“We have concerns with several of the incident reporting obligations, including the mandatory reporting of cyber incidents within 6 hours of noticing, the requirement to enable logs of all ICT systems and maintain them securely within Indian jurisdiction for a rolling period of 180 days, the overbroad definition of reportable incidents, and the requirement that companies connect to the servers of Indian government entities,” the Information Technology Industry Council (ITI) said in its letter dated May 5 to the Indian Computer Emergency Response Team’s (CERT-In). ITI represents some of the largest tech companies in the world including Apple, Amazon, Meta, Google, and Microsoft.
CERT-In, which is the government-appointed nodal agency tasked with performing cybersecurity-related functions in the country, issued a cybersecurity directive on April 28 and has since received strong pushback from cybersecurity experts for lacking clarity and being impractical.
“While we appreciate that with this Directive CERT-In is seeking to improve cybersecurity, we fear that as drafted and without significant revisions the Directive may negatively impact Indian and global enterprises and actually undermine cybersecurity in India. […] If left unaddressed, these provisions may have severe consequences for enterprises and their global customers without solving the genuine security concerns,” ITI said.
Dear reader, we urgently need to build capacity to cover the fast-moving tech policy space. For that, our independent newsroom is counting on you. Subscribe to MediaNama today, and help us report on the policies that govern the internet.
What issues does ITI have with the cybersecurity directive
- 6-hours to report incidents is not in line with global standards: According to the directive, all companies must mandatorily report cyber incidents to CERT-In within 6 hours of noticing such incidents or being brought to notice about such incidents. ITI has asked CERT to provide feasible incident reporting timelines of at least 72 hours, commensurate with incident severity levels in alignment with global best practices. “Doing so will ensure that companies are able to focus on responding appropriately to an incident and that any information provided to the government is contextualized,” ITI said. The Council also sent to CERT its report on Global Policy Principles for Security Incident Reporting. This recommendation is in line with what cybersecurity experts told MediaNama. “Singapore’s personal data protection law provides a 3-day window, similar to the GDPR’s breach reporting requirements,” Vijayant Singh, Ikigai Law, told us. “Is CERT really expecting people to report incidents at midnight? Does CERT have the capacity to actually accept this,” another researcher, Srinivas Kodali asked.
- Logging information might become a target for global threat actors: Companies must mandatorily enable logs of all their systems and maintain them securely for a rolling period of 180 days and the same should be maintained within the Indian jurisdiction. These should be provided to CERT-In along with reporting of any incident or when ordered by CERT-In. This is not a best practice because it would make such repositories of logged information a target for global threat actors, in addition to requiring significant resources (both human and technical) to implement, ITI stated in its letter. Suman Kar, CEO of cybersecurity firm Banbreach, told us that this direction is problematic because we don’t know how CERT will handle the data. “Until and unless CERT produces a document that lists the chain of custody that they are going to follow, the kind of storage that they are going to use. For example, if they say, we are going to keep the logs encrypted at all times, whether it is at rest or in transit or in use, we want to keep it encrypted. Then, you know there’s a semblance of privacy preservation. Otherwise, it’s a matter of time before things start leaking. The other thing is CERT doesn’t tell us whether they are going to share this with anyone else or not,” Kar said.
- Reporting incidents like probing and scanning is impractical: CERT has increased the number of reportable incidents bringing in incidents like data leaks, unauthorised access to social media accounts, and attacks on cloud computing, AI/ML, and blockchain systems. “The current definition of reportable incident to include activities such as probing and scanning is far too broad given probes and scans are everyday occurrences. It would not be useful for companies or Cert-In to spend time gathering, transmitting, receiving, and storing such a large volume of insignificant information that arguably will not be followed up on,” ITI noted. “If I run a dense organisation, on average I get 100,000 IPs trying to scan or brute force my servers in 1 hour. Should I send a PDF form with 100,000 IPs,” Venkatanaryanan remarked to MediaNama.
- Connection to NTP servers can affect security: CERT wants companies to connect to the Network Time Protocol (NTP) Server of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL) or to servers traceable to these NTP servers for synchronisation of their systems clocks. This is “very concerning because it could negatively affect companies’ security operations as well as the functionality of their systems, networks, and applications, amongst other reasons,” ITI noted. While ITI has pointed out security concerns, experts who spoke with MediaNama talked about the impracticality of this specific direction. Cybersecurity researcher Anand Venkatanarayanan said that companies will prefer to use their own time servers because they know nothing about NIC’s servers. “In a system where everything is dependent on time drift not being more than certain nanoseconds or milliseconds, the most important infrastructure piece is the time server. Now, if you are running a 25,000 data centre, why would you want to use NIC’s time server. Does it make any sense at all? And what is the configuration of NIC’s time server, you don’t know that. What’s the latency? You don’t know that. We rely on a technology called Anycast to reduce latency. Is NIC’s time server Anycast? The answer is no.” Venkatanarayanan remarked.
What ITI wants the government to do next
ITI Council has requested CERT to:
- Delay the period of implementation of the directive (currently 60 days from April 28, 2022) to allow time to address the concerns raised
- Revise the directive to address the concerning provisions with regard to incident reporting obligations, including related to the reporting timeline, scope of covered incidents and logging data localization requirements
- Launch a wider stakeholder consultation to ensure that the directive can be effectively implemented in its revised format. CERT should also open a detailed technical consultation for a public reply, ITI Council said.
“As both producers and users of cybersecurity products and services, ITI’s members have extensive experience working with governments around the world to advance and implement robust and effective cybersecurity policies. […] We request that the government allow a wider stakeholder consultation with industry before finalising on the directive. We are hopeful of a favourable government response.” —Kumar Deep, ITI’s Country Manager
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.
- Why India Should Not (Yet) Mandate Companies To Adopt A Specific Time Source
- CERT-In Wants Cybersecurity Incidents Reported Within 6 Hours
- Why India’s New Cybersecurity Directive Is A Bad Joke
- VPN Providers Call India’s New Rules Worse Than China, Russia
Have something to add? Subscribe to MediaNama here and post your comment.