‘Policy on reporting cyber vulnerabilities is flawed’

India’s new policy on reporting cyber vulnerabilities is deleterious. Cybersecurity researchers and ethical hackers say it effectively discourages them from reporting these vulnerabilities because their actions could be misconstrued as an offence under the IT Act, 2000.

For the unversed, vulnerabilities are weaknesses in an organisation’s IT security system that can be exploited by cybercriminals to steal and leak data confidential data. Independent experts either bring these to the notice of the companies or report it to Computer Emergency Response Team-India (CERT-In), which is the nodal agency to deal with cybersecurity threats and to strengthen the Internet domain in India.

What’s the issue?

The contention is over Clause 7 of the Responsible Vulnerability Disclosure and Coordination Policy, released by CERT-In on September 3.

According to the clause, the reporting party must “comply with all the extant laws” like the IT Act, Section 43, which bars unauthorised access to systems. while Section 66 prescribes the corresponding punishment (jail and/or fine).

“Independent security experts may gain unauthorised access to a network when probing a system but they do so to study the vulnerabilities. So while their intent is not malicious, it could be seen as wrong under the IT Act, which is what this policy reinstates,” explains Rohin Garg of Internet Freedom Foundation (IFF), a New Delhi NGO that works to defend digital rights.

IFF has, thus, written to CERT-In to amend the said clause. It has asked for provisions to exempt hackers reporting genuine security flaws, and to also specify what is unauthorised access and what is not, in clear terms. “We haven’t received a response yet,” informs Rohin, a policy counsel of regulation and social welfare.

‘Protect cybersec experts, don’t persecute’

Benild Joseph says ethical hackers like him expose vulnerabilities because they are passionate about data security and privacy, and the least they expect is a word of appreciation and acknowledgement from the organisation concerned. Some companies, however, do offer monetary rewards under the ‘Bug Bounty Program’.

“In the MobiKwik case, the company did not respond to the alert sent by the ethical hacker, so he reported the vulnerabilities on social media for the public good,” Joseph gives an example. The Gurugram startup denied the data hacking and snubbed the hacker as attention-seeking.

Likewise, in 2019, US security journalist Dissent Doe discovered that 1to1Help, a wellness company in Bengaluru, was leaking patients’ private counselling data. The company has filed a lawsuit against him in the Bangalore City Civil Court. Given that data breach incidents are rising (box) and more companies have gone online since the pandemic, India needs a legislation that protects cybersecurity researchers, whistle blowers and ethical hackers from legal intimidation, he feels.

In the absence of a robust disclosure mechanism that values and rewards digital security experts, the Dark Web — an online marketplace for selling confidential data — is thriving. “It’s almost a 5 million dollar industry,” Benild points out.

“The number of vulnerabilities that get reported are far fewer because cybersec researchers fear legal action. The policy is furthering that climate of hesitancy,” Rohin speaks from the anecdotal evidence.

Pranav Manjesh Bidare, policy officer at The Centre for Internet and Society, Bengaluru, says companies must not fear vulnerability disclosures. “They think that if a word about a vulnerability in their system goes out, their stock prices will fall. Instead, they should be

transparent with their users. It will build loyalty.”

He has another concern. “The policy is adopting a multi-stakeholder approach, in that it will try to balance the interests of the company, consumers and cybersecurity experts. This leaves a lot of room for compromise, where a company can get away without fixing their vulnerabilities. But courts don’t follow this approach — they stick to the law,” he says.

A look at recent data breaches in India

In Aug 2021, around 5,00,000 records of Pine Labs were hacked. Bengaluru-based retail transaction tech company denies the claims.

In May 2021, data of 180 million orders of Domino’s India were leaked on the Dark Web.

In Mar 2021, data of around 10,000 MobiKwik users were put on sale on the Dark Web.

In Feb, 2021, data of 4.5 million passengers of Air India were leaked.

In Nov 2020, data of around 20 million users of Bengaluru-headquartered BigBasket was hacked.

In Jan 2020, Bengaluru-based Unacademy confirmed a data breach of over 20 million user accounts.

30 data breaches were reported to CERT-In in Jan-June, 2021, according to an RTI.