CERT-In Enters Elite Club of Intelligence Agencies Beyond RTI’s Reach
Centre exempts CERT-In from RTI act
The Right to Information (RTI) Act, enacted in 2005, aims to promote transparency and accountability among public authorities in India. It empowers citizens to seek time-bound information on governance matters from government organizations.
Here, the UCN Team offers an analysis of this news, covering the key concepts and insights behind it.
The Indian Computer Emergency Response Team (CERT-In) is the national nodal agency established in 2004 under the IT Act 2000 to deal with cyber security threats in the country. It functions under the Ministry of Electronics and Information Technology (MeitY) and is responsible for monitoring cyber attacks, issuing security advisories, and coordinating with public and private agencies when data breaches or hacking incidents are reported. Recently, the government has exempted CERT-In from the purview of the RTI Act through an official notification.
CERT-In and its functions
The Indian Computer Emergency Response Team (CERT-In) was formed in 2004 under the Information Technology (IT) Act 2000 to serve as the national agency for dealing with cyber security incidents and threats.
CERT-In has been assigned several key functions related to monitoring, alerting, and coordinating cyber security efforts in India. These include:
- Monitoring and detecting cyber attacks: CERT-In keeps track of phishing, hacking, and other cyber attack incidents across Indian internet domains.
- Issuing advisories and guidelines: It routinely publishes guidance for organizations and users on vulnerabilities in software such as Android, Chrome, and WhatsApp, as well as best practices for cyber security.
- Coordination with public and private agencies: During significant cyber attacks like the AIIMS Delhi hack in 2022, CERT-In works together with other bodies like the National Critical Information Infrastructure Protection Centre (NCIIPC) and the National Disaster Management Authority (NDMA) to respond effectively.
- International cooperation: CERT-In has signed agreements and Memorandums of Understanding (MoUs) on cyber security with countries including the UK, US, Australia, Singapore, Malaysia, Japan, and Canada in recent years. It also works with forums like the Shanghai Cooperation Organisation.
Exemption from RTI Act
The government has recently released an official notification dated November 23, 2023 to include the Indian Computer Emergency Response Team (CERT-In) in the Second Schedule of the RTI Act, thereby exempting it from providing information under the transparency law.
Prior to this, there were already 26 intelligence and security agencies like the Intelligence Bureau, RAW, DRI, ARC, ED which were excluded from the ambit of the RTI Act under the same schedule. By adding CERT-In to this list as entry number 27, the government has brought India’s national cyber security body also out of the purview of the RTI Act.
This move can have significant implications for CERT-In’s functioning as it no longer remains obligated to provide information about its operations to the public. The exemption is perceived to help maintain confidentiality of sensitive data.
What does the exemption entail
By being exempted under Section 24 of the RTI Act, CERT-In is now excluded from the requirement to provide information in response to RTI queries from citizens. (As per Section 24(1) of the RTI Act, 2005, intelligence and security agencies specified in the Second Schedule are exempt from the provisions of the Act.)
However, this exemption comes with certain exceptions. Allegations of corruption and human rights violations can still be investigated by requiring CERT-In to furnish relevant information to authorities.
The government holds certain powers under Section 24 of the RTI Act which have been used to exempt CERT-In. This includes inserting any intelligence organisation’s name under the Second Schedule through an official notification.
Perspectives on the exemption
There are arguments on both sides regarding the exemption granted to CERT-In from the RTI Act’s purview.
Supporters of the move argue that CERT-In can carry out its sensitive cyber security operations more effectively if certain information is kept confidential. Keeping details like the nature of threats assessed, assets monitored, or vulnerabilities discovered out of the public domain can strengthen overall national defenses.
However, transparency activists have raised concerns that exempting CERT-In from RTI scrutiny will reduce public accountability, which can be misused to hide inefficiencies or errors. It also affects the citizen's right to information, especially regarding a crucial organization handling cyber security.
An appropriate balance needs to be maintained between national security considerations and the public interest of ensuring transparency in CERT-In's functioning. The exclusion from RTI should not grant it absolute immunity from questions on efficiency or effectiveness.
Final Thoughts
In the UCN team's informed perspective, the government's move to include CERT-In in the list of agencies exempted from providing information under the RTI Act comes from an intent to allow CERT-In to carry out its cyber security responsibilities more effectively, but it has sparked a debate around transparency and accountability versus strategic interests.
Going forward, striking the right balance between these aspects will have an important bearing on India’s national security in the digital age. The functioning of CERT-In as the apex cyber defense agency also needs to be closely monitored even though certain information should remain confidential.
FAQ
What are the key responsibilities of CERT-In?
CERT-In is India's national cybersecurity agency. Its main duties include collecting and analyzing cyber attack information, issuing alerts about new threats, coordinating emergency responses across the public and private sectors during incidents, and formulating policies to strengthen overall IT security.
What does the abbreviation CERT stand for?
CERT stands for Computer Emergency Response Team. It refers to a group of cybersecurity experts who work to protect organizations against online threats. CERTs detect, respond to, and prevent cyberattacks across computer networks and systems.
What is CERT-IN security certification?
A CERT-IN certificate is an audit report issued by an approved auditor validating that an organization meets the Indian government's IT security standards. Obtaining this certification involves fully auditing the company's websites, applications, networks, etc. It aims to ensure robust cyber safeguards are in place.
Is CERT-In the national nodal agency for cyber incident response?
Yes, CERT-In has been designated the national-level nodal agency for cybersecurity incident response, as per India's Information Technology Act, 2000 (section 70B). It is the apex body responsible for issues related to cyberattacks and defenses.