BSA kicks multiple holes in India's infosec reporting rules

Strongly suggests extensive re-writes and consultation - backed up by Microsoft, Intel, AWS, and friends

Lobby group The Software Alliance (BSA)* has written to India's government, pointing out impractical requirements, inconsistencies, and flaws in the nation's recently announced infosec reporting rules. The organization says the problems can only be addressed with extensive consultations and a delay to implementation.

The BSA has already co-signed another letter that eleven tech and finance lobby groups sent to India's government, which requests changes to requirements such as extensive logging of user activities and reporting of even trivial infosec incidents within six hours of detection. That multi-party letter states that these rules will harm the nation's economy by discouraging foreign investment.

The Alliance's own document [PDF] raises issues not addressed in the multi-party letter – such as an argument that requiring cloud providers to supply logs of customers' activities is futile as clouds don't log what goes on inside resources rented by their customers.

"Customers control what event logs are generated by their workloads in the cloud, therefore, customers should be the point of contact to provide event logs," the letter states.

HCL and HP named in unflattering audit of India's biometric ID system


The letter also suggests that the requirement for cloud service providers to gather know your customer data is unnecessary duplication, as many customers pay by credit card – meaning their personal data is already collected by card issuers.

India's 60-day deadline to achieve compliance with its rules is also called out as insufficient, given the complexity of the reporting requirements. The letter points out that the rules require all user IP addresses to be logged, but that doing so is hard because "with people working remotely, many users have dynamic IP addresses that change regularly."

India's rules were announced in late April and come into effect on June 27. The BSA calls for a delay to the reporting requirement for user IP addresses while organizations figure out how to address the complexities involved in matching IP addresses to individuals.

Another issue of concern is that as the rules are currently phrased, it is unclear if service providers or end-user organizations are required to report infosec incidents – or if both must report the same incident. BSA wants clarification of that matter to avoid the confusion that would follow duplicate reports.

India's requirement for reports of infosec incidents to be filed within six hours is roundly criticized.

"Organizations likely will have little to no useful information to share after an initial 6-hour period beyond 'something happened'," the letter states. Such scanty information, the BSA argues, means that the Indian Computer Emergency Response Team (CERT-In), which will receive all reports required under the rules, "stands to be flooded with incomplete information that will not present actionable data or, even worse, will include inaccurate data that distracts its attention and resources in the midst of critical incident response."

The tone of the letter is polite, but its theme that the rules as currently constituted are a mess that won't meet the stated aim of improving India's cyber security is hard to miss.

The letter includes several calls for wider consultation and makes it plain the BSA is happy to participate.

CERT-In, India's minster for Information Technology Rajeev Chandrasekhar, and the ministry he leads have all to date rebuffed criticism, offering only an explanatory FAQ that slightly softens some reporting requirements.

But the BSA asserts that FAQ is itself problematic because it is not an official document.

The Alliance's letter concludes by stating dialogue about the rules would "result in CERT-In achieving our shared goal of a more secure future, while simultaneously supporting the growth of the Indian economy."

Indian prime minister Narendra Modi has spent much of 2022 using the word "Techade" to describe his policies to develop government digital services and grow India's economy over the next ten years by attracting foreign investment to the nation's technology services and manufacturing industries.

The BSA's roster of members – which includes the likes of AWS, Adobe, Microsoft, Cisco, Intel, Salesforce, IBM and SAP – are likely to be among the offshore entities that invest in India. And right now those vendors are telling India it has created a hostile business environment with ineffective infosec regulations. ®

*The Software Alliance is the renamed Business Software Association, and its formal brand is now "BSA | The Software Alliance". Like, the B doesn't stand for anything at all. That's just odd.

Similar topics

Broader topics

Other stories you might like

  • India shares its e-government tools with all as India Stack
    Identity, payments, data management – the lot – as digital public goods

    The Indian government has decided to share with the world the many e-governance tools it has created to run the country, under the name

    Prime minister Narendra Modi announced the stack yesterday, declaring "This offering of India to the Global Public Digital Goods repository will help position India as the leader in building Digital Transformation projects at a population scale and prove to be of immense help to other countries which are looking for such technology solutions."

