Global Tech Industry Body Seeks Revision in India's Directive on Reporting of Cybersecurity Breach

US-based technology industry body ITI, having global tech firms such as Google, Facebook, IBM and Cisco as its members, has sought a revision in the Indian government's directive on reporting of cyber security breach incidents. ITI said that the provisions under the new mandate may adversely impact organisations and undermine cybersecurity in the country.

ITI country manager for India Kumar Deep, in a letter to CERT-In chief Sanjay Bahl dated May 5, asked for a wider stakeholder consultation with the industry before finalising on the directive.

"The directive has the potential to improve India's cybersecurity posture if appropriately developed and implemented, however, certain provisions in the bill, including counterproductive incident reporting requirements, may negatively impact Indian and global enterprises and undermine cybersecurity," Deep said.

Indian Computer Emergency Response Team (CERT-In) on April 28 issued a directive asking all government and private agencies, including internet service providers, social media platforms and data centres, to mandatorily report cybersecurity breach incidents to it within six hours of noticing them.

The new circular issued by the CERT-In mandates all service providers, intermediaries, data centres, corporates and government organisations to mandatorily enable logs of all their ICT (Information and Communication Technology) systems and maintain them securely for a rolling period of 180 days and the same shall be maintained within the Indian jurisdiction.

ITI has raised concerns over the mandatory reporting of breach incidents within six hours of noticing, to enable logs of all ICT systems and maintain them within Indian jurisdiction for 180 days, the overbroad definition of reportable incidents and the requirement that companies connect to the servers of Indian government entities.

Deep, in the letter, said that the organisations must be given 72 hours to report an incident in line with global best practices and not just six hours.

ITI said that the government's mandate to enable logs of all covered entities' information and communications technology systems, maintain logs "securely for a rolling period of 180 days" within India and make them available to the Indian government upon request is not a best practice.

"It would make such repositories of logged information a target for global threat actors, in addition to requiring significant resources (both human and technical) to implement," Deep said.

ITI also raised concern on the requirement that "all service providers, intermediaries, data centres, body corporate and government organisations shall connect to the NTP servers of Indian labs and other entities for synchronisation of all their ICT systems clocks".

The global body said that the provisions could negatively affect companies' security operations as well as the functionality of their systems, networks and applications.

ITI said that the government's current definition of reportable incident to include activities such as probing and scanning is far too broad given probes and scans are everyday occurrences.

"It would not be useful for companies or CERT-In to spend time gathering, transmitting, receiving and storing such a large volume of insignificant information that arguably will not be followed up on," Deep said.

ITI has asked the government to defer timeline for implementation of the new directive and launch a wider consultation with all stakeholders for its effective implementation.

ITI demanded CERT-In to "revise the directive to address the concerning provisions with regard to incident reporting obligations, including related to the reporting timeline, scope of covered incidents and logging data localisation requirements".