Google, Big Tech Say New Cybersecurity Rule to Make Doing Business in India Tougher

The companies say the new directive will have a detrimental impact on cybersecurity for organisations that operate in India.


Highlights
  • Eleven bodies have expressed concerns about CERT-In's directions
  • CERT-In has mandated reporting of cyberattack incidents within six hours
  • The bodies say the directive will make it tough to do business in India

India's new directive, which mandates reporting of cyberattack incidents within six hours and storing users' logs for 5 years, will make it difficult for companies to do business in the country, 11 international bodies that count tech giants like Google, Facebook and HP as members said in a joint letter to the government. The joint letter, written by 11 organisations that mainly represent technology companies based in the US, Europe and Asia, was sent to the Indian Computer Emergency Response Team (CERT-In) director general Sanjay Bahl on May 26.

The international bodies have expressed concern that the directive, as written, will have a detrimental impact on cybersecurity for organisations that operate in India, and create a disjointed approach to cybersecurity across jurisdictions, undermining the security posture of India and its allies in the Quad countries, Europe and beyond.

"The onerous nature of the requirements may also make it more difficult for companies to do business in India," the letter said.

The global bodies that have jointly expressed concern include Information Technology Industry Council (ITI), Asia Securities Industry & Financial Markets Association (ASIFMA), Bank Policy Institute, BSA - The Software Alliance, Coalition to Reduce Cyber Risk (CR2), Cybersecurity Coalition, Digital Europe, techUK, US Chamber of Commerce, US-India Business Council and US-India Strategic Partnership Forum.

The new directive issued on April 28 mandates companies to report any cyber breach to CERT-In within six hours of noticing it.

It mandates data centres, virtual private server (VPS) providers, cloud service providers and virtual private network (VPN) service providers to validate the names of subscribers and customers hiring the services, the period of hiring, the ownership pattern of the subscribers, etc., and maintain the records for a period of 5 years or a longer duration as mandated by the law.

As per the directive, IT companies need to maintain all information obtained as part of Know-Your-Customer (KYC) and records of financial transactions for a period of five years to ensure cybersecurity in the area of payments and financial markets for citizens.

The international bodies have raised concern over the 6-hour timeline provided for cyber incident reporting and demanded that it should be increased to 72 hours.

"CERT-In has not provided any rationale as to why the 6-hour timeline is necessary, nor is it proportionate or aligned with global standards. Such a timeline is unnecessarily brief and injects additional complexity at a time when entities are more appropriately focused on the difficult task of understanding, responding to, and remediating a cyber incident," the letter said.

It said that under the six-hour mandate, entities are also unlikely to have sufficient information to make a reasonable determination of whether a cyber incident has in fact occurred that would warrant the triggering of the notification.

The international bodies said that their member companies operate advanced security infrastructures with high-quality internal incident management procedures, which will yield more efficient and agile responses than a government-directed instruction regarding a third-party system that CERT-In is not familiar with.

The joint letter said that the current definition of reportable incidents, to include activities such as probing and scanning, is far too broad given probes and scans are everyday occurrences.

It said that the clarification CERT-In provided on the directive mentions that logs are not required to be stored in India, but the directive itself does not mention it.

"Even if this change is made, however, we have concerns about some of the types of log data that the Indian government is requiring be furnished upon request, as some of it is sensitive and, if accessed, could create new security risk by providing insight into an organisation's security posture," the letter said.

The joint letter said that internet service providers commonly collect customer information, but extending these obligations to VPS, CSP and VPN providers is burdensome and onerous.

"A data centre provider does not assign IP addresses. It will be an onerous task for the data centre provider to collect and record all IP addresses assigned to their customers by ISPs. This could be a nearly impossible task when IP addresses are dynamically assigned," the letter said.

The global bodies said that storing the data locally for the life cycle of the customer and thereafter for five years will require storage and security resources for which the costs must be passed on to the customer, who notably has not asked for this data to be stored after their service termination.

"We share the government's goal to improve cybersecurity. However, we remain concerned about the CERT-In directive, despite the release of the recent FAQs document intended to clarify the directive, because the FAQ is not a legal document, it does not grant companies with the legal certainty required to conduct everyday business," ITI senior director of policy Courtney Lang said.

Lang added that the FAQ issued by CERT-In does not address problematic provisions, including the six-hour reporting timeline.

"We continue to urge CERT-In to pause implementation of the directive and open a stakeholder consultation to fully address the concerns articulated in the letter," Lang said.

