While the privacy breach of 121 Indian citizens, many of them activists, lawyers, and academics, has given rise to a stand-off between the government and WhatsApp, this episode has also put the spotlight on the digital security agencies of the government. It has raised questions not only about who procured the Pegasus spyware found on these citizens’ devices, but also about the Indian state’s own capacities to escalate matters of cyber security, especially when foreign operators are involved.
Even as WhatsApp and the government are engaged in a blame game, the fact remains that a “security issue” highlighted by WhatsApp globally was duly noted in a “vulnerability” notification published online by the Indian Computer Emergency Response Team (CERT-In) under the IT Ministry in May. WhatsApp now claims to have shared the number of targeted users in India in September too. However, that letter has not been made public.
Going by the surprise expressed by the government over the targeting of Indian users, it appears that the notifications did not attract the desired attention through the appropriate ranks.
Two main agencies in the government are responsible for cyber security in India. One is CERT-In under the IT Ministry, which began operations in 2004 and is responsible for incident reporting management. This is the appropriate agency to notify of any security vulnerabilities.
Former National Cyber Security Coordinator (NCSC) Gulshan Rai told The Indian Express that this agency has the mandate to escalate serious concerns to the ministry and other relevant stakeholders.
Farrhad Acidwalla, founder of Cybernetiv Digital, said CERT-In usually takes newly discovered mass potential vulnerabilities seriously and updates their website and pushes advisories. “They also have the same information published via their website with background, vulnerability notes, procedures, prevention, response, and other advisories.”
The CERT-In annual report says they handled 2,08,456 incidents in 2018. These include website intrusion, malware propagation, malicious code and more. In 2018, they issued 193 security alerts and published 36 advisories and 222 vulnerability notes.
The other main agency is the National Critical Information Infrastructure Protection Centre (NCIIPC) under the National Technical Research Organisation (NTRO), which is responsible for the protection of critical infrastructure. It was created under Section 70 of the IT Act, 2000. These two bodies have overreach over all other cybersecurity agencies.
CERT-In and NCIIPC keep tabs on information infrastructure issues across different sectors and coordinate with each other through the NCSC in the Prime Minister’s Office.
Going by the response in the immediate case, it is the IT Ministry which is fielding the debate on the privacy breach of Indian citizens while the Home Ministry has ring-fenced itself by declaring that “strict action will be taken against those who are found responsible guilty of violating any provision of law”.
Neither the MHA nor any other security agency has so far come out to declare the steps taken to find out the intent to trace the privacy breach beyond the IT Ministry’s notice to WhatsApp.