header
Tech

Why CERT-IN’s Investigation Into Apple Security Notifications Is Going Nowhere

A bureaucratic body under MeitY, CERT-IN is clearly not an independent institution and has no history of actually conducting serious forensic audits.

India is rapidly digitising. There are good things and bad, speed-bumps on the way and caveats to be mindful of. The weekly column Terminal focuses on all that is connected and is not – on digital issues, policy, ideas and themes dominating the conversation in India and the world.

The Indian Computer Emergency Response Team (CERT-IN) has been tasked to make Apple explain the security notifications on “state-sponsored” attacks early this month, but can it follow through with due process and actually do its job? CERT-IN’s mandate is to provide response to computer emergencies under India’s Information Technology Act. It has never delivered on this promise and has become yet another government agency sleeping on its job.

The security notifications sent by Apple to several Members of Parliament, politicians, journalists and others has raised concerns yet again of unregulated surveillance activities by India’s intelligence agencies. Apple’s security notifications point towards state-sponsored actors and, for the sake of argument, could mean any nation state including an enemy state out there, making it a classic case of computer emergency.

The Ministry of Electronics and Information Technology (MeitY) has written a letter to Apple asking the firm to cooperate with CERT-IN and Apple has co-operated by bringing in its experts to work with CERT-IN. CERT-IN guidelines mandate that every organisation must report security incidents within six hours of the incident and Apple was reminded of this. Apple clearly has not followed this, violating some of CERT-IN’s rules.

CERT-IN similarly sent notices to WhatsApp in 2019, when WhatsApp alerted select individuals of being targeted by Pegasus. WhatsApp notified CERT-IN about the security issue in its systems without giving further details of people early into its incident response, even before it notified people who were affected. CERT-IN did not follow through on the issue until the scale of it was publicly disclosed by WhatsApp.

An Indian Express report about the investigation into Apple’s security notifications pointed out how CERT-IN is now investigating Chinese government-linked agencies, as the place of production of most iPhones is China. CERT-IN is now investigating which nation state actor could be behind these attacks, while the minister for electronics and information technology denied it could be Indian agencies and rubbished the opposition for the claims.

CERT-IN’s past actions show us that these notices that it issues to private companies have never been translated into any meaningful regulatory actions. Neither did CERT-IN follow through with WhatsApp about Pegasus, nor did it carry out an independent investigation which most cyber security agencies in different countries carried out. As a regulatory body responsible for cyber security, CERT-IN has never investigated any data breaches, nor has it provided any actual incident response.

Also read: Seizing Devices Needs Due Process. So Does Remote Accessing Via Spyware

A bureaucratic body under MeitY, CERT-IN is clearly not an independent institution and has no history of actually conducting serious forensic audits. The organisational capacity to even conduct an investigation necessary for state-sponsored attacks is probably not available to CERT-IN. Most of CERT-IN’s capacity is within India’s privately regulated cybersecurity industry. CERT-IN decides who can conduct cybersecurity audits by empanelling private organisations.

From a digital evidence perspective, no private organisation’s forensics are considered valid unless that organisation is empanelled by CERT-IN. This gives CERT-IN and the Government of India more power to reject any forensic evidence just because the organisations ‘can’t be trusted’. Even if Apple provides evidence there were indeed state-sponsored attacks, with no actual conclusive proofs attributing exact actors, Indian authorities are likely to reject it or deflect the blame.

It has been a long pending demand for CERT-IN to actually conduct forensic investigations of cyber incidents and to publish its findings. The only major reports that are published by CERT-IN are its annual reports with details of its activities like training and workshops it has conducted. As a cybersecurity regulator, CERT-IN is as bad as the rest of the regulators in the country, with no interest in seriously regulating the sector.

For the sake of argument, if it were indeed Chinese actors who were involved in targeting the Indian opposition and journalists, even then CERT-IN has no capacity to respond to this. The National Critical Information Infrastructure Protection Centre (NCIIPC), a unit of the National Technical Research Organisation (NTRO), has relatively more experience in tackling nation state actors targeting our critical infrastructure. When it comes to cybersecurity, NCIIPC still responds to threats and provides incident response, which CERT-IN has largely ignored.

While the CERT-IN is basically a regulatory organisation responsible for directing the industry to adopt cybersecurity practices, NCIIPC is more of a hands-on organisation that has in-house capacity to handle threats. If the Government of India is really serious about addressing nation state actors targeting Indians and is concerned with the safety of Members of Parliament and others, it would comprehensively address this problem.

Also read: Apple Is Not the First Tech Company To Allege Government Role in Misuse of Spyware

India needs more transparency on how its security apparatus and its regulators operate. This is unlikely to happen by itself and with the parliament and its committees unable to function under the current political climate, one needs to wait for political change. One could only hope that actually happens and the situation doesn’t get worse with the usage of state surveillance against the opposition.

For the people who have been affected by this and want more answers from Apple, it is unlikely to be revealed in India. If one is looking to follow through on this and want Apple to provide more details, they should legally proceed against Apple in the United States. Any litigation around this in India is unlikely to result in any positive response from any of the actors. Apple sued the NSO Group in the US for targeting its users and to curb abuse of nation state actors. If Apple is really serious about the privacy of its users, it will respond positively and give further details, but may be unlikely to do so in India with pressure from Indian authorities.

Srinivas Kodali is a researcher on digitisation and a hacktivist.