Google, Big Tech Say New Cyber Security Rule to Make Doing Business in India Tougher

A new directive in India that mandates reporting cyber attack incidents within six hours and storing user records for five years will make it more difficult for companies to do business in the country, 11 international industry bodies whose members include tech giants such as Google, Facebook and HP have said in a joint letter to the government. The joint letter, written by 11 organizations representing mainly technology companies based in the US, Europe and Asia, was sent to Sanjay Bahl, Director General of India’s Computer Emergency Response Team (CERT-In), on May 26.

The international bodies expressed concern that the directive, as written, will have a detrimental effect on the cybersecurity of organizations operating in India and create a fragmented approach to cybersecurity across jurisdictions, undermining the security posture of India, its Quad partner countries, Europe and beyond.

“The onerous nature of the requirements may make it difficult for companies to do business in India,” the letter said.

The global bodies that jointly expressed these concerns are the Information Technology Industry Council (ITI), the Asia Securities Industry and Financial Markets Association (ASIFMA), the Bank Policy Institute, BSA – The Software Alliance, the Coalition to Reduce Cyber Risk (CR2), the Cybersecurity Coalition, Digital Europe, techUK, the US Chamber of Commerce, the US-India Business Council and the US-India Strategic Partnership Forum.

The new directive, issued on April 28, requires companies to report a cyber breach to CERT-In within six hours of noticing it.

It requires data centers, Virtual Private Server (VPS) providers, cloud service providers and Virtual Private Network (VPN) service providers to validate the names of subscribers and customers renting their services, the period of hire, the ownership pattern of the subscribers and so on, and to maintain these records for five years or for longer where required by law.

Under the directive, IT companies must also keep all information obtained as part of the Know Your Customer (KYC) process, together with records of financial transactions, for a period of five years, with the stated aim of ensuring cybersecurity in the area of payments and financial markets for citizens.

The international bodies expressed concern about the six-hour timeline for reporting cyber incidents and called for it to be extended to 72 hours.

“CERT-In has not provided any rationale for the necessity of the 6-hour timeline, nor is it proportionate or compatible with global standards. Such a timeline is unnecessarily brief and adds more complexity at a time when entities are focused on the challenging task of understanding, responding to and addressing a cyber incident.”

The letter said that under a six-hour mandate, entities were unlikely to have enough information to make a reasonable determination as to whether a cyber incident had actually occurred that would warrant a notification.

The international bodies said their member companies run advanced security infrastructures with mature internal incident management procedures, which are likely to produce more efficient and agile responses than government-directed instructions concerning third-party systems with which CERT-In is not familiar.

The joint letter said the current definition of reportable incidents, which includes activities such as probing and scanning, is too broad, given that probes and scans happen daily.

The letter said that CERT-In’s clarification of the directive stated that logs need not be stored in India, but that the directive itself does not say so.

“Even if this change is made, however, we have concerns about some types of log data that must be provided to the Indian government on request, as some of them are sensitive and, if accessed, could create new security risks by providing insight into an organization’s security posture,” the letter stated.

The joint letter stated that ISPs typically collect customer information, but that extending these obligations to VPS, cloud and VPN providers is onerous and cumbersome.

“The data center provider does not assign IP addresses. It will be a tedious task for the data center provider to collect and record all IP addresses assigned to their clients by ISPs. This can be a nearly impossible task when IP addresses are assigned dynamically,” the letter said.

The global bodies said that storing data locally for the lifetime of the customer relationship and then for a further five years would require storage and security resources, and that those costs would have to be passed on to customers, who did not ask for such data to be stored after the end of their service.

“We share the government’s goal of improving cybersecurity. However, we remain concerned about the CERT-In directive, despite the recent release of a FAQ document that aims to clarify the directive. Since the FAQ is not a legal document, it does not give companies the legal certainty required to do day-to-day business,” said ITI’s Senior Director of Policy, Courtney Lang.

Additionally, the CERT-In FAQ does not address the problematic provisions, including the six-hour reporting timeline, Lang said.

“We continue to urge the Computer Emergency Response Team to temporarily suspend implementation of the directive and open consultations with stakeholders to fully address the concerns contained in the letter,” Lang said.
