Cert-In’s directives on reporting cybersecurity incident lack clarity: software policy group BSA

New Delhi/Chennai: The Indian Computer Emergency Response Team (Cert-In)’s directives on reporting a cybersecurity incident within six hours from being aware of it, the lack of clarity on what constitutes a severe or a large-scale incident and other directives could potentially “undermine incident investigation and response, including the deployment of defensive measures”, software policy group BSA has said.

“We recommend that the directions ask to provide an initial report of high-impact or severe cyber incidents as soon as practicable or within 72 hours of the confirmation of an incident, whichever is faster,” Venkatesh Krishnamoorthy, Country Manager India of BSA, The Software Alliance said.

Tech policy and business advocacy groups such as the US India Business Council, the Cybersecurity Coalition, US Chamber of Commerce, the Bank Policy Institute, the Internet and Mobile Association of India, AccessNow and SFLC.in among others have also written to the Ministry of Electronics and Information Technology as well as Cert In contesting that the guidelines such as retaining of customer details for five years by VPN service providers would “put people’s privacy at risk”.

“They expand the scope of mass surveillance, contravene globally recognised principles of necessity and proportionality, and data minimisation, and ultimately weaken cybersecurity. They effectively create new cybersecurity vulnerabilities in the form of databases of retained data that can be exploited by malicious actors,” AccessNow had said in its June 1 letter to Cert In.

On April 28, Cert In had come out with a set of guidelines for all companies, intermediaries, data centres, and government organisation under which it had mandated that any data breach must be reported to the government within six hours of the organisation becoming aware of it.

These guidelines had also mandated that virtual private network (VPN) service providers shall maintain all the information they had gathered as a part of know-your-customer norms and hand it over to the government as and when asked for it.

On May 18, the Ministry of Electronics and Information Technology came out with a set of frequently asked questions (FAQ) on the Cert In guidelines during which it clarified certain aspects of how the six-hour norm would work, along with what details the VPN service providers would have to keep for a period of five years.

Indicating the government’s tough stand on the issue, Minister of State for Information Technology Rajeev Chandrasekhar had then said that VPN service providers which did not want to adhere to the latest cyber-security guidelines issued by Cert In were “free to leave India”.

Stay on top of technology and startup news that matters. Subscribe to our daily newsletter for the latest and must-read tech news, delivered straight to your inbox.