CERT-In directions are ambiguous, may pose cybersecurity risk: Zerodha CTO Kailash Nadh

Zerodha’s Chief Technology Officer (CTO) Kailash Nadh has pointed out that several requirements of the Indian Computer Emergency Response Team (CERT-In) directions are ambiguous and that, in fact, a requirement may pose a cyber risk to customers.

This follows a letter that was written to CERT-In’s director general Sanjay Bahl earlier this week, wherein several experts requested the cybersecurity agency to defer implementation of the directions issued on April 28. Nadh, along with others, was a signatory to the letter.

The?directions issued by CERT-In?require service providers to maintain logs of all information and communication technologies (ICT) systems for a period of 180 days. The directions also say that entities have to report cybersecurity incidents within 6 hours to CERT-In.

Service providers also have to register and maintain personal information of subscribers for five years or longer and provide this data to CERT-In if demanded in case of a cybersecurity incident, according to the directons.

Nadh said, “The cybersecurity incident reporting mandate (within 6 hours) ideally should not be uniformly applied to every kind of corporate body. Not all cyber security incidents are the same or have the same risk vector or impact.

“There are countless automated cyber security incidents that happen throughout the day against every system that is online. There needs to be better clarity on how to distinguish and report incidents,” he added.

The Zerodha CTO also pointed out that the mandate to service providers to store customer details may pose a cybersecurity risk.

“The mandate to service providers to store customer details for prolonged periods can in itself pose a cybersecurity risk to customers as such datastores now become attractive targets for attacks. Data minimalism is a valid cybersecurity strategy to be considered,” he said.

Not just cybersecurity risk, the mandate to store customer details have also been criticised as being?a threat to privacy?by several VPN service providers. VPNs such as?Surfshark,?NordVPN,?ExpressVPN?have announced that they will remove their servers from the country in a bid to not comply with the directions.

Nadh compared the CERT-In directions, with the much-stricter cybersecurity directions that were issued in 2018 by Securities and Exchange Board of India (SEBI).

“The CERT-In directions do not affect us at all. We are a heavily regulated entity under SEBI, who in 2018 came out with stringent cyber security directions for the capital markets industry,” he said.

However, unlike the CERT-In directions, SEBI’s 54-point regulation was co-authored by SEBI and industry participants together in a highly consultative process as it had to address nuances of numerous technical details, Nadh said.

“I strongly believe that matters pertaining to technology regulation should be made very carefully, and a larger consultation should be taken up with the industry experts and public. SEBI's highly consultative and pragmatic approach to large scale technology regulation in the capital markets industry is a great example for this,” he added.

Minister of State for Electronics and Information Technology Rajeev Chandrasekhar had earlier?reasoned not taking a public consultation?by claiming that that the directions do not affect general citizens.

However, Nadh disagrees. “In this particular case, service provider's are being mandated to be custodians of customers' data for long periods, so it warrants consultation with the public,” he said.

As of now,?CERT-In has extended the deadline?for micro, small and medium enterprises (MSMEs) to comply with its April 28 cybersecurity directions to September 25. It has also delayed till September 25, the implementation of the direction that required service providers to store names of customers, address and their contact numbers.