Global tech industry objects to India’s new infosec reporting regime

Eleven industry associations, representing every tech vendor that matters, warns of economic harm


Eleven significant tech-aligned industry associations from around the world have reportedly written to India’s Computer Emergency Response Team (CERT-In) to call for revision of the nation’s new infosec reporting and data retention rules, which they criticise as inconsistent, onerous, unlikely to improve security within India, and possibly harmful to the nations economy.

The rules were introduced in late April and are extraordinarily broad. For example, operators of datacenters, clouds, and VPNs, are required to register customers’ names, dates on which services were used, and even customer IP addresses, and store that data for five years.

Another requirement is to report over 20 types of infosec incident, even port scanning or attempted phishing, within six hours of detection. Among the reportable incidents are “malicious/suspicious activities” directed towards almost any type of IT infrastructure or equipment, without explanation of where to draw the line between malicious and suspicious activity.

The new rules attracted plenty of local criticism on grounds that a six-hour reporting window is too short, the requirement to record VPN users’ details is an attack on privacy, and that the requirements are too broad and therefore represent an onerous compliance burden.

CERT-In responded by publishing an FAQ that addressed some of the criticism directed at the new rules. But the FAQ remains very vague, offering only limited guidance without addressing matters such as what represents reportable “suspicious activities.

Indian outlet MediaNama on Saturday reported, along with numerous other Indian outlets, that eleven tech or tech-adjacent lobby groups have written to CERT-In to voice their objections to the new rules.

The alleged signatories are heavy hitters – the US Chamber of Commerce, The Alliance (BSA), Digital Europe, the Information Technology Industry Council, techUK, the Cybersecurity Coalition US Chamber of Commerce, the US-India Business Council, and the US-India Strategic Partnership Forum are among the signatories. The collective membership of the above organisations means almost every significant tech vendor is represented by a signatory to the letter.

Among the objections raised by the letter are:

  • Six-hour reporting is unreasonable and required by no other nation or bloc;
  • The FAQ has confused the situation – the rules require retained data to be stored within an Indian jurisdiction, but the FAQ says offshore storage is acceptable if it does not hinder Indian investigators;
  • Storing customer data is burdensome, and creates a security risk;
  • Some of the log data required is commercially sensitive;
  • CERT-In’s rules allow reporting by PDF, using formats that are not machine-readable, meaning the stated aim of addressing intelligence gaps at CERT-in are unlikely to be met.

The letter to CERT-In suggests that the rules will make it hard for overseas companies to do business in India, put the country at odds with its allies, and result in costs being passed on to consumers. The groups call for new consultation to revise the rules.

CERT-In has to date been silent in the face of criticism. India’s minister for Skill Development and Entrepreneurship and Electronics and Information Technology, Rajeev Chandrasekhar, has brushed aside criticism too, saying that VPN providers that don’t like the rules can choose to leave the country.

The Register has contacted minister Chandrasekhar and CERT-in for comment on the letter. ®

Similar topics

Broader topics


Other stories you might like

  • India shares its e-government tools with all as India Stack
    Identity, payments, data management – the lot – as digital public goods

    The Indian government has decided to share with the world the many e-governance tools it has created to run the country, under the name Indiastack.global.

    Prime minister Narendra Modi announced the stack yesterday, declaring "This offering of India to the Global Public Digital Goods repository will help position India as the leader in building Digital Transformation projects at a population scale and prove to be of immense help to other countries which are looking for such technology solutions."

    Such nations can now get their hands on India's identity service Aadhaar, the DigiLocker cloud storage locker, the CoWin Vaccination Platform, the Government e-Marketplace, and the Ayushman Bharat Digital Health Mission.

    Continue reading
  • India extends deadline for compliance with infosec logging rules by 90 days
    Helpfully announced extension on deadline day

    Updated India's Ministry of Electronics and Information Technology (MeitY) and the local Computer Emergency Response Team (CERT-In) have extended the deadline for compliance with the Cyber Security Directions introduced on April 28, which were due to take effect yesterday.

