HIGHLIGHTS
1. Eleven organisations have voiced their dissatisfaction with CERT-In's directive.
2. CERT-In has made it mandatory to report cyberattacks within six hours.
3. The organisations claim that the directive will make doing business in India more difficult.

In a joint letter to the government, 11 international bodies whose members include tech giants such as Google, Facebook, and HP said that India's new directive, which mandates reporting of cyberattack incidents within six hours and storing users' logs for five years, will make it difficult for companies to do business in the country.

On May 26, the joint letter was sent to Indian Computer Emergency Response Team (CERT-In) director general Sanjay Bahl by 11 organisations that primarily represent technology companies based in the United States, Europe, and Asia.

The organisations have expressed concern that the directive, as written, will have a negative impact on cybersecurity for Indian businesses and create a fragmented approach to cyber security across jurisdictions, jeopardising the security posture of India and its allies in the Quad countries, Europe, and beyond.

"The onerous nature of the requirements may also make doing business in India more difficult for companies," the letter stated.

The signatories are the Information Technology Industry Council (ITI), Asia Securities Industry & Financial Markets Association (ASIFMA), Bank Policy Institute, BSA - The Software Alliance, Coalition to Reduce Cyber Risk (CR2), Cybersecurity Coalition, Digital Europe, techUK, US Chamber of Commerce, US-India Business Council, and US-India Strategic Partnership Forum.

Under the new directive, issued on April 28, companies must report any cyber breach to CERT-In within six hours of becoming aware of it.
The directive requires data centres, virtual private server (VPS) providers, cloud service providers, and virtual private network (VPN) service providers to validate the names of subscribers and customers who hire services, the period of hiring, and the subscribers' ownership patterns, and to keep these records for five years or longer, as required by law. To ensure cyber security in the area of payments and financial markets for citizens, IT companies must keep all information obtained as part of Know-Your-Customer (KYC) checks and records of financial transactions for five years, according to the directive.

The international organisations have expressed concern about the six-hour deadline for reporting cyber incidents and have demanded that it be extended to 72 hours.

"CERT-In has provided no justification for the 6-hour timeline, nor has it been proportioned or aligned with global standards. Such a timeline is unnecessarily short and adds to the complexity at a time when organisations should be concentrating on the difficult task of understanding, responding to, and remediating a cyber incident," the letter said.

It added that, under a six-hour deadline, entities would be unlikely to have enough information to make a reasonable determination of whether a cyber incident has occurred, which is what triggers the notification.

The international organisations claim that their member companies have advanced security infrastructures and high-quality internal incident management procedures, which will result in more efficient and agile responses than a government-directed instruction for a third-party system with which CERT-In is unfamiliar.

The current definition of reportable incidents, which includes activities such as probing and scanning, is far too broad, according to the joint letter, given that probes and scans are commonplace.
The letter notes that CERT-In's clarification to the directive states that logs are not required to be stored in India, but that this is not stated in the directive itself.

"Even if this change is made, we have concerns about some of the types of log data that the Indian government is requiring to be provided upon request, as some of it is sensitive and, if accessed, could create new security risks by providing insight into an organization's security posture," the letter stated.

Internet service providers routinely collect customer information, according to the joint letter, but extending these obligations to VPS providers, cloud service providers, and VPN providers is burdensome and onerous.

"IP addresses are not assigned by data centre providers. Collecting and recording all IP addresses assigned to customers by ISPs will be a difficult task for the data centre provider. When IP addresses are assigned dynamically, this could be a near-impossible task," the letter said.

According to the global bodies, storing the data locally for the customer's life cycle and then for a further five years will require storage and security resources, the costs of which must be passed on to the customer, who has not specifically requested that this data be retained after their service is terminated.

We agree with the government's goal of enhancing cyber security. Despite the recent release of a FAQ document intended to clarify the directive, we remain concerned about the CERT-In directive. "Because the FAQ is not a legal document, it does not provide companies with the legal certainty required to conduct everyday business," ITI senior director of policy Courtney Lang said.

Furthermore, according to Lang, the CERT-In FAQ does not address problematic provisions such as the six-hour reporting deadline.
"We continue to urge CERT-In to put the directive on hold and hold a stakeholder meeting to fully address the concerns raised in the letter," Lang said.

According to the companies, the new directive will have a negative impact on cyber security for Indian businesses.
Google and Big Tech Say New Cyber Security Rule Will Make Doing Business in India Tougher
May 28, 2022