A recent direction by India’s Computer Emergency Response Team has raised concerns of additional compliance requirements that, experts say, will be financially burdensome for companies, apart from highlighting privacy issues.
Several provisions of the directions titled “Directions under sub-section (6) of Section 70B of the Information Technology Act, 2000 relating to information security practices, procedure, prevention, response and reporting of cyber incidents for Safe & Trusted Internet,” released on April 28, such as mandatory reporting of cybersecurity-related events within six hours, server time stamps, 180 days of log back-up, and retention of customer details by virtual private network (VPN) services, have worried the industry and cybersecurity experts in the last few days.
180-day log retention
The CERT-In guidelines said, “All service providers, intermediaries, data centres, body corporate and Government organisations shall mandatorily enable logs of all their ICT systems and maintain them securely for a rolling period of 180 days and the same shall be maintained within the Indian jurisdiction. These should be provided to CERT-In along with reporting of any incident or when ordered / directed by CERT-In.”
Speaking to Moneycontrol, Agnidipta Sarkar, Group Chief Information Security Officer (CISO) at Biocon (comments made in personal capacity), pointed out that the need to retain logs for 180 days, which means every company will now need log retention capability, could mean additional expenses.
“Now, log retention takes up disk space. Here, we are talking about retention of logs, from security devices such as a firewall, or router, etc. Now depending on the model of these devices, one usually will have limited disk space, which can store up to one month of data. But here they are asking for six months of log records,” Sarkar explained.
So, Sarkar said, companies will have to extract their logs and store them on log servers. “There are free log servers available, there are paid software available, there are software with additional features available. The most modern systems are the Security Information and Event Management (SIEM) but not everybody invests in an SIEM. So now, companies will have to buy storage capability which may run into lakhs, and also spend on log software, unless one is buying an open source software or a freeware,” Sarkar added.
6-hour reporting of cybersecurity events
“Any service provider, intermediary, data centre, body corporate and Government organisation shall mandatorily report cyber incidents as mentioned in Annexure I to CERT-In within six hours of noticing such incidents or being brought to notice about such incidents,” the CERT-In guidelines said.
Supratim Chakraborty, a partner in Khaitan and Co, said, “While it is understood that this is being brought to enforce mandatory reporting of almost all types of cybersecurity cases, it will be a burden for companies; whether they will be equipped to report such cases within six hours is highly questionable.”
Chakraborty pointed out that in January 2021, CERT-In had implemented similar guidelines regarding reporting cybersecurity incidents to the body and also to the victims of the cybersecurity incident. However, he said that the current form of the Information Technology Act does not state that a company has to inform data subjects of an incident, and thus added that the advisory went beyond the remit of the IT Act.
“After that advisory, many companies started receiving notices from CERT-In, asking if they reported the incident to them, the data subject. So, it became clear that the advisory was a real issue, and it created quite a bit of concern in the industry,” Chakraborty told Moneycontrol.
Some cybersecurity incidents happen on regular issues
The directions also specified 20 types of cybersecurity incidents that any ‘body corporate’ will have to mandatorily report to CERT-In. These include targeted scanning/probing of critical networks/systems, compromise of critical systems, unauthorised access to IT systems, etc.
Agnidipta Sarkar pointed out that cybersecurity incidents such as ‘spoofing and phishing attacks’, which also find a mention in the CERT-In advisory, happen on a regular basis. “Some attacks like phishing and spoofing attacks, network scan, happen every day. Does it mean that if a company gets 10 phishing emails in a day, then it has to send 10 separate reports to the CERT-In every six hours?” he asked.
Sarkar said that this would mean that the volume of such reports will increase and that companies may well have to set up separate desks for this.
It is important to note that the guidelines give no information on whom to approach at CERT-In for more clarity. “I am hoping the CERT will provide more details and engage with body corporates to thaw out open issues,” Sarkar added.
Cybersecurity expert Anand Venkatanarayanan criticised CERT-In’s requirement that the time servers of service providers, intermediaries and data centres align with those of the National Physical Laboratory and the National Informatics Centre (NIC). Time servers speak the Network Time Protocol (NTP), the protocol that keeps computers’ clocks synchronised across a network; accurate, consistent time is also important in cybersecurity.
“True time is truly a complex piece of infrastructure... Every hyperscaler *has* to build something like this. It is not a choice they have. Their business demands it,” Venkatanarayanan tweeted.
CERT-In also said that data centres, virtual private server (VPS) providers, cloud service providers and VPN service providers shall be required to register details such as names of subscribers/customers, period of hire, IPs allotted to the members, email address and IP addresses used at the time of registration, etc.
Technology lawyer and Software Freedom Law Centre founder Mishi Choudhury said, “It's high time that CERT-In took a proactive role in ensuring that citizens are protected and companies engage in improved information sharing and situational awareness. In the past, SFLC.in has had to move to courts for CERT-In to do its job on data breaches. We hope faster incident response times are instituted... Requirements to register VPN users, linking of identification to IP addresses raise serious privacy concerns and should be removed. CERT-In cannot take away the right to use certain tools in the garb of cyber security.”