ITI seeks revision of CERT-In directive on cybersecurity breaches
The Indian Computer Emergency Response Team (CERT-In) recently issued a new directive to government and private agencies, mandating the reporting of cybersecurity incidents. Following this, the Information Technology Industry Council (ITI), a US-based tech body, has asked CERT-In to revise its directive. In a letter written to CERT-IN, ITI's country manager for India, Kumar Deep, sought a wider stakeholder consultation before finalizing the directive.
- The new directive from CERT-In has brought the debate on cybersecurity and government overreach to the forefront. The directive has already seen opposition from several companies and cybersecurity companies.
- The involvement of ITI, an organization that has some of the biggest names in the industry as its members, is certainly a boost for those that oppose the order.
The directive issued by CERT-In on April 28 mandates internet service providers, data centers, and social media platforms, among others, to report cybersecurity breaches within six hours of noticing them. It also requires such organizations to enable logs of their ICT systems and maintain them for a rolling period of 180 days. These companies are also reportedly required to connect to Indian government servers.
In his letter to the CERT-In chief Sanjay Bahl, Deep said that organizations must be given 72 hours to report breaches. And, about enabling logs and maintaining them for 180 days, he said that apart from requiring significant resources, such a rule will also make the logged information vulnerable. He also criticized the "overbroad" definition of "reportable incidents" as per the CERT-IN circular.
"The directive has the potential to improve India's cyber security posture if appropriately developed and implemented," the ITI country manager further said. He then asked the Indian government to "revise the directive to address the concerning provisions with regard to incident reporting obligations, including [provisions] related to the reporting timeline, scope of covered incidents, and logging data localization requirements."