A global IT industry body is looking for a revision of India's Cybersecurity Breach Directive

A global IT industry body is looking for a revision of India's Cybersecurity Breach Directive ...

ITI, a US-based technology business, has sought a revision in the Indian government''s cyber security breach disclosure directive. According to ITI, the new requirement may sag adversely impact organizations and undermine cybersecurity in the country.

In a letter to CERT-In chief Sanjay Bahl, the ITI country manager for India said in a May 5th, that the industry would consult with the industry more carefully before finalizing the directive.

"The directive has the potential to improve India''s cybersecurity posture if properly developed and implemented," according to Deep. However, certain provisions in the bill, including counterproductive incident reporting limitations, may adversely affect Indian and global businesses and undermine cybersecurity.

On April 28, the Indian Computer Emergency Response Team (CERT-In) a letter requesting that all government and private organizations, including internet service providers, social media platforms, and data centres, to mandateorily report cybersecurity breach incidents to it within six hours after receiving the notice.

The CERT-In new circular has mandated that all service providers, intermediaries, data centres, industrials, and government agencies to mandateorily enable logs of all their ICT (Information and Communication Technology) systems and maintain them securely for a 180-day period. The same shall be maintained within the Indian jurisdiction.

ITI has expressed concern about the obligation of reporting breach incidents within six hours of noticing, allowing records of all ICT systems and maintaining them in Indian jurisdiction for 180 days, the broad definition of reported incidents, and the requirement that companies connect to the servers of Indian government agencies.

  • CERT-In Says Firms Must Report Cybersecurity Breaches Within 6 Hours

Deep, in his letter, said that organizations must be given 72 hours to reporting an incident in accordance with global best practices, rather than six hours.

The government''s duty to enable logs of all covered entities'' information and communications technology systems, maintain logs "securely for a rolling period of 180 days," according to ITI is not a bad practice.

"It would make such repositoryes of recorded information a target for global threat actors, outperforming significant human and technical resources," Deep said.

  • Cybersecurity Breach by Military Officials on WhatsApp Unearthed: Report

ITI expressed concern about the requirement that "all service providers, intermediaries, data centres, and bodies of government organisations, including Indian labs and other entities, connect to the NTP servers for synchronization of all their ICT systems clocks."

The global commission has claimed that these provisions could adversely affect companies'' security operations as well as the functionality of their systems, networks, and applications.

Given probes and scans, the government''s current definition of reportable incident to include investigations and scanning is far too broad.

"It would not be useful for companies or CERT-In to spend time gathering, transmitting, receiving, and storing a large amount of irrelevant information that is unlikely to be followed up on," Deep said.

ITI has asked the government to postpone the timeframe for the implementation of the new directive and initiate a wider consultation with all stakeholders in order to ensure its effective implementation.