Global tech industry body seeks revision in India's directive on cyber security breaches

ITI said that the provisions under the new mandate may adversely impact organisations and undermine cyber security in the country.

Published: 07th May 2022 06:31 PM  |   Last Updated: 07th May 2022 06:31 PM   |  A+A-

cyber security

Image used for representational purpose only.


NEW DELHI: US-based technology industry body ITI, having global tech firms such as Google, Facebook, IBM and Cisco as its members, has sought a revision in the Indian government's directive on reporting of cyber security breach incidents.

ITI said that the provisions under the new mandate may adversely impact organisations and undermine cyber security in the country.

ITI country manager for India Kumar Deep, in a letter to CERT-In chief Sanjay Bahl dated May 5, has asked for a wider stakeholder consultation with the industry before finalising on the directive.

"The directive has the potential to improve India's cyber security posture if appropriately developed and implemented, however, certain provisions in the bill, including counterproductive incident reporting requirements, may negatively impact Indian and global enterprises and undermine cyber security," Deep said.

Indian Computer Emergency Response Team (CERT-In) on April 28, issued a directive asking all government and private agencies, including internet service providers, social media platforms and data centres, to mandatorily report cyber security breach incidents to it within six hours of noticing them.

The new circular issued by the CERT-In mandates all service providers, intermediaries, data centres, corporates and government organisations to mandatorily enable logs of all their ICT (Information and Communication Technology) systems and maintain them securely for a rolling period of 180 days and the same shall be maintained within the Indian jurisdiction.

ITI has raised concerns over the mandatory reporting of breach incidents within six hours of noticing, to enable logs of all ICT systems and maintain them within Indian jurisdiction for 180 days, the overbroad definition of reportable incidents and the requirement that companies connect to the servers of Indian government entities.

Deep, in the letter, said that the organisations must be given 72 hours to report an incident in line with global best practices and not just six hours.

ITI said that the government's mandate to enable logs of all covered entities' information and communications technology systems, maintain logs "securely for a rolling period of 180 days" within India and make them available to the Indian government upon request is not a best practice.

"It would make such repositories of logged information a target for global threat actors, in addition to requiring significant resources (both human and technical) to implement," Deep said.

ITI also raised concern on the requirement that "all service providers, intermediaries, data centres, body corporate and government organisations shall connect to the NTP servers of Indian labs and other entities for synchronisation of all their ICT systems clocks".

The global body said that the provisions could negatively affect companies' security operations as well as the functionality of their systems, networks and applications.

ITI said that the government's current definition of reportable incident to include activities such as probing and scanning is far too broad given probes and scans are everyday occurrences.

"It would not be useful for companies or CERT-In to spend time gathering, transmitting, receiving and storing such a large volume of insignificant information that arguably will not be followed up on," Deep said.

ITI has asked the government to defer timeline for implementation of the new directive and launch a wider consultation with all stakeholders for its effective implementation.

ITI demanded CERT-In to "revise the directive to address the concerning provisions with regard to incident reporting obligations, including related to the reporting timeline, scope of covered incidents and logging data localisation requirements".


Disclaimer : We respect your thoughts and views! But we need to be judicious while moderating your comments. All the comments will be moderated by the editorial. Abstain from posting comments that are obscene, defamatory or inflammatory, and do not indulge in personal attacks. Try to avoid outside hyperlinks inside the comment. Help us delete comments that do not follow these guidelines.

The views expressed in comments published on are those of the comment writers alone. They do not represent the views or opinions of or its staff, nor do they represent the views or opinions of The New Indian Express Group, or any entity of, or affiliated with, The New Indian Express Group. reserves the right to take any or all comments down at any time.

flipboard facebook twitter whatsapp