India slightly softens infosec incident reporting and data retention rules

But also makes it plain that offshore entities must comply

India has slightly softened its controversial new reporting requirements for information security incidents and made it plain they apply to multinational companies.

The rules were announced with little advance warning in late April and quickly attracted criticism from industry on grounds including the requirement to report 22 different types of incident within six hours, a requirement to register personal details of individual VPN users, and retention of many log files for 180 days.

India’s government yesterday responded by publishing an FAQ [PDF] about the new rules.

Some of the guidance in the document will be welcome, for example the clarification that minor security incidents such as the takeover of a social media account are not subject to the six-hour reporting requirement. Instead, only “incidents of severe nature … on any part of the public information infrastructure including backbone network infrastructure”, data breaches, or events that endanger public safety must be reported at speed.

The requirement to use only a pair of Indian network time protocol (NTP) servers also appears to have eased, with the FAQ allowing use of other NTP servers that sync with the two approved Indian operators.

The document also spells out requirements for entities that may operate in India without having a physical presence in the nation. Such organisations must appoint a point of contact to liaise with India’s Computer Emergency Response Team (CERT-In), which administers the new rules. Non-Indian organisations may store data such as logfiles offshore, but are required to make it available to CERT-In.

The FAQ reiterates previous assertions that the new rules are needed to secure Indian industry, government, and society, and states they were devised after consultation with relevant stakeholders that began in early March 2022 – less than eight weeks before the rules were published.

But the document does not address criticism of the new rules. Objections to retention of data about VPN users and their activities are not addressed. The document instead explains the requirement as a national security imperative and dismisses privacy concerns. The technical burden of logfile retention is not addressed, other than with oblique references to requirements for resilience and security of files so that they can be provided to CERT-In.

The document does acknowledge that under the new rules CERT-In will likely collect a lot of personal information from incident reports, and that those reports will include descriptions of organisations’ IT systems that would be very valuable to certain parties. Assurances that CERT-In is bound by privacy laws, and governed by chain-of-custody requirements, are offered to those who worry about sharing information with the organisation.

But it offers no explanation of how CERT-In will use the documents it collects to analyse security incidents, a matter of interest because organisations are allowed to file reports in formats such as PDF or fax that do not lend themselves to automated ingestion or analysis.

India’s Software Freedom Law Centre has expressed concerns the FAQ is not binding, making it poor guidance, and has vowed to seek information on who participated in the consultation process. VPN providers have again criticised the rules’ requirements, leading minister of state for electronics and IT Rajeev Chandrashekhar to suggest they should leave India if they don’t like its laws.

But CERT-In and minister Chandrashekhar aren’t budging – and the June 27 deadline for meeting the new rules’ requirements remains in place. ®
