US-based technology industry body ITI, a member of global tech firms such as Google, Facebook, IBM and Cisco, has sought amendments to the Indian government’s directive on reporting incidents of cyber security breaches. ITI said the provisions under the new mandate could adversely affect organizations and could undermine cyber security in the country.
ITI’s country manager for India, Kumar Deep, in a letter dated May 5 to CERT-in head Sanjay Behl, asked for extensive stakeholder consultations with the industry before finalizing the directive.
“The directive has the potential to improve India’s cyber security situation when appropriately developed and implemented, however, certain provisions in the bill, including adverse event reporting requirements, could negatively impact and undermine Indian and global enterprises.” can. Cyber securityDeep said.
The Indian Computer Emergency Response Team (CERT-In) on April 28 issued a directive to all government and private agencies, including internet service providers, social media platforms and data centers, to make it mandatory for all government and private agencies to notice incidents of cyber security breaches within six hours. asked to report.
The new circular issued by CERT-In mandates all service providers, intermediaries, data centres, corporates and government organizations to enable logs of all their ICT (Information and Communication Technology) systems and keep them securely for a rolling period of 180 days. Mandatory to maintain. It will be retained in Indian jurisdiction.
ITI has mandated reporting of incidents of violation within six hours of intimation, enabling logs of all ICT systems and maintaining them in Indian jurisdiction for 180 days, broad definition of reportable incidents and linking to companies’ servers. expressed concern over the need. Government of India Institutions.
Deep said in the letter that organizations should be given 72 hours, not just six, to report an incident in line with global best practices.
ITI said that the government will enable the logs of information and communication technology systems of all covered entities, to maintain logs “securely for a rolling period of 180 days” within India and to be made available to the Government of India on request. mandate is not best practice.
“This would make such repositories of logged information a target for global threat actors, in addition to the significant resources (both human and technical) that would need to be deployed,” Deep said.
ITI also raised concerns over the requirement that “all service providers, intermediaries, data centres, body corporates and government organizations shall connect to the NTP servers of Indian laboratories and other entities for synchronization of all their ICT system clocks”.
The global body said the provisions could negatively affect the security operations of companies as well as the functionality of their systems, networks and applications.
The ITI said the government’s current definition of a reportable incident is too broad to include activities such as investigation and scanning as investigations and scans are everyday occurrences.
“It would not be useful for companies or CERT-ins to spend time collecting, transmitting, receiving and storing such large amounts of insignificant information that would not be followed,” Deep said.
ITI has asked the government to defer the deadline for implementation of the new directive and initiate extensive consultations with all stakeholders for its effective implementation.
ITI sought CERT-In to revise the directive to “address relevant provisions with respect to incident reporting obligations, including reporting timeline, scope of covered incidents and logging data localization requirements”.