Eleven Industry Groups Send Letter to CERT-In Explaining Concerns over New Cyber Rules

India’s recently announced cybersecurity rules, which require IT companies and cloud service providers to report cybersecurity incidents swiftly and to retain data, are facing growing concerns. Eleven industry groups from the European Union, United Kingdom and United States, including the US Chamber of Commerce and the US-India Business Council, have written to the Indian Computer Emergency Response Team (CERT-In) to express their concerns about the country’s cybersecurity rules.

The industry groups said the directive’s “onerous nature” might make it more difficult for companies to do business in India. Big tech corporations such as Facebook, Google, Apple, Amazon and Microsoft, as well as others, are among the signatories to the letter. The signatories also include the Asia Securities Industry & Financial Markets Association (ASIFMA), Bank Policy Institute, BSA, Coalition to Reduce Cyber Risk, Cybersecurity Coalition, Digital Europe, Information Technology Industry Council (ITI), techUK, US Chamber of Commerce, US-India Business Council (USIBC), and US-India Strategic Partnership Forum (USISPF).

These organisations join a wide range of stakeholders, including VPN providers and civil society, who have previously criticised CERT-In’s norms. VPN providers had earlier expressed concerns of their own, saying the new regulations will alter how they operate in the country.

The letter to CERT-In

The letter comes after CERT-In issued a set of clarifications on its guidelines in response to industry concerns about compliance burdens. The regulations were issued on April 28 and will take effect in 60 days.

In the letter, addressed to Sanjay Bahl, director-general of CERT-In, the groups said the new rules will have a “detrimental impact” on cybersecurity for Indian businesses and will create a fragmented approach to cybersecurity across jurisdictions, hurting the security posture of the country and its partners in the Quad countries, Europe and beyond.

They have raised concerns about the six-hour reporting deadline for cybersecurity incidents, the requirement that companies provide sensitive logs to the government, an “overbroad” definition of reportable incidents, and the requirement that virtual private networks (VPNs) store data on their users for five years.

“If left unaddressed, these provisions will have a significant adverse impact on organisations that operate in India with no commensurate benefit to cybersecurity,” the letter added, as reported by The Indian Express.

The industry groups have urged that the reporting deadline be extended from the current six hours, which they describe as “too short”, to 72 hours, arguing that the latter is in line with worldwide best practices. According to the letter, CERT-In has presented no justification for the six-hour timeline, nor is the timeline proportionate or aligned with worldwide norms. Such a schedule is unreasonably short and adds complexity at a time when organisations should be concentrating on the difficult work of understanding, responding to, and remediating a cyber disaster, the letter added.

The group of organisations also said: “Our companies operate advanced security infrastructures with high-quality internal incident management procedures, which will yield more efficient and agile responses than a government-directed instruction regarding a third-party system that CERT-In is not familiar with. CERT-In should revise the directive to remove this provision.”

They believe that a more appropriate approach would be to ask providers to demonstrate that their incident and risk management methods satisfy international standards, such as those found in ISO-27000 certifications. But Rajeev Chandrasekhar, minister of state for electronics and IT, has previously stated that the government was being “too lenient” with the six-hour reporting deadline.

Concerns of VPN Providers

According to the government, VPN providers have two months to comply with the rules and begin data collection. The reason given by CERT-In is that it requires the ability to investigate potential cybercrime, but the VPN companies disagree, with some stating that they will defy the orders.

Cybersecurity expert Sandip Kumar Panda, CEO and co-founder of Instasafe, told News18: “While everyone is still waiting for a clear data privacy law in this country, such a quietly issued new directive requiring an array of technology companies to start logging user data is creating more confusion among the service providers.”

“Some of the biggest VPN companies state they collect only minimal information about their users and also allow for ways for their users to remain largely anonymous. Hence, their internal rules are now set to bring them into a confrontation with the IT ministry,” he added.

The industry insider said the list of data points that the government has directed providers to store is quite exhaustive; storing them for such a long period will be enormously costly for VPN vendors, since they will have to keep the data in the cloud. Moreover, the new guidelines will require them to change their product, which will be a major nuisance for VPN providers, he added.

Amit Jaju, senior managing director at Ankura Consulting Group, told News18: “Certain mandates to make VPN service providers may not work as planned. VPN service providers have a global footprint and their India presence is mainly focused on providing users in other countries to navigate the internet as a user from India. This is used predominantly by overseas Indians to browse OTT platforms in India.”

Additionally, he said: “A cybercriminal planning an attack in India would not necessarily need a VPN server in India. The attacker can use an overseas server, or use any other compromised machine in India that is widely available to such criminals.”

“Even if they [VPN service providers] start logging from their India servers, attackers can still use the overseas servers of VPN service providers, which will remain outside the purview of Indian authorities,” said the industry expert. However, VPN businesses have been cautioned by union minister Chandrasekhar that if they do not follow the rules, they are free to leave the country.
