Cert-In’s directives on reporting cybersecurity incident lack clarity: software policy group BSA

New Delhi/Chennai: The Indian Computer Emergency Response Team (Cert-In)’s directive to report a cybersecurity incident within six hours of becoming aware of it, the lack of clarity on what constitutes a severe or large-scale incident, and other directives could potentially “undermine incident investigation and response, including the deployment of defensive measures”, software policy group BSA has said.

“We recommend that the directions ask to provide an initial report of high-impact or severe cyber incidents as soon as practicable or within 72 hours of the confirmation of an incident, whichever is faster,” Venkatesh Krishnamoorthy, Country Manager India of BSA, The Software Alliance said.

Tech policy and business advocacy groups such as the US India Business Council, the Cybersecurity Coalition, the US Chamber of Commerce, the Bank Policy Institute, the Internet and Mobile Association of India, AccessNow and SFLC.in, among others, have also written to the Ministry of Electronics and Information Technology as well as Cert-In, contesting that guidelines such as the retention of customer details for five years by VPN service providers would “put people’s privacy at risk”.

“They expand the scope of mass surveillance, contravene globally recognised principles of necessity and proportionality, and data minimisation, and ultimately weaken cybersecurity. They effectively create new cybersecurity vulnerabilities in the form of databases of retained data that can be exploited by malicious actors,” AccessNow had said in its June 1 letter to Cert-In.

On April 28, Cert-In had issued a set of guidelines for all companies, intermediaries, data centres and government organisations, mandating that any data breach must be reported to the government within six hours of the organisation becoming aware of it.

These guidelines had also mandated that virtual private network (VPN) service providers shall maintain all the information they had gathered as part of know-your-customer norms and hand it over to the government when asked for it.

On May 18, the Ministry of Electronics and Information Technology published a set of frequently asked questions (FAQ) on the Cert-In guidelines, in which it clarified certain aspects of how the six-hour norm would work, along with what details the VPN service providers would have to keep for a period of five years.

Indicating the government’s tough stand on the issue, Minister of State for Information Technology Rajeev Chandrasekhar had then said that VPN service providers which did not want to adhere to the latest cybersecurity guidelines issued by Cert-In were “free to leave India”.
