Industry pushes back against India’s data security breach reporting requirements

Opposition is building to India’s recently introduced rules on reporting computer security breaches, which have come under fire for being impractical, ineffective, and impinging on privacy.

The rules were introduced without fanfare in late April by CERT-In, the nation’s government-run computer emergency response team that has responsibility for incident management and wider infosec guidance.

CERT-In requires Indian organizations to report more than 20 types of infosec incidents within six hours of discovery – and it rates a ransomware attack, detection of a potentially malicious network probe, and a hijacked social media account on the same level of seriousness.

Other requirements include the capture and retention of VPN users’ personal information and even the IP addresses used to access the services. Organizations are also required to retain log files for 180 days and share them with CERT-In if the team deems them necessary for an investigation.

Indian organizations were given just sixty days to be ready for the requirements. As they apply to some very large entities, such as datacenter operators, achieving readiness is non-trivial.

Concern about the rules has been voiced within and outside India, the latter typified by global tech lobby group the Information Technology Industry Council (ITI) sending CERT-In a letter [PDF] that suggests the six-hour reporting requirement is not feasible, and is also not aligned with global best practice of 72-hour reporting.

The ITI stated that the 180-day logfile requirement is not best practice, and suggested that the list of reportable incidents is “far too broad” as it includes “everyday occurrences.”

“It would not be useful,” it added, “for companies or CERT-In to spend time gathering, transmitting, receiving, and storing such a large volume of insignificant information that arguably will not be followed up on.”

The requirement for all Indian organizations to use local network time servers also came in for criticism.

VPN providers have, predictably, opposed the rules on grounds that they invade users’ privacy. One such provider, ProtonVPN, openly offers procedures for India-based users to work around the rules.

India’s Internet Freedom Foundation has offered an extensive criticism of the regulations, arguing that they were formulated and announced without consultation, lack a data breach reporting mechanism that would benefit end-users, and include data localization requirements that could prevent some cross-border data flows.

The foundation also points out that the privacy implications of the rules – especially the five-year retention of personal information – are very significant at a time when India’s Draft Data Protection Bill has proven so controversial it has failed to reach a vote in Parliament, and debate about digital privacy in India is ongoing and fierce.

Indian outlet Medianama has quoted infosec researcher Anand Venkatanarayanan, who claimed one way to report security incidents to CERT-In involves a non-interactive PDF that has to be printed out and filled in by hand.

Venkatanarayanan also pointed out that the rules’ requirement to report incidents as trivial as port scanning has not been explained – is it one PDF per IP address scanned, or can one report cover many IP addresses? CERT-In said it wanted the new reporting to improve its analytical capabilities, but has not explained how analog reports – faxes are also allowed – will help it to build a better incident database.

CERT-In has been silent on the rules since it announced them on April 28. The Register has contacted India’s Ministry of Electronics and Information Technology, CERT-In’s parent organization, seeking comment on the criticism above. We will update this story if we receive a substantive response. ®