BSA kicks multiple holes in India's infosec reporting rules
Strongly suggests extensive re-writes and consultation - backed up by Microsoft, Intel, AWS, and friends
Lobby group The Software Alliance (BSA)* has written to India's government, pointing out impractical requirements, inconsistencies, and flaws in the nation's recently announced infosec reporting rules. The organization says the problems can only be addressed with extensive consultations and a delay to implementation.
The BSA has already co-signed another letter that eleven tech and finance lobby groups sent to India's government, which requests changes to requirements such as extensive logging of user activities and reporting of even trivial infosec incidents within six hours of detection. That multi-party letter states that these rules will harm the nation's economy by discouraging foreign investment.
The Alliance's own document [PDF] raises issues not addressed in the multi-party letter – such as an argument that requiring cloud providers to supply logs of customers' activities is futile as clouds don't log what goes on inside resources rented by their customers.
"Customers control what event logs are generated by their workloads in the cloud, therefore, customers should be the point of contact to provide event logs," the letter states.
The letter also suggests that the requirement for cloud service providers to gather know your customer data is unnecessary duplication, as many customers pay by credit card – meaning their personal data is already collected by card issuers.
India's 60-day deadline to achieve compliance with its rules is also called out as insufficient, given the complexity of the reporting requirements. The letter points out that the rules require all user IP addresses to be logged, but that doing so is hard because "with people working remotely, many users have dynamic IP addresses that change regularly."
India's rules were announced in late April and come into effect on June 27. The BSA calls for a delay to the reporting requirement for user IP addresses while organizations figure out how to address the complexities involved in matching IP addresses to individuals.
Another issue of concern is that as the rules are currently phrased, it is unclear if service providers or end-user organizations are required to report infosec incidents – or if both must report the same incident. BSA wants clarification of that matter to avoid the confusion that would follow duplicate reports.
India's requirement for reports of infosec incidents to be filed within six hours is roundly criticized.
"Organizations likely will have little to no useful information to share after an initial 6-hour period beyond 'something happened'," the letter states. Such scanty information, the BSA argues, means that the Indian Computer Emergency Response Team (CERT-In), which will receive all reports required under the rules, "stands to be flooded with incomplete information that will not present actionable data or, even worse, will include inaccurate data that distracts its attention and resources in the midst of critical incident response."
The tone of the letter is polite, but its theme that the rules as currently constituted are a mess that won't meet the stated aim of improving India's cyber security is hard to miss.
The letter includes several calls for wider consultation and makes it plain the BSA is happy to participate.
CERT-In, India's minister for Information Technology Rajeev Chandrasekhar, and the ministry he leads have all to date rebuffed criticism, offering only an explanatory FAQ that slightly softens some reporting requirements.
But the BSA asserts that FAQ is itself problematic because it is not an official document.
The Alliance's letter concludes by stating dialogue about the rules would "result in CERT-In achieving our shared goal of a more secure future, while simultaneously supporting the growth of the Indian economy."
Indian prime minister Narendra Modi has spent much of 2022 using the word "Techade" to describe his policies to develop government digital services and grow India's economy over the next ten years by attracting foreign investment to the nation's technology services and manufacturing industries.
The BSA's roster of members – which includes the likes of AWS, Adobe, Microsoft, Cisco, Intel, Salesforce, IBM and SAP – are likely to be among the offshore entities that invest in India. And right now those vendors are telling India it has created a hostile business environment with ineffective infosec regulations. ®
*The Software Alliance is the renamed Business Software Association, and its formal brand is now "BSA | The Software Alliance". Like, the B doesn't stand for anything at all. That's just odd.