US-based technology industry body ITI, which counts international technology firms such as Google, Facebook, IBM and Cisco among its members, has sought a revision of the Indian government’s directive on reporting cybersecurity breach incidents. ITI said that the provisions under the new mandate might adversely affect organisations and undermine cybersecurity in the country.
ITI country manager for India Kumar Deep, in a letter to CERT-In chief Sanjay Bahl dated May 5, requested a wider stakeholder consultation with the industry before finalising the directive.
“The directive has the potential to improve India’s cybersecurity posture if appropriately developed and implemented, however, certain provisions in the bill, including counterproductive incident reporting requirements, may negatively impact Indian and global enterprises and undermine cybersecurity,” Deep mentioned.
The Indian Computer Emergency Response Team (CERT-In) on April 28 issued a directive asking all government bodies and private businesses, including internet service providers, social media platforms and data centres, to mandatorily report cybersecurity breach incidents within six hours of noticing them.
The Indian Computer Emergency Response Team (CERT-In) serves as the national agency for performing various functions in the area of cyber security in the country as per provisions of section 70B of the Information Technology Act, 2000. In order to coordinate response activities as well as emergency measures with respect to cyber security incidents, CERT-In calls for information from service providers, intermediaries, data centres and body corporate.
During the course of handling cyber incidents and interactions with the constituency, CERT-In has identified certain gaps causing hindrance in incident analysis. To address the identified gaps and issues so as to facilitate incident response measures, CERT-In has issued directions relating to information security practices, procedure, prevention, response and reporting of cyber incidents under the provisions of sub-section (6) of section 70B of the Information Technology Act, 2000. These directions will become effective after 60 days, the authorities said.
The directions cover aspects relating to synchronisation of ICT system clocks; mandatory reporting of cyber incidents to CERT-In; maintenance of logs of ICT systems; subscriber/customer registrations details by Data centers, Virtual Private Server (VPS) providers, VPN Service providers, cloud service providers; KYC norms and practices by virtual asset service providers, virtual asset exchange providers and custodian wallet providers. These directions shall enhance overall cyber security posture and ensure safe & trusted Internet in the country.
The new circular issued by CERT-In requires all service providers, intermediaries, data centres, corporates and government organisations to mandatorily enable logs of all their ICT (Information and Communication Technology) systems and maintain them securely for a rolling period of 180 days, and the same shall be maintained within the Indian jurisdiction.
ITI raises concerns
ITI has raised concerns over the mandatory reporting of breach incidents within six hours of noticing them, the requirement to enable logs of all ICT systems and maintain them within Indian jurisdiction for 180 days, the overbroad definition of reportable incidents, and the requirement that companies connect to the servers of Indian government entities.
Deep, in the letter, has also mentioned that the organisations should be given 72 hours to report an incident in line with global best practices and not just six hours.
The report further added that ITI has said the government’s mandate to enable logs of all covered entities’ information and communications technology systems, maintain logs “securely for a rolling period of 180 days” within India and make them available to the Indian government upon request is not a best practice.
“It would make such repositories of logged information a target for global threat actors, in addition to requiring significant resources (both human and technical) to implement,” Deep explained.
Additionally, ITI raised concerns about the requirement that “all service providers, intermediaries, data centres, body corporate and government organisations shall connect to the NTP servers of Indian labs and other entities for synchronisation of all their ICT systems clocks”.
The international body said that the provisions might negatively affect companies’ security operations as well as the performance of their systems, networks and applications.
Also, ITI said that the government’s current definition of a reportable incident, which includes activities such as probing and scanning, is far too broad given that probes and scans are everyday occurrences.
“It would not be useful for companies or CERT-In to spend time gathering, transmitting, receiving and storing such a large volume of insignificant information that arguably will not be followed up on,” Deep mentioned.
ITI has requested the government to defer the timeline for implementation of the new directive and launch a wider consultation with all stakeholders for its effective implementation.
It has demanded that CERT-In “revise the directive to address the concerning provisions with regard to incident reporting obligations, including related to the reporting timeline, scope of covered incidents and logging data localisation requirements”.