India’s Computer Emergency Response Team (CERT-In), the nation’s government-run computer emergency response team, quietly released a new set of rules for reporting internet security breaches in April, and by the look of it, they’re pretty unpopular!
What’s infosec? Answer: Procedures or measures used to protect electronic data from unauthorized access or use.
Opposition is building to India’s recently introduced rules on reporting computer security breaches, which have come under fire for being impractical, ineffective, and impinging on privacy.
India’s Internet Freedom Foundation (IFF) has offered an extensive criticism of the regulations. IFF says the rules were formulated and announced without consultation, lack a data breach reporting mechanism that would benefit end-users, and include data localization requirements that could prevent some cross-border data flows.
Tech sources say that eleven ‘big guns’ among tech-aligned industry associations from around the world have written to CERT-In, requesting that the new infosec reporting and data retention rules be revoked. They reportedly criticized the new regulations as inconsistent, onerous, unlikely to improve security within India, and possibly harmful to the nation’s economy.
The US Chamber of Commerce, BSA (The Software Alliance), Digital Europe, the Information Technology Industry Council, techUK, the Cybersecurity Coalition, the US-India Business Council, and the US-India Strategic Partnership Forum are reportedly among the signatories. The collective membership of these signatory organisations covers virtually every significant tech vendor.
CERT-In has been silent and unresponsive on the rules since it announced them on April 28, according to media sources.
CERT-In requires Indian organizations to report more than 20 types of infosec incidents within six hours of discovery. It rates a ransomware attack (which is pretty serious stuff), detection of a potentially malicious network probe (like some seriously dark internet espionage), and a hijacked social media account (a very common occurrence) on the same level of seriousness.
Ransomware is a type of malware attack in which the attacker locks and encrypts the victim’s data and important files and then demands a payment to unlock and decrypt the data.
There are two phases of a malicious network probe-based attack. First, the malware scans your network, either using a port scan or a ping sweep. If it locates a vulnerable device, it infects that device with the malware. Second, once installed, the host device becomes part of the infection matrix. Not only does it let the bad guys into that network as and when they choose, the malware also scans for other vulnerable devices on the Internet. And so the breach spreads as the malware copies itself from machine to machine to machine.
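The scanning phase described above leaves a recognisable footprint in firewall logs: one source address touching many distinct destination ports in a short time. The following Python snippet is an added example, not code from the article or from CERT-In; it runs a sliding-window port-scan detector over a constructed sample log in a hypothetical format (`<ISO timestamp> <action> src=… dst=… dport=…`), and stamps each alert with the six-hour reporting deadline the new rules impose. The window size and port threshold are assumed values chosen for the illustration.

```python
"""Toy port-scan detector over constructed firewall log lines (added example).

Assumed (hypothetical) log format, one event per line:
    <ISO timestamp> <ACTION> src=<ip> dst=<ip> dport=<port>
A source that hits SCAN_PORT_THRESHOLD or more distinct destination ports
inside a WINDOW_SECONDS sliding window is flagged as a probable port scan.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

WINDOW_SECONDS = 60                    # assumed sliding window per source address
SCAN_PORT_THRESHOLD = 10               # assumed distinct-port count that triggers an alert
REPORTING_WINDOW = timedelta(hours=6)  # CERT-In's six-hour reporting deadline

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def _build_sample_log():
    """Constructed sample data: one scanner and one ordinary client (TEST-NET addresses)."""
    base = datetime(2022, 6, 1, 2, 15, 0)
    lines = []
    # Scanner: walks destination ports 20..34 on one host, one port per second.
    for i, port in enumerate(range(20, 35)):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} DROP src=198.51.100.7 dst=192.0.2.20 dport={port}")
    # Ordinary client: repeated HTTPS plus one HTTP request, spread over minutes.
    for i, port in enumerate([443, 443, 80, 443, 443]):
        ts = (base + timedelta(minutes=i)).isoformat()
        lines.append(f"{ts} ACCEPT src=203.0.113.9 dst=192.0.2.20 dport={port}")
    return sorted(lines)  # ISO timestamps sort chronologically as strings


SAMPLE_LOG = _build_sample_log()


def parse_line(line):
    """Return (timestamp, source ip, destination port) or None for a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], int(m["dport"]))


def detect_port_scans(lines, window=WINDOW_SECONDS, threshold=SCAN_PORT_THRESHOLD):
    """Flag each source whose distinct destination ports in the window reach the threshold."""
    recent = defaultdict(deque)  # src -> deque of (timestamp, dport) still inside the window
    alerts = {}                  # src -> alert record (first trigger only)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that do not match the assumed format
        ts, src, dport = parsed
        q = recent[src]
        q.append((ts, dport))
        # Drop events that have fallen out of the sliding window.
        while q and (ts - q[0][0]).total_seconds() > window:
            q.popleft()
        distinct_ports = {port for _, port in q}
        if len(distinct_ports) >= threshold and src not in alerts:
            alerts[src] = {
                "source": src,
                "detected_at": ts,
                "distinct_ports": len(distinct_ports),
                "report_by": ts + REPORTING_WINDOW,  # deadline under the six-hour rule
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_LOG):
        print(f"{alert['source']}: {alert['distinct_ports']} ports by "
              f"{alert['detected_at'].isoformat()}, report by {alert['report_by'].isoformat()}")
```

On the constructed log, only the scanner is flagged (at its tenth distinct port, 02:15:09), and the ordinary client, which never exceeds two distinct ports, is not. The `report_by` field illustrates why the six-hour window draws criticism: a probe detected at 02:15 must be reported by 08:15, regardless of who is on shift.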
CERT-In’s new rules include the capture and retention of VPN users’ personal information, including the IP addresses used to access the services. Organisations are also required to retain log files for 180 days and share them with CERT-In if the team deems them necessary for an investigation.
A VPN (virtual private network) is one of the best tools for ensuring your internet privacy. A VPN encrypts your connection and keeps you hidden while surfing, shopping, and banking online.
The new rules attracted criticism in India on grounds that a six-hour reporting window is too short, the requirement to record VPN users’ details is an attack on privacy, and that the requirements are too broad and therefore represent an onerous compliance burden.
The IFF also points out that the privacy implications of the rules – especially five-year retention of personal information – come at a time when India’s Draft Data Protection Bill has proven so controversial that it has failed to reach a vote in Parliament, and debate about digital privacy in India is ongoing and fierce.
The requirement for infosec incidents to be reported within six hours has also been criticized. It could mean reports are filed in the wee small hours of the night, when they are unlikely to be acted on. Requiring staff to work all night to file incident reports is also felt to be unproductive.
Indian organizations were given just sixty days to be ready for the requirements. As they apply to some very large entities, such as data centre operators, achieving readiness in such a short time is no laughing matter.
Global tech lobby group the Information Technology Industry Council (ITI) has sent a message to CERT-In that suggests the six-hour reporting requirement is not feasible, and is also not aligned with global best practice of 72-hour reporting.
The ITI stated that the 180-day logfile requirement is not best practice, and suggested that the list of reportable incidents is “far too broad” as it includes “everyday occurrences.”
“It would not be useful,” it added, “for companies or CERT-In to spend time gathering, transmitting, receiving, and storing such a large volume of insignificant information that arguably will not be followed up on.”
The requirement for all Indian organizations to use local network time servers also came in for criticism.
CERT-In has to date been silent in the face of criticism. A tech website has reported that India’s minister for Skill Development and Entrepreneurship and Electronics and Information Technology, Rajeev Chandrasekhar, has brushed aside criticism too, saying that VPN providers that don’t like the rules can choose to leave the country.
Some of the objections that have been raised are: six-hour reporting is unreasonable and required by no other nation or bloc; the rules require retained data to be stored within an Indian jurisdiction, but the FAQ says offshore storage is acceptable if it does not hinder Indian investigators; storing customer data is burdensome and creates a security risk; and some of the log data required is commercially sensitive.
The letter to CERT-In suggests that the rules will make it hard for overseas companies to do business in India, put the country at odds with its allies, and result in costs being passed on to consumers. The groups call for new consultation to revise the rules.