Former Rajya Sabha MP Priyanka Chaturvedi on Tuesday questioned the credibility of India’s cyber security agency CERT-In after it released a fresh advisory warning organisations about rapidly evolving AI-powered cyber attacks. Reacting to the agency’s latest cyber security blueprint, Chaturvedi said it was “laughable in hindsight” that the government had earlier wanted opposition MPs to submit their phones to CERT-In following Apple’s state-sponsored surveillance alert controversy.

Taking to X, Chaturvedi wrote, “Imagine with a CERT-IN so ineffective despite getting served everything on a platter by an ethical hacker, yet IT Minister wanted opposition MPs to submit their phones to such an agency to investigate Apple’s state sponsored surveillance alert. Laughable in hindsight.”

Her remarks came shortly after the Indian Computer Emergency Response Team (CERT-In) released a new 38-page cyber security framework asking organisations to urgently patch critical vulnerabilities as cyber threats powered by artificial intelligence continue to rise globally.

The advisory recommends that organisations fix “known exploited vulnerabilities” affecting internet-facing and “crown-jewel” systems within 12 hours “where feasible”. CERT-In also suggested patching critical externally exposed vulnerabilities within a day and resolving vulnerabilities in high-value systems within three days.

The agency warned that rapid advancements in generative AI, large language models (LLMs), autonomous agents and AI-enabled automation platforms are significantly transforming the cyber threat landscape.

Why has CERT-In raised concerns over AI-powered cyber attacks?

According to the blueprint, threat actors are increasingly using AI tools to automate vulnerability discovery, launch highly targeted phishing campaigns, develop adaptive malware and accelerate cyber attacks at scale.

The agency cautioned that organisations can no longer rely only on periodic audits or reactive cyber security responses as AI is shrinking the time between vulnerability discovery and exploitation.

CERT-In also flagged risks linked to unrestricted use of public AI platforms, including prompt injection attacks, insecure AI integrations, model manipulation and data leakage.

What has CERT-In recommended for organisations?

Apart from the 12-hour remediation window for critical internet-facing systems, CERT-In suggested:

  • Patching critical externally exposed vulnerabilities within one day
  • Fixing exploited vulnerabilities affecting internal systems within one day unless other controls are implemented
  • Resolving vulnerabilities in high-value systems within three days
  • Addressing high-severity vulnerabilities within five days

The agency further recommended continuous monitoring, Zero Trust Security models, behavioural analytics, Security Operations Centres (SOCs) and adversarial testing to counter emerging cyber threats.

While the blueprint does not introduce new legal obligations, it reinforces India’s existing cyber compliance framework and reiterates the requirement for organisations to report cyber incidents within six hours.

CERT-In said organisations must move towards “adaptive, intelligence-driven, continuously validated, and resilience-oriented” cyber security practices as AI-enabled threats continue to evolve rapidly.