India’s new directive that makes it mandatory to report cyber attack incidents within six hours and store users’ logs for 5 years will make it difficult for companies to do business in the country, 11 international bodies that have tech giants such as Google, Facebook and HP as members said in a joint letter to the government. The letter, written by 11 organizations that mainly represent technology companies based in the US, Europe and Asia, was sent to Indian Computer Emergency Response Team (CERT-In) Director General Sanjay Behl.
The international bodies have expressed concern that the directive, as written, would have a detrimental effect on cyber security for organizations that operate in India and create a disjointed approach to cyber security across jurisdictions, undermining the security position of India and its allies in the Quad countries, Europe and beyond.
“The difficult nature of the requirements may also make it difficult for companies to do business in India,” the letter said.
The global bodies that have jointly expressed concern include the Information Technology Industry Council (ITI), Asia Securities Industry and Financial Markets Association (ASIFMA), Bank Policy Institute, BSA – Software Alliance, Coalition for Reducing Cyber Risk (CR2), Cyber Security Alliance, Digital Europe, TechUK, US Chamber of Commerce, US-India Business Council and US-India Strategic Partnership Forum.
The new directive, issued on April 28, mandates companies to report any cyber breach to CERT-In within six hours of noticing it.
It mandates that data centers, virtual private server (VPS) providers, cloud service providers and virtual private network (VPN) service providers validate the names of the customers hiring their services, the duration of hiring, the ownership patterns of customers, etc., and maintain the records for a period of 5 years or more, as mandated by law.
As per the directive, IT companies are required to maintain all information received as part of Know Your Customer (KYC) and records of financial transactions for a period of five years to ensure cyber security in the area of payments and financial markets for citizens.
International bodies have raised concerns over the 6-hour time limit provided for cyber incident reporting and demanded that it be increased to 72 hours.
“CERT-In has not provided any rationale as to why the 6-hour timeline is necessary, nor is it in line with or aligned with global standards. Such timelines are unnecessarily brief and inject additional complexity at a time when institutions are more appropriately focused on the daunting task of understanding, responding to and redressing a cyber incident,” the letter said.
It said that in the case of a six-hour mandate, the entities would likely not have sufficient information to make a reasonable determination as to whether a cyber incident actually occurred that would warrant triggering the notification.
The international bodies stated that their member companies operate advanced security infrastructure with high-quality internal incident management processes, which will yield a more efficient and agile response than a government directive about a third-party system with which CERT-In is not familiar.
The joint letter states that the current definition of reportable incidents is far too broad, as it includes activities such as investigation and scanning, and investigations and scans are everyday occurrences.
It said that the clarification issued by CERT-In on the directive mentions that logs are not required to be stored in India, but the directive itself does not say so.
“Even if this change is made, however, we do have concerns about certain types of log data that need to be submitted upon request to the Government of India, as some of it is sensitive and, if accessed, may create new security risks by providing insight into the security posture of an organization,” the letter said.
The joint letter said that Internet service providers generally collect customer information, but it is cumbersome and difficult to pass on these obligations to VPS providers, CSPs and VPN providers.
“The data center provider does not assign IP addresses. It would be a tedious task for the data center provider to collect and record all the IP addresses assigned by ISPs to their customers. This can be an almost impossible task when the IP addresses are dynamically assigned,” the letter said.
The global bodies said storing data locally for the life cycle of the customer and five years thereafter would require storage and security resources, the cost of which would have to be passed on to the customer, who has not specifically asked for this data to be stored after the termination of their service.
“We share the government’s goal to improve cyber security. However, we remain concerned about the CERT-In directive, despite the release of a recent FAQ document aimed at clarifying the directive. Because the FAQ is not a legal document, it does not grant the legal certainty companies need to conduct everyday business,” said Courtney Lang, senior director of policy at ITI.
Lang added that the FAQs issued by CERT-In do not address the problematic provisions, including the six-hour reporting timeline.
“We continue to urge CERT-In to pause the implementation of the directive and open a stakeholder consultation to fully address the concerns expressed in the letter,” Lang said.