TWO KEY ministries, Information Technology and Home Affairs, are making a strong pitch for the ownership of Computer Emergency Response Team (Cert-In), the country’s nodal cybersecurity watchdog. At present, Cert-In comes under the administrative control of the IT Ministry.

According to sources, the two ministries have been engaged in discussions for at least a year now after MHA first elaborated on how bringing Cert-in under its ambit would help law enforcement. Cert-In’s technical expertise, the MHA believes will streamline its investigative abilities in cyberspace, particularly because it has enforcement powers.

The IT Ministry, however, believes the CERT-In’s job, which includes incident reporting and also alerting organizations about malware, is quite technical in nature, and that its remit goes far beyond law enforcement purposes.

The back and forth exemplifies the evolving complexity of the online world, especially when harms are involved, where multiple stakeholders have to work together and often with different approaches and mandates.

“Cert-In’s main job is to share inputs with the government on how the security infrastructure can be better, which is a very technical function. They have very limited powers in terms of actually carrying out investigations. For instance, unlike law enforcement agencies, Cert-In does not have any search and seizure powers, which limits its abilities to conduct full-blown investigations on its own,” a senior government official told The Indian Express.

Festive offer

“The Home Ministry is approaching the debate with the perspective that since it has the overall investigative powers for various offenses, if it also controls a technical agency like Cert-In directly, it might help streamline some of the law enforcement agencies’ work,” a second government official said. They also described the tussle as “bureaucratic power games”.

Multiple queries sent to the IT and Home Affairs ministries did not elicit a response.

A third official, who did not want to be named, said because of the way the Allocation of Business Rules (AoBR) have been framed, “cybersecurity has not been made the sole remit of any one ministry. There are agencies that work on various facets of cybersecurity, which come under the Prime Minister’s Office, Home Ministry, and the IT Ministry. That ambiguity in the rules is also causing this turf war. Globally, some countries have their respective Certs under the Home office, or the IT ministry.”

The Information Technology (Amendment) Act 2008, designated Cert-In to serve as the national agency to perform key functions in the area of ​​cybersecurity including the collection, analysis and dissemination of information on cyber incidents; forecast and alerts of such events; prescribing emergency measures for handling them; and coordinating cyber incident response activities, among other things.

The MHA also has a dedicated cybersecurity agency under it, called the Indian Cyber-crime Coordination Center (I4C). However, it differs from Cert-In in that it focuses primarily on cyber crimes and improving coordination between various law enforcement agencies. Cert-In coming under the fold of Home Affairs could potentially give it the much needed technical expertise its agencies currently lack.

Cert-In has been involved in the investigation loop of several high-profile cyber incidents that have impacted Indian institutions. For instance, it carried out a technical analysis of the cyberattack which had brought the operations of AIIMS Delhi to a grinding halt for several days in 2022.

The agency has also evolved to enjoy a significant amount of regulatory powers since inception. In 2022, Cert-In issued a cybersecurity directive to all entities, which required VPN service providers along with data centers and cloud service providers, to store information such as names, email IDs, contact numbers, and IP addresses (among other things) of their customers for five years, among other things.

Cert-In has also been criticized for not revealing details of investigations publicly, which civil society activities believe could help in transparency. The agency handled close to 1.4 million cybersecurity incidents in 2022, as per its latest annual report. The mitigation of vulnerable services accounted for the largest number of incidents handled by the agency, totaling 8,75,892.