The directive of the Indian Computer Emergency Response Team (Cert-In) requiring a cybersecurity incident to be reported within six hours of an organisation becoming aware of it, together with the lack of clarity on what constitutes a severe or a large-scale incident, among other things, could potentially “undermine incident investigation and response, including the deployment of defensive measures”, software policy group BSA has said.
“We recommend that the directions ask to provide an initial report of high-impact or severe cyber incidents as soon as practicable or within 72 hours of the confirmation of an incident, whichever is faster,” Venkatesh Krishnamoorthy, country manager India at BSA, the Software Alliance, said in a letter to the Ministry of Electronics and Information Technology on May 30.
Several other tech policy and business advocacy organisations have also raised concerns over Cert-In’s directives. The US India Business Council, the Cybersecurity Coalition, US Chamber of Commerce, the Bank Policy Institute, the Internet and Mobile Association of India, AccessNow and SFLC.in have written to the ministry and Cert-In, claiming that rules such as retaining customer details for five years by virtual private network (VPN) providers would “put people’s privacy at risk”.
“They expand the scope of mass surveillance, contravene globally recognised principles of necessity and proportionality, and data minimisation, and ultimately weaken cybersecurity. They effectively create new cybersecurity vulnerabilities in the form of databases of retained data that can be exploited by malicious actors,” AccessNow had said in a June 1 letter to Cert-In.
On April 28, Cert-In had come out with a set of guidelines for all companies, intermediaries, data centres and government organisations under which any data breach must be reported to the government within six hours of the organisation becoming aware of it.
These guidelines had also mandated that VPN service providers shall maintain all the information they had gathered as a part of know-your-customer rules and hand it over to the government as and when asked for it.
On May 18, the Ministry of Electronics and Information Technology came out with a set of frequently asked questions on the Cert-In guidelines, in which it clarified certain aspects of how the six-hour norm would work, along with what details the VPN service providers would have to keep for five years.
Indicating the government’s tough stand on the issue, minister of state for information technology Rajeev Chandrasekhar had said VPN service providers which did not want to adhere to the latest cybersecurity guidelines were “free to leave India”.