India’s infosec reporting rules observed by just 15 orgs • The Register

India's absurd infosec reporting rules get just 15 followers
3 comment bubble on white
CERT-In was told its six-hour notification requirement was a bad idea – now it knows just how bad
iconSimon Sharwood
Wed 22 Mar 2023 // 03:30 UTC
India's rules requiring local organizations to report infosec incidents within six hours of detection have been observed by a mere 15 entities/

India's Computer Emergency Response team (CERT-In) revealed that low, low, level of compliance in response to a Right to Information (RTI) request filed by Indian tech news outlet MediaNama, which reported the news on Tuesday.

The rules requiring six-hour disclosure were announced without warning in April 2022, and justified by CERT-In as necessary to fill gaps in its understanding of the threats facing local organizations.

Analysts quickly pointed out that requiring organizations to report an incident just six hours after detecting it would likely lead to poor-quality reports being filed. The rules also used unhelpfully vague wording – such as "Unauthorized access of IT systems/data" – to describe reportable incidents, leaving Indian organizations unsure of what they were required to report.

CERT-In also dodged questions – The Register has received no response to multiple inquiries – regarding how it would ingest and analyze the flood of reports its rules would generate, and therefore how they would represent useful intelligence. The revelation that the CERT would accept faxed reports further complicated its ingestion and analysis task, as well as magnifying its absurdity.

International criticism of the scheme followed, as multinational entities complained the rules required them to store more data in India. Many also pointed out that six-hour reporting was vastly shorter than the global norm of 72 hours.

Cloud providers also pushed back, as the rules required them to submit logs generated by their customers' servers.

Indian companies, meanwhile, objected to the 60-day deadline for compliance with the law.

Some of the criticism hit home: India delayed the deadline for compliance, at least for small and medium businesses.

India set to extend deadline for absurd infosec reporting requirements
Global tech industry objects to India’s new infosec reporting regime
Big win for Big Tech as Indian IT minister signals reversal of data sovereignty plan
Indian government signals changes to infosec rules after industry consultation
MediaNama also found an answer to a parliamentary question about the number of cyberattacks detected in India during 2021 and 2022: around 1.4 million attacks were recorded in each year. It's likely that in 2022, at least half occurred after CERT-In's reporting requirements came into effect for some organizations.

While the parliamentary answer doesn't reveal how many entities suffered the reported attacks, 15 entities reporting within the six-hour deadline surely represents a tiny proportion of those required to observe the reporting rules.

Clearly, the rules aren't working.

India's government has declared the nation is now in a "techade" – during which information technology will supercharge the economy, improve government services, and make India a tech export superpower.

Maybe it will achieve those goals. But CERT-In clearly has as much work to do as anyone in pursuit of them. ®