India’s recently announced cybersecurity standards face a bigger pushback. Eleven industry bodies from countries in the European Union, the United Kingdom and the United States, including the United States Chamber of Commerce and the United States-India Business Council, wrote to India’s Computer Emergency Response Team (CERT-In), raising concerns about its recent cybersecurity standards and arguing that the “onerous nature” of the directive may make it harder for companies to do business in India.
In a letter to Sanjay Bahl, the chief executive of CERT-In, the industry groupings said the cybersecurity directive will have a “detrimental impact on the cybersecurity of organizations operating in India and create a disjointed approach to cybersecurity in all jurisdictions, undermining the security posture of India and its allies in the Quad countries, Europe and beyond”.
In particular, they pointed to the six-hour deadline for reporting cybersecurity incidents, the requirement for companies to provide sensitive logs, an “overbroad” definition of reportable incidents, and the fact that virtual private network (VPN) providers will have to store data about their users for five years. “If left unaddressed, these provisions will have a significant negative impact on organizations operating in India without any commensurate cybersecurity benefit,” the letter said.
The signatories to the letter count major tech companies such as Facebook, Google, Apple, Amazon and Microsoft, as well as other tech companies, among their members. The signatories are: Asia Securities Industry & Financial Markets Association (ASIFMA), Bank Policy Institute, BSA, Coalition to Reduce Cyber Risk, Cybersecurity Coalition, Digital Europe, Information Technology Industry Council (ITI), techUK, US Chamber of Commerce, US-India Business Council (USIBC) and US-India Strategic Partnership Forum (USISPF). They join a wide range of stakeholders, including VPN providers and civil society, who have previously criticized the CERT-In standards.
The CERT-In Cybersecurity Directive requires entities to report cybersecurity incidents to the agency within six hours. It also requires VPN providers to store information such as the names, email IDs, contact numbers and IP addresses (among others) of their customers for a period of five years. The letter comes a week after CERT-In released a set of clarifications to its rules in response to compliance-burden concerns raised by industry stakeholders. The rules were announced on April 28 and are due to come into effect after 60 days.
Industry groups have called for the reporting deadline to be increased from the currently mandated six hours to 72 hours, saying the latter deadline is “in line with global best practice”.
“A 6-hour deadline is too short. CERT-In has provided no rationale as to why the 6 hour time frame is necessary, proportionate or aligned with global standards. Such a timeline is unnecessarily short and adds additional complexity at a time when entities are more appropriately focused on the difficult task of understanding, responding to and remediating a cyber incident,” they said in the letter.
“Our companies operate advanced security infrastructures with high-quality internal incident management procedures, which will provide more efficient and agile responses than a government instruction regarding a third-party system that CERT-In does not know. CERT-In should revise the directive to remove this provision,” they added. “A more appropriate approach might be to require suppliers to demonstrate that their incident and risk management procedures comply with international standards, such as those contained in ISO 27000 certifications.”
However, Minister of State for Electronics and Computers Rajeev Chandrashekhar previously said the government was “too generous” with the six-hour reporting deadline. CERT-In’s Bahl, meanwhile, has previously said that countries like France, Japan, Indonesia and Singapore have even shorter deadlines for reporting cybersecurity incidents. Despite earlier concerns, the government decided to go ahead with the rules. Chandrashekhar also warned VPN companies that if they fail to meet the standards, they are free to leave the country.