India set to extend deadline for absurd infosec reporting requirements

60 days becomes five months and counting, without any indication government can process or learn from flood of trivial incident reports

India's minister of state for electronics and information technology, Rajeev Chandrasekhar, has hinted strongly that he will again extend the deadline to comply with sweeping new information security reporting rules that were imposed as an essential national defence mechanism.

The unheralded rules were introduced in April 2022 and gave local organizations a 60-day deadline to put systems in place. After the deadline they were required to report many types of infosec incidents – even trivial ones like port scanning and phishing attempts – to India's Computer Emergency Response Team (CERT-In) within six hours of detection.

The rules attracted criticism from around the world on grounds that the requirements are onerous and vaguely worded, making compliance difficult. Worse, they would create a flood of trivial information that CERT-In would struggle to ingest – never mind use to meet the rules' stated intention of improving India's understanding of the cyber-threats the nation faces.

The rules were also criticized for being nonsensical, given requirements such as compelling cloud providers to submit logs of activities on clients' servers. The option to fax incident reports to CERT-In also raised eyebrows.

Another element of the rules requires clouds and VPN providers to register and report real names of users. VPNs quit India rather than comply.

Indian businesses also pushed back and the government eventually extended the compliance deadline by 90 days, to September 25.

Now, minister Chandrasekar has hinted strongly that the deadline will again be extended. In remarks to Indian newspaper The Economic Times he reportedly said "We are very clear. We will not make SMEs or MSMEs bear the burden of this additional compliance until they are ready."

Chandrasekar later retweeted the newspaper's report of his remarks, which rather confirms that the original 60-day deadline was impractical.

That deadline was not changed for large organizations, so presumably they have begun reporting incidents within six hours.

We use the word "presumably" because The Register has made multiple approaches to CERT-In, the Ministry of Electronics and Information Technology, and minister Chandrasekar's office to ask about compliance rates, and how CERT-In ingests and analyzes incident reports.

None have responded. So it remains unclear if India has secured the flow of infosec intelligence it sought, or is capable of using it to inform a response. ®

 

Similar topics

TIP US OFF

Send us news


Other stories you might like