CERT-IN Goes Exempt From RTI Amid Apple Investigation and FinMin Server Breach

The Indian security establishment has always followed a security-through-secrecy model. CERT-IN is also being fitted into that model, where no information is shared with anyone outside the security industry.

The Indian Computer Emergency Response Team (CERT-IN) is now officially exempt under the Right to Information Act, according to a report from The Hindu. This development is happening amidst CERT-IN’s active investigation into Apple security notifications and newer data breaches and security incidents that are being reported every week. CERT-IN as a cyber security regulator has been non-performing – and with exemptions under RTI, it will be even harder to demand transparency from an already secretive organisation.

This week saw multiple cyber security incidents, with an anonymous official telling The Indian Express that a virus was likely the cause behind Apple’s security notifications. There is no reasoning or proof for this claim from CERT-IN, which has never shared any forensic reports in the past either. Exemption from RTI now makes it even harder for people to demand documentation to this effect from CERT-IN.

Despite the continuous data breaches reported in the past, CERT-IN was never serious about providing a response to cybersecurity incidents. A report by the Economic Times claimed Taj Hotels suffered a data breach affecting 1.5 million customers, with the threat actor putting the data up for sale on BreachForums, a dark web marketplace. CERT-IN has been made aware of this incident, but what it does to handle it will remain unknown, just like the previous data breaches it never responded to.

Amid all of these incidents, there is yet another actor claiming to be selling backdoor access to the finance ministry web server. A screenshot shared by DailyDarkWeb shows a threat actor listing details of the Linux server and its storage capacity, selling access to it for $2,500. While many breaches are reported on various marketplaces across the web, CERT-IN is missing in action in responding to these incidents.

Even if CERT-IN has the intent to respond to these incidents, it has neither the resources nor the personnel to do so. Because CERT-IN regulates the industry at large by empanelling cyber security agencies, all of the cybersecurity expertise sits with the private sector. Without enough funding, it cannot afford the people and tools it needs either.

Recently an organisation approached the Delhi High Court against CERT-IN’s empanelment guidelines and the lack of transparency in the process. The court dismissed the petition, saying it could not get into an extremely technical process such as empanelment and substitute its own conclusion. While the evolution of jurisprudence related to technology is a separate matter in itself, CERT-IN, as the technical expert, effectively determines what would be considered evidence through its hold on empanelment.

While India has the highest number of bug bounty hackers, who routinely report security issues to large organisations across the world, when it comes to CERT-IN they receive practically no response for reporting security incidents. There is no incentive for security researchers to report incidents to CERT-IN. India has all the talent and resources it needs to fix cybersecurity problems, but there is no intent. Security through obscurity does not work well in cyberspace, yet this is what is practised.

The economic landscape of cybersecurity in India is closely linked to CERT-IN and its policies; the state determines how this industry functions, and it wants it to be secretive. Even with the new Digital Personal Data Protection Act 2023, all fines related to data breaches go to the Government of India, removing any incentive for people to report them to a potential Data Protection Board.

A number of these cybersecurity experts are now being hired by private security agencies to provide hack-for-hire services across the globe. Stories of hack-for-hire companies like BellTrox and Appin reveal the links between domestic cybersecurity companies and Indian security establishments like the Intelligence Bureau, RAW, the Ministry of Home Affairs, CBI, ED, Income Tax and the major security organisations.

The Indian security establishment has always followed a security-through-secrecy model, where information is usually hidden from the public. CERT-IN is also being fitted into that model, where no information is shared with anyone outside the security industry. With CERT-IN in charge of responding to security incidents related to spyware, the security establishment needs this organisation to be as secretive as it can get.

With a security agency investigating one of its peers, it is very unlikely that any major updates will emerge in the current setup. It would be wishful thinking to even imagine a scenario where this entire apparatus actually goes through any surveillance reforms. While the demand from the opposition at large has been for transparency and accountability of these intelligence agencies, we are witnessing the opposite, with all the gates of information being closed.

Srinivas Kodali is a researcher on digitisation and a hacktivist.