India slightly softens infosec incident reporting and data retention rules

But also makes it plain that offshore entities must comply

India has slightly softened its controversial new reporting requirements for information security incidents and made it plain they apply to multinational companies.

The rules were announced with little advance warning in late April and quickly attracted criticism from industry on grounds including the requirement to report 22 different types of incident within six hours, a requirement to register personal details of individual VPN users, and retention of many log files for 180 days.

India’s government yesterday responded by publishing an FAQ [PDF] about the new rules.

Some of the guidance in the document will be welcome, for example the clarification that minor security incidents such as the takeover of a social media account are not subject to the six-hour reporting requirement. Instead, only “incidents of severe nature … on any part of the public information infrastructure including backbone network infrastructure”, data breaches, or events that endanger public safety must be reported at speed.

The requirement to use only a pair of Indian network time protocol (NTP) servers also appears to have eased: the FAQ allows the use of other NTP servers, provided they sync with the two approved Indian operators.
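The relaxation above still leaves an obligation on the operator: an in-house NTP relay is only acceptable if it actually chases one of the two approved upstreams, and a relay's reply advertises that upstream in its reference identifier field. The following Python is an added example, not code from the article, CERT-In or the FAQ; the two "approved" addresses, the relay address and the sample packets are constructed placeholders (the article does not name the approved operators), and the decoding of the reference identifier follows the NTPv4 header layout in RFC 5905.

```python
import ipaddress
import socket
import struct

NTP_TO_UNIX = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)

# Assumption: placeholder addresses standing in for the two approved Indian
# NTP operators. The article does not name them; substitute the real ones.
APPROVED_UPSTREAMS = {"203.0.113.10", "203.0.113.20"}


def parse_ntp_response(pkt: bytes) -> dict:
    """Decode the fixed 48-byte NTPv4 header (RFC 5905) of a server reply."""
    if len(pkt) < 48:
        raise ValueError("NTP packet too short: %d bytes" % len(pkt))
    li_vn_mode, stratum, poll, precision = struct.unpack("!BBBb", pkt[:4])
    refid_raw = pkt[12:16]
    tx_secs, tx_frac = struct.unpack("!II", pkt[40:48])
    if stratum == 0:
        # Kiss-o'-Death: server is refusing service or unsynchronised; refid is a 4-char code
        refid = "KISS:" + refid_raw.decode("ascii", "replace").rstrip("\x00")
    elif stratum == 1:
        # Primary server: refid names the reference clock (GPS, PPS, ...)
        refid = refid_raw.decode("ascii", "replace").rstrip("\x00")
    else:
        # Secondary server: refid is the IPv4 address of its upstream
        # (for an IPv6 upstream it is a hash of the address instead, see note below)
        refid = str(ipaddress.IPv4Address(refid_raw))
    return {
        "leap": li_vn_mode >> 6,
        "version": (li_vn_mode >> 3) & 0x07,
        "mode": li_vn_mode & 0x07,
        "stratum": stratum,
        "poll": poll,
        "precision": precision,
        "refid": refid,
        "tx_unix": tx_secs - NTP_TO_UNIX + tx_frac / 2**32,
    }


def check_upstream(info: dict, queried_addr: str, approved=APPROVED_UPSTREAMS):
    """Return (ok, reason): ok if the queried server is approved or chains to an approved one."""
    if info["mode"] != 4:
        return False, "mode %d is not a server reply" % info["mode"]
    if info["stratum"] == 0 or info["leap"] == 3:
        return False, "server unsynchronised or refusing service (%s)" % info["refid"]
    if queried_addr in approved:
        return True, "%s is itself an approved operator" % queried_addr
    if info["stratum"] == 1:
        return False, "%s is a stratum-1 server (ref clock %s), not an approved operator" % (
            queried_addr, info["refid"])
    if info["refid"] in approved:
        return True, "%s (stratum %d) syncs to approved upstream %s" % (
            queried_addr, info["stratum"], info["refid"])
    return False, "%s syncs to %s, which is not an approved upstream" % (queried_addr, info["refid"])


def query_ntp(host: str, timeout: float = 2.0) -> bytes:
    """Send a mode-3 client request and return the raw reply (needs network access)."""
    request = bytearray(48)
    request[0] = (4 << 3) | 3  # LI=0, VN=4, mode=3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(bytes(request), (host, 123))
        return s.recvfrom(1024)[0]


def build_reply(stratum: int, refid: bytes, tx_secs: int = 3900000000) -> bytes:
    """Construct a minimal mode-4 server reply for offline testing (not a captured packet)."""
    header = struct.pack("!BBBb", (4 << 3) | 4, stratum, 6, -20)  # LI=0, VN=4, mode=4
    return header + b"\x00" * 8 + refid + b"\x00" * 24 + struct.pack("!II", tx_secs, 0)


# Constructed samples: a relay chained to an approved upstream, a relay chasing
# an unapproved source, and a kiss-o'-death reply.
SAMPLE_COMPLIANT = build_reply(2, socket.inet_aton("203.0.113.10"))
SAMPLE_UNAPPROVED = build_reply(3, socket.inet_aton("192.0.2.99"))
SAMPLE_KISS = build_reply(0, b"RATE")

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        addr = socket.gethostbyname(sys.argv[1])
        print(check_upstream(parse_ntp_response(query_ntp(addr)), addr))
    else:
        for name, pkt in [("compliant", SAMPLE_COMPLIANT),
                          ("unapproved", SAMPLE_UNAPPROVED), ("kiss", SAMPLE_KISS)]:
            print(name, check_upstream(parse_ntp_response(pkt), "10.0.0.5"))
```

Run it with the address of an internal relay to see which upstream that relay advertises. Two caveats: the reference identifier is the upstream's IPv4 address only when the relay itself synchronises over IPv4 (for an IPv6 upstream it carries a hash of the address, which this check will misreport), and a reply only shows the currently selected source, so confirm the full source list with `chronyc sources` or `ntpq -p` on the relay before treating it as evidence of compliance.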

The document also spells out requirements for entities that operate in India without having a physical presence in the nation. Such organisations must appoint a point of contact to liaise with India’s Computer Emergency Response Team (CERT-In), which administers the new rules. Non-Indian organisations may store data such as log files offshore, but are required to make it available to CERT-In.

The FAQ reiterates previous assertions that the new rules are needed to secure Indian industry, government, and society, and states they were devised after consultation with relevant stakeholders that began in early March 2022 – less than eight weeks before the rules were published.

But the document does not engage with criticism of the new rules. Objections to retention of data about VPN users and their activities are not answered; the document instead frames the requirement as a national security imperative and dismisses privacy concerns. The technical burden of log file retention is not addressed either, beyond oblique references to requirements for the resilience and security of the files so that they can be provided to CERT-In.

The document does acknowledge that the new rules will likely see CERT-In collect a lot of personal information from incident reports, and that those reports will include descriptions of organisations’ IT systems that would be very valuable to certain parties. Assurances that CERT-In is bound by privacy laws, and governed by chain-of-custody requirements, are offered to those who worry about sharing information with the organisation.

But it offers no explanation of how CERT-In will use the documents it collects to analyse security incidents, a matter of interest given that organisations are allowed to file reports in formats such as PDF or fax that do not lend themselves to automated ingestion or analysis.

India’s Software Freedom Law Centre has expressed concern that the FAQ is not binding, making it poor guidance, and has vowed to seek information on who participated in the consultation process. VPN providers have again criticised the rules’ requirements, leading minister of state for electronics and IT Rajeev Chandrashekhar to suggest they should leave India if they don’t like its laws.

But CERT-In and minister Chandrashekhar aren’t budging – and the June 27 deadline for meeting the new rules’ requirements remains in place. ®

Biting the hand that feeds IT © 1998–2022