Eleven Industry Groups Send Letter to CERT-In Explaining Concerns over New Cyber Rules

India’s recently announced cybersecurity rules, which force IT companies and cloud service providers to quickly report cybersecurity incidents and store data, are facing growing concerns. Eleven industry groups from the EU, UK and US, including the US Chamber of Commerce and the US-India Business Council, have written to India’s Computer Emergency Response Team (CERT-In) to express their concerns about the country’s cybersecurity rules.

Industry groups said the “onerous nature” of the guidance could make it difficult for companies to do business in India. Among the signatories to the letter are large technology companies such as Facebook, Google, Apple, Amazon and Microsoft, among others. It also includes the Asia Securities Industry and Financial Markets Association (ASIFMA), Banking Policy Institute, BSA, Cyber Risk Reduction Coalition, Cyber Security Coalition, Digital Europe, Information Technology Industry Council (ITI), techUK, American Chamber of Commerce, the US-India Business Council (USIBC), and the US-India Strategic Partnership Forum (USISPF).

These organizations join a wide range of stakeholders, including VPN providers and civil society, who have previously criticized the CERT-In standards. Earlier, VPN providers also expressed concerns about the new rules as they believe the new regulations will change how they operate in the country.

Message to CERT-In

The message comes after CERT-In issued a set of clarifications about its guidelines in response to industry concerns about compliance burdens. The regulations were issued on April 28 and will take effect within 60 days.

However, in the letter to Sanjay Bahl, general manager of CERT-In, the group said the new rules would have a “harmful impact” on the cybersecurity of Indian companies and would create a fragmented approach to cybersecurity across jurisdictions, which harms the security position of the country and its partners in the Quartet countries, Europe and beyond.

They have raised concerns about a six-hour reporting deadline for cybersecurity incidents, requirements that companies submit sensitive records to the government, a “broad” definition of reportable incidents, and requirements that virtual private networks (VPNs) store data on their users for a period of five years.

As reported by the Indian Express, the letter added: “If these provisions are left unaddressed, they will have a significant negative impact on organizations operating in India without any commensurate benefit to cybersecurity.”

The industry groups have urged that the reporting deadline be extended from the current six hours, which they consider “too short”, to 72 hours, claiming the latter is in line with global best practice. According to the letter, the CERT-In team did not provide any justification for the six-hour timeline, nor does it fit or correlate with global standards. The letter added that such a timeline is unreasonably short and increases complexity at a time when organizations must focus on the challenging process of understanding, responding to, and addressing a cyber catastrophe.

The group of organizations also said: “Our companies operate advanced security infrastructures with high-quality internal incident management procedures, which will result in more efficient and flexible responses to government-directed instructions in relation to a third-party system that CERT-In is unfamiliar with. The CERT-In team should revise the guidance to remove this provision.”

They believe that the most appropriate approach would require service providers to demonstrate that their incident and risk management methods meet international standards, such as those found in ISO-27000 certifications. But Rajiv Chandrashekhar, Minister of State for Electronics and Information Technology, previously said the government was “too lenient” with the six-hour reporting deadline.

VPN Providers’ Concerns

According to the government, VPN providers have two months to comply with the laws and begin collecting data. The reason given by CERT-In is that it needs the ability to investigate potential cybercrime, but VPN companies disagree, with some stating that they will defy the orders.

Cybersecurity expert Sandeep Kumar Panda, CEO and co-founder of Instasafe, told News 18: “While everyone is still waiting for a clear data privacy law in this country, such a quietly issued new directive requiring a group of tech companies to start logging user data is leading to more confusion among service providers.”

“Some of the biggest VPN companies state that they only collect minimal information about their users and also allow ways for their users to remain largely anonymous. Hence, their internal rules are now set up to put them in confrontation with the Ministry of Information Technology.”

The industry insider said the list of data points that the government has directed providers to store is quite comprehensive, and that storing these data points for a long time will cost VPN vendors significantly, as they will have to store them in the cloud. On top of that, the new guidelines will also require them to change their products, which will be a major inconvenience to VPN providers, he added.

Amit Jago, Senior Managing Director of Ankura Consulting Group, told News 18: “Certain mandates to make VPN service providers may not work as planned. VPN service providers have a global footprint and their presence in India is primarily focused on providing users in other countries to navigate the internet as a user from India. This is mostly used by Indians abroad to browse OTT platforms in India.”

Additionally, he said, “A cybercriminal planning an attack in India would not necessarily need a VPN server in India. The attacker could use an external server, or use any other hacked device in India that is widely available to such criminals.”

“Even if it was [VPN service providers] starting from their India servers, attackers can still use the external servers of VPN service providers, which will remain outside the purview of the Indian authorities,” the industry expert said. However, Union Minister Chandrashekhar has warned VPN companies that if they do not follow the rules, they are free to leave the country.
