CERT-In has issued a call for AI-assisted cybersecurity testing to accelerate discovery of vulnerabilities and optimise defensive readiness in India’s cyber ecosystem.
Key concepts
- AI-assisted cybersecurity testing: Use of ML/AI models to automate scanning, exploit generation, attack-surface mapping and prioritisation of findings.
- Penetration testing (pentest): Authorised simulated attack to identify exploitable weaknesses in systems, networks or applications.
- Red/Blue/Purple teams: Red teams simulate attackers; blue teams defend; purple teams co‑ordinate offensive and defensive activities.
- Fuzzing: Automated input generation to discover software crashes and logic flaws; AI can guide input selection.
CERT‑In: institutional and legal frame
- Designation: Indian Computer Emergency Response Team (CERT‑In) is the national nodal agency for cyber security under MeitY.
- Legal basis: Section 70B of the Information Technology Act, 2000 gives CERT‑In statutory recognition and sets out its functions.
- Functions: Incident coordination, advisories, cyber threat collection and coordination with stakeholders.
AI methods and operational risks
- Methods: Intelligent fuzzing, automated exploit synthesis, vulnerability triage, phishing simulation via generative models.
- Risks: Model poisoning, adversarial evasion, hallucinated exploits, data‑privacy breaches and lack of explainability.
Standards, legal considerations and practices
- Standards: NIST SP 800‑115 (testing), ISO/IEC 27001, OWASP Testing Guide; NIST AI RMF for AI risk management.
- Disclosure: Coordinated Vulnerability Disclosure (CVD) norms apply; testing without authorisation can attract unauthorised-access offences under cyber laws.
IASPOINT Booster Facts
- CERT‑In Rules, 2013: Prescribe specific duties and modes of operation for CERT‑In.
- EU AI Act: Classifies certain AI uses as “high‑risk”, relevant to offensive/defensive testing tools.
- NIST AI RMF (2023): Provides a layered risk‑management approach across the AI lifecycle, relevant to test tools.
