Indian government signals changes to infosec rules after industry consultation

Indian media is reporting that the government has consulted with industry about its controversial infosec reporting rules, possibly resulting in concessions that slightly ease requirements for some businesses.

The rules, introduced on April 29 with no warning and a sixty-day compliance deadline, require organizations operating in India to report 22 different types of information security incidents within six hours of detection, maintain extensive logs of their own and customers' activities and provide that info to authorities as required, and use only network time protocol (NTP) servers provided by Indian authorities or synced to those servers.

The rules generated swift and widespread opposition on grounds that they were loosely worded, imposed enormous compliance burdens, made India less attractive to foreign tech companies, and would harm privacy. The requirement to report even trivial incidents within six hours was criticized as likely delivering a deluge of reports that would contribute little to the stated goal of securing intelligence with which to defend the nation. The Internet Society warned that insistence on using Indian NTP servers would create an unhelpful reliance on that infrastructure.

Critics also pointed out that India's Computer Emergency Response Team (CERT-In), the body overseeing the rules, offered a non-interactive PDF as one way to file incident reports, and allowed organizations to send that as an email attachment or even a fax. CERT-In offered zero evidence it had built tools to ingest and analyze incoming reports, furthering the argument that the rules imposed a considerable compliance burden without improving India's security capabilities.

• Another VPN quits India, as government proposes social media censorship powers
• BSA kicks multiple holes in India's infosec reporting rules
• India, Twitter brawl in public as latest content rules begin to bite
• ExpressVPN moves servers out of India to escape customer data retention law

The government's only response to such criticisms was issuing an FAQ in the hope of clarifying the rules' intent. But that FAQ instead sparked more criticism, because its language again lacked precision and the document lacked legislative force. Those trying to comply were left with more questions about how to interpret the rules.

All that criticism appears to have reached the ears of IT minister Rajeev Chandrasekhar, who convened a meeting to discuss the rules.

But it was the American Chamber of Commerce in India – not Chandrasekhar – that publicised the meeting.

Under the chairmanship of Mr. @Rajeev_GoI, Hon’ble Minister of State for Electronics and Information Technology, GoI @GoI_MeitY, @AmchamIndia participated in a consultation session on #CERT-In Directions 2022 and shared their #industry perspectives on the #Directives and #FAQs pic.twitter.com/oZYre4oW3B

— AMCHAM India (@AmchamIndia) June 13, 2022

Chandrasekhar retweeted the Chamber of Commerce, but his own feed and that of the Indian IT ministry are silent on what was discussed, or any outcomes.

India outlet MediaNama reports that some concessions were raised at the meeting, among them extending the compliance deadline and easing some requirements for smaller businesses.

CERT-In will reportedly create a portal for uploading incident reports, but the six-hour reporting deadline remains.

Indian authorities' official and social feeds were silent on the matter at the time of writing, and Indian government websites produced DNS errors when The Register checked for updates.

If local reports are correct, and India has softened its rules, the mooted changes won't be particularly popular. They don't address privacy concerns, NTP concentration, or change the six-hour reporting requirement that India insists is a global standard – despite other nations setting a 72-hour deadline. ®