and Coordination Policy, explaining that the Policy is an executive decision and so must follow the existing provisions of the law. In light of this, we have written to MeitY, asking them to amend the Information Technology Act, 2000 to provide a safe harbour for genuine security researchers.
On 3rd September 2021, the Indian Computer Emergency Response Team (CERT-In) released its new ‘Responsible Vulnerability Disclosure and Coordination Policy’ with the aim of strengthening trust in the ‘Digital India’ and ‘Make in India’ campaigns, and encouraging responsible vulnerability research. The Policy provides information about where cybersecurity vulnerabilities in products and services can be reported, the details expected in vulnerability reporting, the procedure by which CERT-In will examine and act upon such reports, and the timelines for resolving issues.
However, the Policy effectively discourages the reporting of vulnerabilities! Clause 7 of the Policy states that: “The reporting party must ensure to comply with all the extant laws and regulations while discovering the vulnerabilities. Reporting a vulnerability to CERT-In does not imply being exempt from compliance. Discloser shall be responsible for any action performed by her/him for discovering the vulnerability whatsoever”.
In response to this, we wrote to CERT-In on 13th October 2021 indicating our concerns about this provision. In our representation, we highlighted that such a policy may lead to a regulatory regime in which genuine security researchers may be penalised for disclosures. We also stated that Clause 7 of the Policy may be in conflict with the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013, which adopt a more cooperative and collaborative approach to vulnerability disclosures.
On 26th October 2021, CERT-In responded to our representation. In their response, CERT-In stated that the Policy was an executive decision of CERT-In taken in consonance with section 70B(4) of the Information Technology Act, 2000 (IT Act), and so, “the policy is non-statutory in nature and not a law itself”, with the provisions of clause 7 more akin to a “disclaimer”.
Further, CERT-In argued that it “cannot own the responsibility nor is competent to exempt anyone from legal obligations”, and that the Policy “is not legally capable to cause any modification to the provisions of applicable law”. Thus, CERT-In suggested that we take this matter up with the Cyber Law Division of the Ministry of Electronics and Information Technology.
We thank CERT-In for their response to our representation. We acknowledge the arguments made by CERT-In and appreciate the statutory limits by which CERT-In is bound. Accordingly, it is imperative that MeitY consider suitable amendments to the IT Act and also look towards making suitable policy and regulatory frameworks for vulnerability disclosures.
Urgent amendments needed
An IBM study reported that the average data breach in India cost 16.5 crores INR, an increase of 17.85% from 2020. The report also noted that the average time to detect a breach increased from 230 days to 239 days, while the average time taken to contain a breach reduced from 83 to 81 days. This indicates a significant amount of information and data loss for users.
It is also important to note that several data breaches are not discovered and/or disclosed by the data fiduciaries but rather by independent digital security researchers. Previously, several independent digital security researchers and news organisations reported that a large amount of data (over 8.2 TB in size) of MobiKwik users was put on sale over the dark web; a similar breach of the personal data of more than 50 crore Facebook users, including over 60 lakh Indian Facebook users, was reported by several researchers. Thus, there is a clear need to provide these researchers with legal safeguards.
We have previously highlighted this legal lacuna in an earlier submission to MeitY dated 3rd June 2020, as well as in our comments on the National Cyber Security Strategy 2020 dated 13th January 2020 and our submissions to the Joint Parliamentary Committee (JPC) on the Personal Data Protection Bill, 2019.
Thus, we believe that MeitY must urgently consider amending section 43 of the IT Act to prevent data fiduciaries from bringing vexatious legal claims and proceedings against vulnerability testers and cyber security experts. Additionally, we recommend that MeitY offer its inputs to the JPC on the Personal Data Protection Bill, 2019 so that the Schedule to the Bill can be amended to include narrowly tailored good faith exceptions for vulnerability testers and cyber security experts.
In addition to this, MeitY may consider offering rewards and recognition to genuine cyber security researchers for upholding and securing our national interest, and, to this end, bug bounty programmes and responsible vulnerability disclosure mechanisms need to be adopted by the government and its agencies.
- CERT-In’s Responsible Vulnerability Disclosure and Coordination Policy (link)
- IFF’s representation to CERT-In regarding ‘CERT-In’s Responsible Vulnerability Disclosure and Coordination Policy’ dated 13th October 2021 (link)
- CERT-In’s response to IFF’s representation dated 26th October 2021 (link)
- IFF’s representation to the Ministry of Electronics and Information Technology (link)