CERT-In: Is It Fulfilling Its Mission? Sizing Up Activities of India's Computer Emergency Response Team
India's Computer Emergency Response Team, CERT-In, gets active when there's a parliament session going on and it must prepare some figures to document the rising cybersecurity incidents in India. But the statistics usually leave us with much ambiguity.
In its most recent report to parliament, CERT-In said there were more than 8,000 incidents of website hacking reported in India between January and March. It also reported that cybersecurity incidents, including phishing, scanning, malicious code, website intrusion, denial-of-service, and others, totaled 41,319 in 2013; 44,319 in 2014; 49,455 in 2015; and 14,356 for the first three months of 2016 (see: How to Tackle the Growth of Cybercrime).
CERT-In did not provide any clarity on how the agency arrived at these numbers, what they actually indicate or what can be done to address growing cyber threats (see: Assessing Government's War on Cybercrime).
Information Security Media Group repeatedly reached out to CERT-In authorities to gain more information, but received no response.
The Numbers Game
The cybersecurity incident data from CERT-In likely comes up way short of the actual total because so many incidents are never reported. The absence of a breach notification law means many organizations choose not to tell authorities they've been breached.
"Other than being able to 'shock and awe' people who are listening to it, these numbers really don't serve much purpose," says Dinesh O Bareja, COO, Open Security Alliance, an advisory and consulting services firm.
Some cybersecurity experts are skeptical about CERT-In's data collection mechanism. "I doubt if CERT-In has a proactive collection mechanism for data on attacks," says S. Ravichandran, a cybercrime investigator based in Coimbatore. "It has to get the information from the victim before it acts. A great majority of the corporate and website owners are not aware of CERT-In's existence, let alone its role in cybersecurity."
Several other security experts I spoke to are skeptical about the agency's methodologies and contend that the agency simply lumps all numbers together, without really differentiating them based on impact. For example, given the high number of website hacks CERT-In reports, many are likely defacements, which don't represent a major security threat. It's far more important to know more details about the number of major data breaches and DDoS attacks.
CERT-In's annual reports, which usually provide further details and clarity on attacks, never come out on time. The latest report available on its website covers 2014. With the threat landscape evolving at a rapid pace, a two-year-old report isn't very useful. CISOs, more often than not, rely instead on reports produced by third-party vendors, who proactively share data well before CERT-In publishes it.
CERT-In Fulfilling its Mission?
The role of CERT-In is to help protect India from cyber threats, build awareness of emerging threats and provide solutions for recovering from such attacks. Its mission also includes investigating and acting upon requests to block websites that violate Indian law, creating a cybersecurity policy for India, promoting information security studies and creating standards for the industry.
Some cybersecurity experts contend that CERT-In has made inadequate progress in achieving its goals. Critics also underscore a clear need for CERT-In to move beyond formulation of policies and reporting of data to actually executing its policies and developing an effective incident response mechanism.
A resource crunch at the agency could be a major issue that needs to be overcome. Nevertheless, CISOs I spoke with expressed discontent. They want CERT-In to come up with an effective intelligence gathering mechanism and pre-emptive threat intelligence. And they want it to issue real-time alerts, guidelines and emergency measures.
CERT-In also needs to ensure that its empaneled security auditors do a good job when conducting vulnerability assessment and penetration testing audits of the websites and networks of corporate and government organizations. It's time for CERT-In to review its auditing process and issue stringent guidelines to all critical sector organizations (see: What's Wrong with CERT-In's Empanelment Guidelines?).
I encourage CERT-In to publicly respond to its critics and provide more information on its activities. And I invite you to share your expectations for CERT-In by commenting in the space below.