India’s CERT Requires Fast Reporting of Cyber Incidents
New guidelines from India’s Computer Emergency Response Team (CERT-In) require companies, data centers, service providers, and government agencies to report cyber incidents within six hours of detection. The covered organizations will also be required to maintain ICT system logs for a rolling period of 180 days and be prepared to submit them to CERT-In if requested. The new requirements take effect in late June.
There are a lot of flaws in this one. Simple example: “targeted” scanning/probing of networks is included in the incidents that need to be reported, which means a flood of incident reports of low value. Reporting in six hours is obviously a tough requirement, but the CERT-In reporting form has a lot of free-form text and FAX is OK for submission! So, reams of data flowing in but analysis can’t keep up – no increase in security. Large libraries of unread books do not make us smarter.
This regulation appears to be overly ambitious, and the author lacks the basic competence required to draft such a regulation. The broad definition of reportable incidents and the short reporting deadline will lead to a flood of meaningless reports. Requiring long log retention times without specifying what to log will incentivize organizations to enable less verbose logs. You will end up with more but less meaningful logs.
The timeline is short: 60 days. Twenty incident types are listed with a six-hour reporting window, along with requirements to use their specified NTP service. While having a consistent time source is critical for correlation and aggregation, and you should make sure you're using a reliable NTP source, simply requiring use of a known authoritative service would be preferable to limiting the country to a single choice. The big tasks will be getting clarification of all the reporting requirements as well as establishing the communication channels and relationships needed. The reporting window is unusually small; GDPR uses 72 hours and the US is asking for 24 hours. Irrespective of the window size, make sure you know what needs reporting and how.
It seems like a very grand plan, with very few specific details, set to be rolled out within the next 60 days. I don’t think this is realistic, and to say it’s ambitious is an understatement. Specifically, just attempting to retain 180 days’ worth of logs will be difficult with all the supply chain shortages. Considering that a single firewall in a decent-sized enterprise will create several gigabytes of daily logs, I can’t imagine how many potential terabytes of records will be required to be retained from here on out in one of the most densely populated countries in the world. The other issue is what would constitute both an incident and detection. If companies decide to report to comply, CERT-In could potentially be seeing a large percentage of reported detections of false-positive or low-priority events. How would CERT-In triage a large influx of reports? Instead of systematically bringing up the regulations, CERT-In wants to collect as much data as possible and sort it out later. We know that this doesn’t typically end well. Maybe it would be ideal to buy storage now, ahead of the rush?