The global tech trade association, Information Technology Industry Council (ITI), has raised concerns about the Indian Computer Emergency Response Team’s (CERT-In) directive related to information security practices, procedure, prevention, response and reporting of cyber incidents for safe and trusted internet. In its letter to CERT-In, ITI underscored its support for the government’s effort to improve cybersecurity but cautioned that the provisions as currently drafted, specifically the incident reporting obligations, may have severe consequences for businesses and customers without solving the genuine security concerns.

In the letter to the CERT-In, Kumar Deep, country manager, India, ITI, said, “As both producers and users of cybersecurity products and services, ITI’s members have extensive experience working with governments around the world to advance and implement robust and effective cybersecurity policies. The directive has the potential to improve India’s cybersecurity posture if appropriately developed and implemented, however certain provisions in the bill, including counterproductive incident reporting requirements, may negatively impact Indian and global enterprises and undermine cybersecurity. We request that the government allow a wider stakeholder consultation with industry before finalising on the directive. We are hopeful of a favourable government response.”

ITI’s specific concerns include the mandatory reporting of cyber incidents within 6 hours of noticing, the requirement to enable logs of all ICT systems and maintain them securely within Indian jurisdiction for a rolling period of 180 days, the overbroad definition of reportable incidents, and the requirement that companies connect to the servers of Indian government entities. In the letter, ITI requests that CERT-In consider the following:

  • Delay the period of implementation of the stated directive (currently 60 days post April 28, 2022) to allow time to address the concerns raised;
  • Revise the directive to address the concerning provisions with regard to incident reporting obligations, including those related to the reporting timeline, scope of covered incidents and logging data localisation requirements; and
  • Launch a wider stakeholder consultation to ensure that the directive can be effectively implemented in a revised format, including by having CERT-In open a detailed technical consultation for public reply.