    The Directions require verbose logging of users' activities on VPNs and clouds, reporting of infosec incidents within six hours of detection - even for trivial things like unusual port scanning - exclusive use of Indian network time protocol servers, and many other burdensome requirements. The Directions were purported to improve the security of local organisations, and to give CERT-In information it could use to assess threats to India. Yet the Directions allowed incident reports to be sent by fax – good ol' fax – to CERT-In, which offered no evidence it operates or would build infrastructure capable of ingesting or analyzing the millions of incident reports it would be sent by compliant organizations.

    The Directions were roundly criticized by tech lobby groups that pointed out requirements such as compelling clouds to store logs of customers' activities was futile, since clouds don't log what goes on inside resources rented by their customers. VPN providers quit India and moved their servers offshore, citing the impossibility of storing user logs when their entire business model rests on not logging user activities. VPN operators going offshore means India's government is therefore less able to influence such outfits.

    Continue reading
  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • Google battles bots, puts Workspace admins on alert
    No security alert fatigue here

    Google has added API security tools and Workspace (formerly G-Suite) admin alerts about potentially risky configuration changes such as super admin passwords resets.

    The API capabilities – aptly named "Advanced API Security" – are built on top of Apigee, the API management platform that the web giant bought for $625 million six years ago.

    As API data makes up an increasing amount of internet traffic – Cloudflare says more than 50 percent of all of the traffic it processes is API based, and it's growing twice as fast as traditional web traffic – API security becomes more important to enterprises. Malicious actors can use API calls to bypass network security measures and connect directly to backend systems or launch DDoS attacks.

    Continue reading
  • What to do about inherent security flaws in critical infrastructure?
    Industrial systems' security got 99 problems and CVEs are one. Or more

    The latest threat security research into operational technology (OT) and industrial systems identified a bunch of issues — 56 to be exact — that criminals could use to launch cyberattacks against critical infrastructure. 

    But many of them are unfixable, due to insecure protocols and architectural designs. And this highlights a larger security problem with devices that control electric grids and keep clean water flowing through faucets, according to some industrial cybersecurity experts.

    "Industrial control systems have these inherent vulnerabilities," Ron Fabela, CTO of OT cybersecurity firm SynSaber told The Register. "That's just the way they were designed. They don't have patches in the traditional sense like, oh, Windows has a vulnerability, apply this KB."

    Continue reading
  • Another VPN quits India, as government proposes social media censorship powers
    New Delhi now fighting criticism of eroding free speech and privacy with two proposed regulations

    India's tech-related policies continue to create controversy, with fresh objections raised to a pair of proposed regulation packages.

    One of those regulations is the infosec reporting and logging requirements introduced by India's Computer Emergency Response Team (CERT-In) in late April. That package requires VPN, cloud, and numerous other IT services providers to collect customers' personal information and log their activity, then surrender that info to Indian authorities on demand. One VPN provider, ExpressVPN, last week quit India on grounds that its local servers are designed not to record any logs so compliance would be impossible. ExpressVPN will soon route customers' traffic outside India.

    On Tuesday, another VPN – Surfshark – announced it would do likewise.

    Continue reading
  • Zero Trust: What does it actually mean – and why would you want it?
    'Narrow and specific access rights after authentication' wasn't catchy enough

    Systems Approach Since publishing our article and video on APIs, I’ve talked with a few people on the API topic, and one aspect that keeps coming up is the importance of security for APIs.

    In particular, I hear the term “zero trust” increasingly being applied to APIs, which led to the idea for this post. At the same time, I’ve also noticed what might be called a zero trust backlash, as it becomes apparent that you can’t wave a zero trust wand and instantly solve all your security concerns.

    Zero trust has been on my radar for almost a decade, as it was part of the environment that enabled network virtualization to take off. We’ve told that story briefly in our SDN book – the rise of microsegmentation as a widespread use-case was arguably the critical step that took network virtualization from a niche technology to the mainstream.

    Continue reading

Biting the hand that feeds IT © 1998–2022