Page Loader
Home / News / Technology News / ITI seeks revision of CERT-In directive on cybersecurity breaches
ITI seeks revision of CERT-In directive on cybersecurity breaches
CERT-in wants companies to be connected to NIC or NPL servers for synchronization of their system clocks (Photo credit: Getty images)

ITI seeks revision of CERT-In directive on cybersecurity breaches

By Athik Saleh
May 07, 2022
11:17 am
What's the story

The Indian Computer Emergency Response Team (CERT-In) recently issued a new directive to government and private agencies, mandating the reporting of cybersecurity incidents. Following this, the Information Technology Industry Council (ITI), a US-based tech body, has asked CERT-In to revise its directive. In a letter written to CERT-IN, ITI's country manager for India, Kumar Deep, sought a wider stakeholder consultation before finalizing the directive.

Context

Why does this story matter?

The new directive from CERT-In has brought the debate on cybersecurity and government overreach to the forefront. The directive has already seen opposition from several companies and cybersecurity companies. The involvement of ITI, an organization that has some of the biggest names in the industry as its members, is certainly a boost for those that oppose the order.

Directive

Directive seeks compulsory reporting of breaches within 6 hours

The directive issued by CERT-In on April 28 mandates internet service providers, data centers, and social media platforms, among others, to report cybersecurity breaches within six hours of noticing them. It also requires such organizations to enable logs of their ICT systems and maintain them for a rolling period of 180 days. These companies are also reportedly required to connect to Indian government servers.

The letter

ITI seeks 72 hours to report incidents of breaches

In his letter to the CERT-In chief Sanjay Bahl, Deep said that organizations must be given 72 hours to report breaches. And, about enabling logs and maintaining them for 180 days, he said that apart from requiring significant resources, such a rule will also make the logged information vulnerable. He also criticized the "overbroad" definition of "reportable incidents" as per the CERT-IN circular.

Quote

Directive should be implemented appropriately: ITI country manager

"The directive has the potential to improve India's cyber security posture if appropriately developed and implemented," the ITI country manager further said. He then asked the Indian government to "revise the directive to address the concerning provisions with regard to incident reporting obligations, including [provisions] related to the reporting timeline, scope of covered incidents, and logging data localization requirements."