back to article Industry pushes back against India's data security breach reporting requirements

Opposition is building to India's recently introduced rules on reporting computer security breaches, which have come under fire for being impractical, ineffective, and impinging on privacy. The rules were introduced without fanfare in late April by CERT-In, the nation's government-run computer emergency response team that has …

  1. Neil Barnes Silver badge

    Responding at 4am may not be effective...

    Perhaps if enough execs lose sleep over it, they might try further hardening the systems against such abuse?

    1. Mike 137 Silver badge

      Re: Responding at 4am may not be effective...

      "if enough execs lose sleep over it"

      They probably won't. The IT department will most likely be guided 'unofficially' towards delaying discovery.

      However 6 hours is objectively much to short. The actual process of discovery (including confirmation with reasonable confidence of being right) can take days at least. Even the general 72 hour rule has apparently caused massive over-notification of trivial incidents in the UK (reported by the ICO). The deadline can be reached before anyone on site really knows what happened yet, leading to vague or inaccurate notifications or mis-assessment of the significance of events.

      Considering that the time between data breaches occurring and their discovery is commonly still in the order of 100s of days, both limits seem a bit disproportionate.

      1. Anonymous Coward
        Anonymous Coward

        Re: Responding at 4am may not be effective...

        I work in the NHS. We report confirmed breaches or those we cannot quickly confirm to the ICO within 72 hours as the alternative is the ICO criticising us for being slow, not taking out responsibilities seriously enough etc.

        This just increases our workload and theirs, they are chronically slow to respond now compared to 2017 and before. They don't have the capacity to manage, yet their own guidelines mean we have little option but to do so.

        We have no issue logging these incidents or suspected incidents though, but the quality of the follow up investigations is dire and our own internal processes tend to be far more rigorous.

        Health services get a lot of stick for reporting the most incidents, but that's just the culture within the NHS - best to report and learn (especially medical mistakes, dosing errors etc) than to ignore and cause harm. The same cannot be said for any other area of the public or private sector. It will always be high because we are more cautious.

        1. Cynical Pie

          Re: Responding at 4am may not be effective...

          You also forget reporting of incidents is a mandatory part of the DSPT for NHS organisations and was for its previous iterations under the IG Toolkit.

          That's one reason why the NHS has always looked bad from a data security standpoint, they were the only organisation (and I use that collectively for all parts of the NHS) that was required to report its breaches.

          In terms of the 72 hr reporting requirement the ICO take quite a pragmatic view in my experience and are happy as long as a basic notification if filed within 72 hrs and you can then update it after the window with more details.

  2. Anonymous Coward
    Anonymous Coward

    nice CERT you've got there...

    ...would be a tragedy if it got DOSd by people strictly following your own rules!

    1. LDS Silver badge

      Re: nice CERT you've got there...

      Let's start to port-scan Indian IPs...

      Anyway this looks like the common attempt to sneak-in tracking activities (i.e. the VPN user tracking...) trying to hide them inside "needed cybersecurity practices"

  3. Andy The Hat Silver badge

    I love coincedences

    It has to be a coincedence that just as the UK have been talking to the Indians and "negotiating" new deals the Indians come out with something similarly convoluted to the UK's right to snoop laws ... "These 500 clauses mean we guarantee protection against misuse of individual's data, we guarantee the privacy of individual's data ... oh and clause 437.1.1.2.b subsection Q just allows us to legally snoop, slurp, store and track all your data without just cause or a warrant, share it with who we like and do it all with no oversight or legal comeback (apart from the threat of being sent a stern memo for being naughty every year by a Government appointed Data Overseer)"

  4. VoiceOfTruth Silver badge

    Best practice

    -> not aligned with global best practice of 72-hour reporting

    Can anyone tell me where this is written in stone? If my bank is hacked why is 72 hours the best practice?

    1. Persona Silver badge
      Coat

      Re: Best practice

      NOUN

      commercial or professional procedures that are accepted or prescribed as being correct or most effective.

      Based on this definition, best practice for banks would appear to be not to report anything.

    2. Michael Wojcik Silver badge

      Re: Best practice

      It's not "written in stone". It's a best practice, not a standard or law.

      It's best practice because it takes time to assess whether a portscan or DoS or other event is actually a breach, much less one of any significance. As it is, as someone mentioned upthread, even after 72 hours we get a lot of noise with insignificant events being reported. Scans, DoSes, and other automated attacks happen all the time. Reporting all of those makes it impossible to separate the wheat from the chaff; it's worse than not reporting at all.

      "my bank is hacked" is a meaningless phrase. It has no technical meaning. What matters are breaches and damage done, what's known and suspected and with what probability, what risks are present, what contingency plans are in place -- technical specifics. Your bank is "hacked", for some meaning of the term, every day, probably every hour. Everything on the public Internet is, to a first approximation. The public Internet itself is, with invalid BGP routing advertisements and the like (which number in the thousands per day).

      It's a harsh world. Panicking at every little thing does not help.

  5. Anonymous Coward
    Thumb Up

    Better more than less

    I have severe doubts that CERT-In will be able to handle the load. I suspect they have limited software in place to act on the data. And I don't know how useful they will be in assisting with successful hacks.

    But, quicker reports of hacking attempts, successful and unsuccessful, are objectively a good thing.

    Ideally, given good software and processing power, this could lead to warnings like 'DDOS attacks are targeting freight companies in New Dehli' which would alert those who have not been hit and assure those who have that they were not individually targeted.

    In successful hacks, this could lead to quicker actions instead of postmortems.

    And as a consumer I definitely want to know if a company I do business with was hacked well before the company figures the hack out and starts the PR process.

    Besides, if the tech behemoths are against it, it's probably an idea with some merit.

    1. Michael Wojcik Silver badge

      Re: Better more than less

      But, quicker reports of hacking attempts, successful and unsuccessful, are objectively a good thing.

      I'm afraid that's simply incorrect. Faster and more voluminous reporting of attacks is not an absolute good.

      For reporting to be of any use whatsoever, it has to be limited as much as possible, to a high probability, to events of interest. The vast majority of "hacking attempts" under any reasonable definition (as I noted above, phrases like "hacking attempts" are largely meaningless, but let's pretend they correspond to some useful concept) should most definitely not be reported. If we insist on reporting them, companies might as well run a client that just sends a continual stream of reports to the observer; that would be equivalent and more efficient.

  6. Kev99 Silver badge

    To me it just seems the industry doesn't give a rat's rear about security, confidentiality, or protection of data. They're more concerned about cheap product, massive profits and keeping the stockmarket, and their back pockets, happy.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like