India to require cybersecurity incident reporting within six hours

The Indian government has issued new directives requiring organizations to report cybersecurity incidents to CERT-IN within six hours, even if those incidents are port or vulnerability scans of computer systems.

This requirement was promoted by India's Computer Emergency Response Team (CERT-In), who states it has identified specific gaps causing difficulties in security incident analysis and response, and to address them, it needs to impose more aggressive measures.

These measures and various other provisions were published via a notice yesterday and were integrated into section 70B of the Information Technology (IT) Act, 2000, so they are part of the Indian law, entering into force in 60 days.

Instant notice about incidents

The most notable new requirement is that any internet service provider, intermediary, data center, or government organization, shall report these incidents to CERT-In within six hours of noticing them.

The same applies to incidents reported to these entities by third parties, so these service providers must ensure that incoming tips aren’t lost or ignored but timely processed and evaluated.

The types of cybersecurity incidents that will have to be reported to CERT-In are the following:

• Targeted scanning/probing of critical networks/systems
• Compromise of critical systems/information
• Unauthorized access to IT systems/data
• Defacement of website or intrusion into a website and unauthorized changes such as inserting malicious code links to external websites, etc.
• Malicious code attacks such as the spreading of viruses/worm/trojan/bots/ spyware/ransomware/cryptominers
• Attack on servers such as database, mail, and DNS and network devices such as Routers
• Identity Theft, spoofing, and phishing attacks
• Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
• Attacks on Critical infrastructure, SCADA and operational technology systems, and Wireless networks
• Attacks on applications such as E-Governance, E-Commerce, etc.
• Data Breach
• Data Leak
• Attacks on Internet of Things (IoT) devices and associated systems, networks, software, servers
• Attacks or incidents affecting Digital Payment systems
• Attacks through Malicious mobile Apps
• Fake mobile Apps
• Unauthorized access to social media accounts
• Attacks or malicious/ suspicious activities affecting cloud computing systems/servers/software/applications
• Attacks or malicious/suspicious activities affecting systems/ servers/ networks/ software/ applications related to Big Data, Blockchain, virtual assets, virtual asset exchanges, custodian wallets, robotics, 3D and 4D Printing, additive manufacturing, and drones

For proper coordination, all of the entities mentioned above will be required to connect to the NTP server of the National Informatics Center (NIC) or that of the National Physical Laboratory (NPL) and synchronize their system clocks with them.

Finally, all system logs of the aforementioned service providers must be maintained securely within Indian jurisdiction for a rolling period of 180 days and shall be provided to CERT-In along with any security incident reports or when requested by the agency.

Retaining user data

The new guidelines also include a section on VPS (virtual private server) and VPN (virtual private network) service providers, who will now be obliged to maintain a record of their users.

The data acquisition period stretches for five years after the cancellation or withdrawal of the user registration, or even longer if future regulations mandate so.

The data that will be maintained includes the following:

• Validated names of subscribers/customers hiring the services
• Period of hire, including dates
• IPs allotted to / being used by the members
• Email address and IP address, and time stamp used at the time of registration / on-boarding
• The purpose for engaging the services
• Validated address and contact numbers
• Ownership pattern of the subscribers/customers leasing services 

The same will apply to virtual asset (cryptocurrency) service providers, including exchanges and wallet management services, who will now retain customer details for at least five years.

Bleeping Computer discussed the potential impact of these new requirements with Beenu Arora, the founder of Cyble, a cyber-intelligence firm with a strong presence in India, and he expects a challenging implementation.

While the government's intent is noteworthy, complying with this directive will not be an easy task as it will require organizations to appoint additional staff and devote significant management time to meet the reporting requirements.

The industry is already grappling with a massive shortage of skilled cyber security professionals, and considering that a typical organization experiences several cyber-attacks daily, reporting each of these attacks to CERT-IN in a prescribed format could pose an operational challenge.

An automated incident reporting platform that allows individual organizations to submit their incident reports seamlessly to CERT-IN could help in ensuring more effective implementation. - Beenu Arora

India to require cybersecurity incident reporting within six hours