India’s cybersecurity directive goes against security, tech companies argue

ITI has asked the Indian government to withdraw its recent cybersecurity directive and hold fresh stakeholder consultations.

“We have concerns with several of the incident reporting obligations, including the mandatory reporting of cyber incidents within 6 hours of noticing, the requirement to enable logs of all ICT systems and maintain them securely within Indian jurisdiction for a rolling period of 180 days, the overbroad definition of reportable incidents, and the requirement that companies connect to the servers of Indian government entities,” the Information Technology Industry Council (ITI) said in its letter dated May 5 to the Indian Computer Emergency Response Team (CERT-In). ITI represents some of the largest tech companies in the world, including Apple, Amazon, Meta, Google, and Microsoft.

CERT-In, which is the government-appointed nodal agency tasked with performing cybersecurity-related functions in the country, issued a cybersecurity directive on April 28 and has since received strong pushback from cybersecurity experts for lacking clarity and being impractical.

“While we appreciate that with this Directive CERT-In is seeking to improve cybersecurity, we fear that as drafted and without significant revisions the Directive may negatively impact Indian and global enterprises and actually undermine cybersecurity in India. […] If left unaddressed, these provisions may have severe consequences for enterprises and their global customers without solving the genuine security concerns,” ITI said.

What issues does ITI have with the cybersecurity directive?

  1. 6 hours to report incidents is not in line with global standards: According to the directive, all companies must mandatorily report cyber incidents to CERT-In within 6 hours of noticing such incidents or being brought to notice about such incidents. ITI has asked CERT to provide feasible incident reporting timelines of at least 72 hours, commensurate with incident severity levels, in alignment with global best practices. “Doing so will ensure that companies are able to focus on responding appropriately to an incident and that any information provided to the government is contextualized,” ITI said. The Council also sent CERT its report on Global Policy Principles for Security Incident Reporting. This recommendation is in line with what cybersecurity experts told MediaNama. “Singapore’s personal data protection law provides a 3-day window, similar to the GDPR’s breach reporting requirements,” Vijayant Singh of Ikigai Law told us. “Is CERT really expecting people to report incidents at midnight? Does CERT have the capacity to actually accept this?” another researcher, Srinivas Kodali, asked.
  2. Logging information might become a target for global threat actors: Companies must mandatorily enable logs of all their systems and maintain them securely for a rolling period of 180 days and the same should be maintained within the Indian jurisdiction. These should be provided to CERT-In along with reporting of any incident or when ordered by CERT-In. This is not a best practice because it would make such repositories of logged information a target for global threat actors, in addition to requiring significant resources (both human and technical) to implement, ITI stated in its letter. Suman Kar, CEO of cybersecurity firm Banbreach, told us that this direction is problematic because we don’t know how CERT will handle the data. “Until and unless CERT produces a document that lists the chain of custody that they are going to follow, the kind of storage that they are going to use. For example, if they say, we are going to keep the logs encrypted at all times, whether it is at rest or in transit or in use, we want to keep it encrypted. Then, you know there’s a semblance of privacy preservation. Otherwise, it’s a matter of time before things start leaking. The other thing is CERT doesn’t tell us whether they are going to share this with anyone else or not,” Kar said.
  3. Reporting incidents like probing and scanning is impractical: CERT has increased the number of reportable incidents, bringing in incidents like data leaks, unauthorised access to social media accounts, and attacks on cloud computing, AI/ML, and blockchain systems. “The current definition of reportable incident to include activities such as probing and scanning is far too broad given probes and scans are everyday occurrences. It would not be useful for companies or Cert-In to spend time gathering, transmitting, receiving, and storing such a large volume of insignificant information that arguably will not be followed up on,” ITI noted. “If I run a dense organisation, on average I get 100,000 IPs trying to scan or brute force my servers in 1 hour. Should I send a PDF form with 100,000 IPs?” Venkatanarayanan remarked to MediaNama.
  4. Connection to NTP servers can affect security: CERT wants companies to connect to the Network Time Protocol (NTP) Server of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL), or to servers traceable to these NTP servers, for synchronisation of their system clocks. This is “very concerning because it could negatively affect companies’ security operations as well as the functionality of their systems, networks, and applications, amongst other reasons,” ITI noted. While ITI has pointed out security concerns, experts who spoke with MediaNama talked about the impracticality of this specific direction. Cybersecurity researcher Anand Venkatanarayanan said that companies will prefer to use their own time servers because they know nothing about NIC’s servers. “In a system where everything is dependent on time drift not being more than certain nanoseconds or milliseconds, the most important infrastructure piece is the time server. Now, if you are running a 25,000 data centre, why would you want to use NIC’s time server? Does it make any sense at all? And what is the configuration of NIC’s time server? You don’t know that. What’s the latency? You don’t know that. We rely on a technology called Anycast to reduce latency. Is NIC’s time server Anycast? The answer is no,” Venkatanarayanan remarked.

What ITI wants the government to do next

ITI Council has requested CERT to:

  1. Delay the period of implementation of the directive (currently 60 days from April 28, 2022) to allow time to address the concerns raised.
  2. Revise the directive to address the concerning provisions with regard to incident reporting obligations, including those related to the reporting timeline, the scope of covered incidents, and the logging data localisation requirements.
  3. Launch a wider stakeholder consultation to ensure that the directive can be effectively implemented in its revised format. CERT should also open a detailed technical consultation for public reply, ITI Council said.

“As both producers and users of cybersecurity products and services, ITI’s members have extensive experience working with governments around the world to advance and implement robust and effective cybersecurity policies. […] We request that the government allow a wider stakeholder consultation with industry before finalising on the directive. We are hopeful of a favourable government response.” —Kumar Deep, ITI’s Country Manager

This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