According to the corporations, the new directive will have a negative impact on cyber security for Indian businesses.
In a joint letter to the government, 11 international bodies with tech giants like Google, Facebook, and HP as members said that India’s new directive, which mandates reporting of cyberattack incidents within six hours and storing users’ logs for five years, will make it difficult for companies to do business in the country.
On May 26, a joint letter was issued to Indian Computer Emergency Response Team (CERT-In) director general Sanjay Bahl by 11 organisations that primarily represent technology corporations situated in the United States, Europe, and Asia.
International organisations have expressed concern that the directive, as written, will have a negative impact on cybersecurity for Indian businesses and create a fragmented approach to cyber security across jurisdictions, jeopardising India’s and its allies’ security posture in the Quad countries, Europe, and beyond.
“The onerous nature of the standards may also make doing business in India more challenging for firms,” the letter stated.
Information Technology Industry Council (ITI), Asia Securities Industry & Financial Markets Association (ASIFMA), Bank Policy Institute, BSA – The Software Alliance, Coalition to Reduce Cyber Risk (CR2), Cybersecurity Coalition, Digital Europe, techUK, US Chamber of Commerce, US-India Business Council, and US-India Strategic Partnership Forum are among the international organisations that have expressed concern.
Under the directive, released on April 28, companies must report any cyber incident to CERT-In within six hours of becoming aware of it.
It requires data centres, virtual private server (VPS) providers, cloud service providers, and virtual private network (VPN) service providers to validate the names of subscribers and customers who hire services, as well as the period of hiring, the subscribers’ ownership patterns, and to keep records for a period of five years or longer, as required by law.
To protect citizens in the area of payments and financial markets, the directive also requires IT organisations to retain all information collected as part of Know-Your-Customer (KYC) processes, along with records of financial transactions, for five years.
International organisations have expressed worry about the 6-hour deadline for reporting cyber incidents and have urged that it be increased to 72 hours.
“CERT-In has presented no justification for the 6-hour timeline, nor has it been proportioned or linked with global standards. Such a schedule is unreasonably short and adds to the complexity at a time when organisations should be concentrating on the tough process of comprehending, responding to, and remediating a cyber incident,” the letter stated.
It added that, within a six-hour window, organisations would be unlikely to have enough information to make a reasonable determination of whether a reportable cyber incident has actually occurred, which is what triggers the notification in the first place.
The international organisations argue that their member companies already operate mature security infrastructures and well-tested internal incident management procedures, and that these will produce faster and more flexible responses than instructions issued by a government body for a third-party system with which CERT-In is unfamiliar.
The existing definition of reportable incidents, which includes operations like probing and scanning, is far too wide, according to the joint letter, considering that probes and scans are commonplace.
It notes that CERT-In’s subsequent clarification of the directive states that logs are not required to be stored in India, but that this is not stated in the directive itself.
“Even if this change is made, we have concerns about some of the types of log data that the Indian government is requiring to be provided upon request, as some of it is sensitive and, if accessed, could create new security risks by providing insight into an organization’s security posture,” the letter stated.
Internet service providers already routinely collect subscriber information, the joint letter notes, but extending similar requirements to VPS providers, cloud service providers, and VPN providers is costly and onerous.
“IP addresses are not assigned by data centre providers. Collecting and recording all IP addresses allocated to clients by ISPs will be a difficult process for the data centre provider. When IP addresses are issued dynamically, this could be a near-impossible process,” the letter stated.
The global bodies further argue that storing this data locally for the lifetime of the customer relationship, and then for another five years after it ends, will require additional storage and security resources, the cost of which will have to be passed on to customers who never asked for their data to be retained after terminating the service.
“We agree with the government’s goal of enhancing cyber security. Despite the recent release of a FAQs document intended to clarify the directive, we remain concerned about the CERT-In directive because the FAQ is not a legal document and does not provide companies with the legal certainty required to conduct everyday business,” said Courtney Lang, ITI’s senior director of policy.
Furthermore, according to Lang, the CERT-In FAQ does not address problematic requirements, such as the six-hour reporting deadline.
“We continue to encourage CERT-In to put the directive on hold and host a stakeholder meeting to thoroughly address the issues raised in the letter,” Lang added.