India's cyber vulnerabilities begin long before a breach

Deccan Herald 3 hrs ago

In February 2026, Nisarga Adhikary, a 19-year-old security researcher and Grade 12 student, discovered vulnerabilities in the online platform used for the Central Board of Secondary Education's (CBSE) pilot of its on-screen marking (OSM) system.

CBSE used a platform developed by Coempt Eduteck Private Limited, a private company that also provides technology solutions to state education boards and universities.

Keeping aside the purported merits and efficiency of OSM, as well as the controversies surrounding the procurement process, it is worth examining the failures that led to CBSE's embarrassing OSM pilot and discussing how security should be addressed in mission-critical systems going forward.

Nisarga reported the vulnerabilities he found to the Indian Computer Emergency Response Team (CERT-In) on February 25 and received an acknowledgement from the agency the following day. Security researchers often report vulnerabilities to CERT-In because of its status as the national nodal agency for receiving and responding to vulnerability and incident reports. However, many are unaware that CERT-In has no real enforcement powers.

Following Nisarga's responsible disclosure, Coempt Eduteck Private Limited fixed the most serious of the several vulnerabilities he had reported. The vulnerability in question involved a client-side hardcoded credential that could be used to bypass the normal authentication process altogether, effectively functioning as an easily discoverable backdoor for anyone who examined the application. Nisarga sought updates from CERT-In on the status of his report for several weeks but did not receive a satisfactory response.

That remained the case until May 22, when Nisarga publicly disclosed on his blog all the vulnerabilities he had discovered, including those that had not been fixed. It is worth noting that public disclosure of vulnerabilities is a recognised practice in the cybersecurity industry, particularly when vendors are unresponsive - a process commonly known as "full disclosure." Google's own vulnerability disclosure policy provides a 90-day disclosure timeline from the date of initial notification, which is reduced to seven days when there is evidence of active exploitation.

In response, rebuttals and assurances came from all quarters: "the system is secure and transparent," "the vulnerable platform is a test environment and contains no real data," and "no data or grades can be modified." These rebuttals were not accompanied by documentary evidence and followed the familiar pattern of responses often seen from government agencies after security vulnerabilities or breaches are reported. Following the initial rebuttals, security researchers discovered more serious vulnerabilities on the platform.

On May 31, CBSE admitted that vulnerabilities existed in its platform and stated that it was working with a team of experts from the Indian Institutes of Technology to address both reported and unreported issues. On June 5, the team of experts said they believed artificial intelligence had been used by bad actors and researchers to identify vulnerabilities on the platform.

Stricter norms

It is immediately clear that procurement norms for entities such as CBSE require swift and decisive reform. The AI-driven vulnerability apocalypse, which the government claims to be taking very seriously following the announcement of Anthropic's Claude Mythos, should not take centre stage.

Interestingly, access to Anthropic's Claude Mythos 5 and Fable 5 models has since been suspended globally following a US export-control directive, making the government's proposed response unavailable for now.

The current procurement system incentivises CERT-In-empanelled private firms to conduct security audits quickly and cheaply, reducing security to a largely bureaucratic and contractual exercise.

Where critical infrastructure is concerned - and education surely qualifies - the liability of auditing firms should begin at the moment they certify a system and extend to future breaches arising from negligent audits. Penalties should also include substantial financial consequences, rather than being limited to the revocation of a firm's CERT-In empanelment. Such accountability should be codified in law rather than left entirely to contractual arrangements.

Product regulation

The government could also consider regulating security at the product level, similar to the European Union's Cyber Resilience Act, while building on measures already in place for surveillance products. Since April 1, CCTV cameras cannot be sold in India without STQC certification and compliance with the government's notified Essential Requirements covering device security.

This framework could be extended to software products by making companies such as Coempt Eduteck legally liable for the security of the software they develop, with stringent penalties even when the software is deployed by a third party. It is worth noting that an official discussion paper by CERT-In on cybersecurity and procurement by government organisations already exists, though no penal provisions are discussed.

Reform or retire

Many, including myself, have previously highlighted CERT-In's limitations and suggested reforms. These inputs have largely focused on improving communication processes and increasing transparency, but they have been entirely ignored. A 2023 amendment to the RTI Act also resulted in CERT-In being exempt from requests for information under the law.

Many questions remain about how Nisarga's and others' disclosures were handled by CERT-In, Coempt and CBSE. Unfortunately, those questions are unlikely to be answered and will instead be addressed, if at all, through official statements and carefully worded press releases that omit critical details.

Without immediate reform, CERT-In risks becoming increasingly irrelevant, especially as other agencies are already capable of performing many of its functions. The National Critical Information Infrastructure Protection Centre (NCIIPC) is one such agency. Interviewees in a 2019 policy brief that I co-authored cited the "positive and timely resolution" of security issues reported to the NCIIPC, noting that it could serve as a model for other government bodies.

Initiatives such as the Cyber Swachhta Kendra, which can be bluntly described as a perpetual cybersecurity awareness campaign run by CERT-In, could be more effectively handled by an agency such as the Indian Cybercrime Coordination Centre (I4C), or potentially done away with altogether.

Until the fundamentals - competent audits, accountable agencies and enforceable obligations for vendors - are addressed, focusing on the AI-driven vulnerability apocalypse will do little to improve the security of critical systems.

(Karan is an independent security researcher from New Delhi)

Publisher: Deccan Herald