ITI, a US-based trade group with members including Google, Facebook, IBM, and Cisco, has asked the Indian government to revise its directive on reporting cybersecurity breaches. According to ITI, elements of the new requirement may harm businesses and impair cybersecurity in the country.
In a May 5 letter to CERT-In chairman Sanjay Bahl, ITI's national manager for India, Kumar Deep, requested broader stakeholder engagement with the industry before the order is finalized.
“If properly developed and implemented, the directive has the potential to improve India’s cybersecurity posture,” Deep said. “However, certain provisions in the bill, such as counterproductive incident reporting requirements, may negatively impact Indian and global enterprises and undermine cybersecurity.”
On April 28, the Indian Computer Emergency Response Team (CERT-In) issued an order requiring all government and commercial institutions, including internet service providers, social media platforms, and data centers, to disclose cybersecurity breaches within six hours of becoming aware of them.
All service providers, intermediaries, data centers, corporations, and government organizations must enable logs of all their ICT (Information and Communication Technology) systems and maintain them securely for a rolling period of 180 days, according to a new circular issued by the CERT-In. The logs must be kept within the Indian jurisdiction.
ITI is concerned about the requirement to report a breach within six hours of becoming aware of it, the requirement to enable logs of all ICT systems and keep them within Indian jurisdiction for 180 days, the overbroad definition of reportable incidents, and the requirement that companies connect to the servers of Indian government entities.
Deep said in the letter that organizations should be allowed 72 hours, rather than six, to disclose an incident, in line with global best practices.
According to ITI, the government’s order to enable logs of all covered organizations’ information and communications technology systems, keep those logs “securely for a rolling period of 180 days” inside India, and make them accessible to the Indian government upon request is not a best practice.
“It would make such logged-information repositories a target for global threat actors and needing considerable resources (both human and technological) to deploy,” Deep added.
The demand that “all service providers, intermediates, data centers, body corporates, and government organizations should link to the NTP servers of Indian laboratories and other entities for synchronization of all their ICT system clocks” has also alarmed ITI.
According to the trade group, the requirements could severely affect firms’ security operations and the performance of their systems, networks, and applications.
According to ITI, the government’s current definition of a reportable incident, which includes activities such as probing and scanning, is far too broad, given that probes and scans are commonplace.
“It would be inefficient for businesses or CERT-In to spend time collecting, sending, receiving, and keeping such a massive number of inconsequential data that is unlikely to be followed up on,” Deep added.
ITI has asked the government to postpone the new directive’s implementation date and to hold a broader dialogue with all stakeholders to ensure its successful implementation.
“Revise the directive to address the problematic provisions concerning incident reporting duties, especially linked to the reporting schedule, the scope of covered occurrences, and logging data localization requirements,” ITI asked of CERT-In.