6 Hours of Cyber Resolvance

Blog Credit : Trupti Thakur

Image Courtesy : Google

6 Hours of Cyber Resolvance

As with the recent spate of rules across ministries, these rules also require the creation of a portal for digital implementation of the rules.

All telecom entities must report any cybersecurity incidents to the central government within six hours of becoming aware of them, as per the Telecom Cyber Security Rules, 2024, notified and brought into effect by the Department of Telecommunications on Thursday. In this six-hour period, the same as the one specified in the 2022 CERT-In directions, the affected entity must also give details of the affected system along with the description of the incident.

These rules, which were released for public consultation on August 29, mandate telecom entities to implement measures to prevent and respond to cyber incidents. They supersede the Prevention of Tampering of the Mobile Device Equipment Identification Number Rules, 2017, and have been issued under sections 22 and 56 (2)(v) of the Telecommunications Act, 2024.

The notified rules mandate all telecom entities to appoint an Indian chief telecommunication security officer based in the country, to adopt a telecom cybersecurity policy, and conduct periodic telecom cybersecurity audits, amongst other things. As with the recent spate of rules across ministries, these rules also require the creation of a portal for digital implementation of the rules.

A security incident is defined as an event that has “a real or potential risk on telecom cyber security”.

In a departure from the draft rules, the notified rules specify a 24-hour deadline after becoming aware of the incident within which the telecom entity must furnish additional details about the incident. These details include the number of users affected, the duration of the incident, the geographical area affected by the incident, the extent to which the network and service are affected, and the remedial measures the entity proposes to take. Unlike the draft rules, the entities are not required to specify the “extent of impact on economic and societal activities”.

For Raman Jit Singh Chima, global cybersecurity lead at Access Now, these deadlines are still very short and do not meet global standards.

“Between the draft rules and the notified rules, minor changes have been made to the language which do not sufficiently address the concerns that we had raised. As a result, the rules must be laid on the floor of the Parliament and the MPs must discuss them,” Chima. He also said that the “certified agency”, which has not been specified in the rules and is responsible for carrying out security audits after an incident, should have ideally been defined in the parent law itself.

“For instance, when it comes to collection and analysis of data under Rule 3, the broad, catchall term “any other data” has still been retained. In the same rule, disallowing the central government or an agency to collect, share or analyze the “content of the messages” creates a false distinction between data and metadata, and false conclusion that collection of metadata cannot lead to surveillance.”

But there is one positive change. As per the notified rules, if a person is found endangering telecom cyber security, and the government passes a written order to either suspend or permanently disconnect their telecom identifier (IMEI number, ESN, etc.), the person must be given a copy of the order and a “reasonable opportunity of being heard”. After this hearing, the original order can either be upheld, revoked or modified.

 

 

 

Blog By : Trupti Thakur