    Such nations can now get their hands on India's identity service Aadhaar, the DigiLocker cloud storage locker, the CoWin Vaccination Platform, the Government e-Marketplace, and the Ayushman Bharat Digital Health Mission.

    Continue reading
  • India extends deadline for compliance with infosec logging rules by 90 days
    Helpfully announced extension on deadline day

    Updated India's Ministry of Electronics and Information Technology (MeitY) and the local Computer Emergency Response Team (CERT-In) have extended the deadline for compliance with the Cyber Security Directions introduced on April 28, which were due to take effect yesterday.

    The Directions require verbose logging of users' activities on VPNs and clouds, reporting of infosec incidents within six hours of detection - even for trivial things like unusual port scanning - exclusive use of Indian network time protocol servers, and many other burdensome requirements. The Directions were purported to improve the security of local organisations, and to give CERT-In information it could use to assess threats to India. Yet the Directions allowed incident reports to be sent by fax – good ol' fax – to CERT-In, which offered no evidence it operates or would build infrastructure capable of ingesting or analyzing the millions of incident reports it would be sent by compliant organizations.

    The Directions were roundly criticized by tech lobby groups that pointed out requirements such as compelling clouds to store logs of customers' activities was futile, since clouds don't log what goes on inside resources rented by their customers. VPN providers quit India and moved their servers offshore, citing the impossibility of storing user logs when their entire business model rests on not logging user activities. VPN operators going offshore means India's government is therefore less able to influence such outfits.

    Continue reading
  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • Intuit pulls QuickBooks from India, uncomfortably quickly
    Walks away from enormous but parochial market, while leaving global development teams in place

    Accounting software colossus Intuit has decided to pull its QuickBooks product from India.

    The decision comes into effect on January 31 2023, after which QuickBooks products and service offerings for accountancy and small business customers will no longer be available in the world's second most populous country.

    "After careful consideration, the decision was made that we can no longer continue to deliver and support QuickBooks products that serve the needs of small businesses and accounting professionals across India," reads a notice posted yesterday.

    Continue reading
  • Google battles bots, puts Workspace admins on alert
    No security alert fatigue here

    Google has added API security tools and Workspace (formerly G-Suite) admin alerts about potentially risky configuration changes such as super admin passwords resets.

    The API capabilities – aptly named "Advanced API Security" – are built on top of Apigee, the API management platform that the web giant bought for $625 million six years ago.

    As API data makes up an increasing amount of internet traffic – Cloudflare says more than 50 percent of all of the traffic it processes is API based, and it's growing twice as fast as traditional web traffic – API security becomes more important to enterprises. Malicious actors can use API calls to bypass network security measures and connect directly to backend systems or launch DDoS attacks.

    Continue reading
  • Indian government signals changes to infosec rules after industry consultation
    Reports suggest SMBs will get more time, but core elements including six-hour reporting requirement remain

    Indian media is reporting that the government has consulted with industry about its controversial infosec reporting rules, possibly resulting in concessions that slightly ease requirements for some businesses.

    The rules, introduced on April 29 with no warning and a sixty-day compliance deadline, require organizations operating in India to report 22 different types of information security incidents within six hours of detection, maintain extensive logs of their own and customers' activities and provide that info to authorities as required, and use only network time protocol (NTP) servers provided by Indian authorities or synced to those servers.

    The rules generated swift and widespread opposition on grounds that they were loosely worded, imposed enormous compliance burdens, made India less attractive to foreign tech companies, and would harm privacy. The requirement to report even trivial incidents within six hours was criticized as likely delivering a deluge of reports that would contribute little to the stated goal of securing intelligence with which to defend the nation. The Internet Society warned that insistence on using Indian NTP servers would create an unhelpful reliance on that infrastructure.

    Continue reading

Biting the hand that feeds IT © 1998–2022