India's new directive, which mandates reporting of cyberattack incidents within six hours and retention of subscriber and customer records for five years, will make it difficult for companies to do business in the country, 11 international industry bodies whose members include tech giants such as Google, Facebook and HP said in a joint letter to the government.
The joint letter, written by 11 organisations that mainly represent technology companies based in the US, Europe and Asia, was sent to Indian Computer Emergency Response Team (CERT-In) director general Sanjay Bahl on May 26.
The international bodies have expressed concern that the directive, as written, will have a detrimental impact on cyber security for organisations that operate in India and create a disjointed approach to cyber security across jurisdictions, undermining the security posture of India and its allies in the Quad countries, Europe and beyond. "The onerous nature of the requirements may also make it more difficult for companies to do business in India," the letter said.
The global bodies that have jointly expressed concern include the Information Technology Industry Council (ITI), Asia Securities Industry & Financial Markets Association (ASIFMA), Bank Policy Institute, BSA – The Software Alliance, Coalition to Reduce Cyber Risk (CR2), Cybersecurity Coalition, Digital Europe, techUK, US Chamber of Commerce, US-India Business Council and US-India Strategic Partnership Forum. The new directive, issued on April 28, requires companies to report any cyber incident to CERT-In within six hours of noticing it.
It requires data centres, Virtual Private Server (VPS) providers, cloud service providers and Virtual Private Network (VPN) service providers to validate the names of subscribers and customers hiring their services, the period of hire, the ownership pattern of the subscribers and other details, and to keep those records for five years or longer where the law so requires.
Under the directive, IT companies must also retain all information obtained as part of Know-Your-Customer (KYC) checks, together with records of financial transactions, for five years, with the stated aim of ensuring cyber security in payments and financial markets for citizens.
The international bodies have objected to the 6-hour timeline for cyber incident reporting and asked that it be extended to 72 hours. "CERT-In has not provided any rationale as to why the 6-hour timeline is necessary, nor is it proportionate or aligned with global standards. Such a timeline is unnecessarily brief and injects additional complexity at a time when entities are more appropriately focused on the difficult task of understanding, responding to, and remediating a cyber incident," the letter said.
It said that within six hours entities are also unlikely to have enough information to make a reasonable determination of whether a cyber incident has in fact occurred that would warrant a notification. The international bodies said that their member companies operate advanced security infrastructures with high-quality internal incident management procedures, which will yield more efficient and agile responses than government-directed instructions about a third-party system with which CERT-In is not familiar.
The joint letter said that the current definition of reportable incidents, which includes activities such as probing and scanning, is far too broad, given that probes and scans are everyday occurrences. It also noted that CERT-In's clarification to the directive states that logs are not required to be stored in India, but the directive itself does not say so.
"Even if this change is made, however, we have concerns about some of the types of log data that the Indian government is requiring be furnished upon request, as some of it is sensitive and, if accessed, could create new security risk by providing insight into an organisation's security posture," the letter said. The joint letter said that internet service providers commonly collect customer information, but extending these obligations to VPS, cloud service and VPN providers is burdensome and onerous.
"A data centre provider does not assign IP addresses. It will be an onerous task for the data centre provider to collect and record all IP addresses assigned to their customers by ISPs. This could be a nearly impossible task when IP addresses are dynamically assigned," the letter said. The global bodies said that storing the data locally for the lifetime of the customer relationship, and for five years thereafter, will require storage and security resources whose costs must be passed on to the customer, who, notably, has not asked for this data to be kept after the service is terminated.
"We share the government's goal to improve cyber security. However, we remain concerned about the CERT-In directive, despite the release of the recent FAQs document intended to clarify the directive, because the FAQ is not a legal document; it does not grant companies the legal certainty required to conduct everyday business," ITI senior director of policy Courtney Lang said. Lang added that the FAQ issued by CERT-In does not address the problematic provisions, including the six-hour reporting timeline.
"We continue to urge CERT-In to pause implementation of the directive and open a stakeholder consultation to fully address the concerns articulated in the letter," Lang said.