The US-based ITI organization, whose members include global technology companies such as Google, Facebook, IBM and Cisco, has called for a revision of the Indian government’s directive on cybersecurity incident reporting. ITI said the provisions of the new mandate could adversely affect organizations and undermine cybersecurity in the country.
ITI India Manager Kumar Deep, in a letter to CERT CEO Sanjay Ball on May 5, called for a broader stakeholder consultation with industry before finalizing the directive.
“The directive has the potential to improve India’s position on cybersecurity if properly developed and implemented, but some provisions in the bill, including requirements for reporting unproductive incidents, could negatively affect Indian and global businesses and undermine cybersecurity,” said Deep.
India’s Computer Emergency Response Team (CERT-In) issued a directive on April 28 asking all government and private agencies, including Internet service providers, social media platforms and data centers, to mandatorily report cybersecurity breach incidents within six hours of their being spotted.
The new circular issued by CERT-In obliges all service providers, intermediaries, data centers, corporations and government organizations to enable logs on all their ICT (information and communication technology) systems and to keep them securely for a continuous period of 180 days, with the logs maintained within Indian jurisdiction.
ITI raised concerns about the mandatory reporting of breach incidents within six hours of their being spotted, the requirement to enable logs on all ICT systems and maintain them within Indian jurisdiction for 180 days, the overly broad definition of reportable incidents, and the requirement for companies to connect to the servers of Indian government institutions.
Deep said in the letter that organizations should be given 72 hours to report an incident, in line with global best practices, rather than just six hours.
ITI said that the government’s mandate to enable logs on all covered ICT systems, to maintain the log files “securely for 180 days” in India and to provide them to the Indian government on request is not a best practice.
“This would make such repositories of registered information a target for participants in global threats, in addition to requiring significant resources (both human and technical) to implement,” Deep said.
ITI also expressed concern about the requirement for “all service providers, intermediaries, data centers, corporate and government organizations to connect to the NTP servers of Indian laboratories and other entities to synchronize all their ICT clocks”.
The global organization said the regulations could negatively affect companies’ security operations, as well as the functionality of their systems, networks and applications.
ITI said the government’s current definition of a reportable incident, which includes activities such as probing and scanning, is too broad, given that probing and scanning are daily events.
“It would not be useful for companies or CERT-In to spend time collecting, transmitting, receiving and storing so much insignificant information that is unlikely to be traced,” Deep said.
ITI has asked the government to postpone the implementation of the new directive and to launch a wider consultation with all stakeholders on its effective implementation.
ITI asked CERT-In to “revise the Directive to address the relevant provisions regarding incident reporting obligations, including those related to the reporting schedule, the scope of the incidents covered and the requirements for the localization of registration data”.