We have discussed some aspects of the organizational structure for the proposed CERT-Fin in our previous article (See here).
Let’s now see some of the other aspects of the report on which public comments can be submitted up to July 31, 2017.
The scope of activities of the CERT-Fin will be defined by MOUs that will be signed between CERT-In and the CERT-Fin as well as between CERT-Fin and its sub-sectoral CERTs such as CERT-RBI, CERT-SEBI, CERT-IRDAI, CERT-PFRDA etc.
Presently the functions of CERT-In are defined under ITA 2008, and similar obligations and powers need to be bestowed on the sectoral CERTs, with some oversight responsibility being retained with CERT-In.
The core mission of the CERT-Fin would be to provide support to the stakeholding organizations in identifying cyber threats and vulnerabilities so that the cyber risks can be mitigated. This can be achieved by disseminating to the stakeholders, on a real-time basis, threat information collected from global sources and from its own research.
Simultaneously, there could be regulatory responsibilities which may include providing directions to the stakeholders on security matters and pulling them up if required.
The statutory powers vested with CERT-In cannot be transferred to the sectoral CERTs, including CERT-Fin, and at best these CERTs may be allowed to make recommendations to CERT-In for regulatory sanctions on an erring stakeholder.
According to the report, the following are listed as the activities of the CERT-Fin:
1) Analysis of financial sector cyber incidents and reporting the incidents to CERT-In including
i) Collection, analysis & dissemination of information on cyber incidents.
ii) Forecast and alerts on cyber security incidents.
iii) Emergency measures on cyber security incidents.
iv) Coordination for cyber incident response activities.
v) Issue guidelines, advisories, vulnerability notes and white papers relating to information security.
vi) Monitor sectoral efforts in the financial sector towards maintaining a dynamic and modern cyber security architecture, and developing awareness amongst regulated entities and the public in general.
vii) Such other functions relating to cyber security in the financial sector as may be prescribed.
2) Create awareness on security issues through its website and a 24x7 incident response helpdesk.
3) Provide Incident Prevention and Response Services and Security Quality Management Services
4) Offer policy suggestions for strengthening financial sector cyber security to all stakeholders including regulators/Government
5) Conduct workshops for employees of the sector and public if necessary through public-private partnership
6) Provide seamless integration for information dissemination to other nodal agencies using standard protocols.
7) Develop its own research capability to identify threat information, which essentially means that it should maintain its own honeypot and SOC and have the ability to collect, process and add value to threat intelligence.
8) Facilitate quality training and certification programs, including online programs, in the cyber security area; develop manpower and expertise in cyber security product development, cyber operations, etc.
9) Collaborate with academic institutions such as IITs and IISc to chart out the long term plan for Cyber Security infrastructure in the Indian context.
10) Develop Critical manpower infrastructure to improve employability of youth at the bottom of the pyramid by designing proper courses.
11) Identify “Protected Systems” in the sector (under Section 70 of ITA 2008)
12) Develop an international Interface with tie ups with various financial CERTs operating internationally to adopt international best practices in its functioning.
13) A standing technical sub-committee to be established to ensure collaboration with TEL-CERT (the new CERT for the telecom sector) for a continuous flow of information.
14) Coordinate efforts at rendering the financial infrastructure secure through measures including cyber risk insurance.
The report suggests that apart from placing the report in public domain for comments, workshops can be held with all stakeholders and scholars specialized in the area of Cyber Security, leading academic and technology institutions for feedback.
The proposed scope of activities for the CERT-Fin is fairly comprehensive and completely welcome.
However, keeping in mind our previous observations on the merit of a “Unified Command” for better cyber security management, and the need to prevent the cyber security functions from being subsumed within the functional responsibilities of the individual regulators (which would subordinate the security objectives to other functional objectives), it is essential that most of the above responsibilities be kept with CERT-In itself.
If CERT-Fin tries to become a complete CERT in itself, including an international interface, management of a SOC for the industry, research through honeypots, etc., its core competence, which is liaising with the industry stakeholders, may go underutilized. There will be needless duplication of effort and dilution of the objectives.
It is therefore suggested that CERT-Fin should focus on supporting the objectives of CERT-In as an accessory to CERT-In (a role that the report itself reflects in the CERT-Fin responsibilities listed above), rather than doing all of it on its own.
What this could mean is to re-invent CERT-In itself as a Section 8 company, enrol representatives of each of the financial sector regulators into its governing body, create CEOs for each sector with appropriate domain expertise, and run the entire operations of CERT-Fin as an integral part of CERT-In, outside the direct control of the individual regulators. This new CERT-In should report directly to the PMO and share intelligence space with the Police and Military, since cyber issues are today part of any cyber terrorism or cyber war strategy.
The working group has failed to underscore the risk of “Imported Hardware and Software” used in the IT infrastructure and the need for quick indigenisation.
The “Research” is therefore also required on “Unraveling the hidden code” in hardware and software that is embedded in our devices and analyzing them from the security perspective.
It must be recalled here, as a matter of caution, that the last time an attempt was made to have “Security Certification for Telecom Equipment”, a committee headed by the IISc director and having representation from the CERT-In director was formed. However, its operations were sponsored by none other than a leading Chinese telecom equipment supplier, indicating a complete absence of security precaution to avoid conflict-of-interest situations.
We should not make a similar mistake now, and the core operations of CERT-In should be funded directly from the budget by Parliament, carved out as part of the national defence expenditure.
CERT-Fin may raise funding from its stakeholders and use it for its outreach activities such as education, etc., and so reduce the burden on the exchequer. However, any funding or sponsorship of the core activities of CERT-In or any other CERT organization by the stakeholders themselves is not a good idea and should be revisited.
P.S.: The above comments are meant to stimulate further thought among the public so that they can provide their own feedback on the working group report. I hope it would be useful for this purpose.
It is made clear that the observations are not meant in any way to undermine the great effort that has gone into the preparation of this report, and the effort deserves a high degree of praise.
I will be forwarding these thoughts also as my observations on the report. I urge readers to also send their observations without fail.
We appreciate the public consultation effort and ensure that it becomes useful to the decision makers so that this practice continues.
Instead of remaining silent and later coming up with criticisms, it is necessary for the civil society to respond now, even if some of the early reactions may be wrong for lack of adequate research.
Naavi