Global tech bodies say new cyber security rule will make it harder to do business in India

New Delhi: India’s new directive, which makes it mandatory to report cyber incidents within six hours and to store user logs for five years, will make it difficult for companies to do business in the country, 11 international industry bodies whose members include tech giants such as Google, Facebook and HP have said in a joint letter to the government.

The joint letter, written by 11 organizations that mainly represent technology companies based in the US, Europe and Asia, was sent on May 26 to Sanjay Behl, director general of the Indian Computer Emergency Response Team (CERT-In).

The international bodies expressed concern that the directive, as written, will have detrimental effects on cyber security for organizations operating in India, undermine the security posture of India and its allies, and create a disjointed approach to cyber security across jurisdictions in the Quad countries, Europe and beyond.

“The difficult nature of the requirements may also make it difficult for companies to do business in India,” the letter said.

The global bodies that have jointly expressed concern are the Information Technology Industry Council (ITI), Asia Securities Industry and Financial Markets Association (ASIFMA), Bank Policy Institute, BSA – The Software Alliance, Coalition for Reducing Cyber Risk (CR2), Cyber Security Alliance, Digital Europe, TechUK, US Chamber of Commerce, US-India Business Council and US-India Strategic Partnership Forum.

The new directive, issued on April 28, mandates that companies report any cyber incident to CERT-In within six hours of noticing it or being notified of it.

It makes it mandatory for data centres, virtual private server (VPS) providers, cloud service providers and virtual private network (VPN) service providers to validate and maintain details of their customers, such as their names, the period of hire and their ownership pattern, and to keep those records for five years or longer where the law so mandates.

As per the directive, companies are also required to maintain records of all information obtained as part of Know Your Customer (KYC) checks, and of financial transactions, for a period of five years, so as to ensure cyber security in the area of payments and financial markets for citizens.

The international bodies raised concerns over the six-hour time limit for cyber incident reporting and demanded that it be extended to 72 hours.

“CERT-In has not provided any rationale as to why the 6-hour timeline is necessary, nor is it in line with or aligned with global standards. Such timelines are unnecessarily brief and inject additional complexity at a time when institutions are more appropriately focused on the daunting task of understanding, responding to and redressing a cyber incident,” the letter said.

It said that under a six-hour mandate, entities would likely not have sufficient information to make a reasonable determination as to whether a cyber incident that warrants notification had actually occurred.

The international bodies stated that their member companies operate advanced security infrastructure with high-quality internal incident management processes, which yield a more efficient and agile response than a government-directed mandate concerning third-party systems with which CERT-In is not familiar.

The joint letter states that the current definition of reportable incidents is too broad, as it includes activities such as probing and scanning, which are everyday occurrences.

It said that the clarification subsequently issued by CERT-In states that logs need not be stored in India, but the directive itself does not say so.

“Even if this change is made, however, we do have concerns about certain types of log data that need to be submitted upon request to the Government of India, as some of it is sensitive and, if accessed, may create new security risks by providing insight into the security posture of an organization,” the letter said.

The joint letter said that Internet service providers generally collect customer information, but that it is cumbersome and difficult to pass these obligations on to VPS providers, cloud service providers and VPN providers.

“The data center provider does not assign IP addresses. It will be a tedious task for the data center provider to collect and record all the IP addresses assigned by ISPs to their customers. This can be an almost impossible task when the IP addresses are dynamically assigned,” the letter said.

The global bodies said that storing data locally for the life cycle of the customer and for five years thereafter would require storage and security resources, the cost of which would have to be passed on to customers, who have not asked for this data to be stored after the termination of their service.

“We share the government’s goal to improve cyber security. However, we remain concerned about the CERT-In directive, despite the release of a recent FAQ document aimed at clarifying the directive, because the FAQ is not a legal document and does not grant the legal certainty companies need to conduct everyday business,” said Courtney Lang, senior director of policy at ITI.

Lang added that the FAQs issued by CERT-In do not address the problematic provisions, including the six-hour reporting timeline.

“We urge CERT-In to halt the implementation of the directive and open a stakeholder consultation to fully address the concerns expressed in the letter,” Lang said.
