Eleven industry groups send letters to CERT-In clarifying concerns over new cyber rules

India’s recently announced cyber security regulations, which force IT companies and cloud service providers to rapidly report cyber security incidents and store data, are facing growing concerns. Eleven industry groups from the European Union, the United Kingdom and the United States, including the US Chamber of Commerce and the US-India Business Council, have written to the Indian Computer Emergency Response Team (CERT-In) to express their concern about the country’s cyber security regulations.

Industry groups said the “drastic nature” of the directive could make it more difficult for companies to do business in India. Big tech companies like Facebook, Google, Apple, Amazon and Microsoft are also among the signatories of the letter. The signatories include the Asia Securities Industry and Financial Markets Association (ASIFMA), Bank Policy Institute, BSA, Coalition to Reduce Cyber Risk, Cyber Security Alliance, Digital Europe, Information Technology Industry Council (ITI), TechUK, US Chamber of Commerce, US-India Business Council (USIBC), and US-India Strategic Partnership Forum (USISPF).

These organizations join a wide range of stakeholders, including VPN providers and civil society, who have previously criticized CERT-In’s norms. Earlier, VPN providers also expressed concerns regarding the new rules as they believe the new rules will change the way they operate in the country.

Letter to CERT-In

The letter comes after CERT-In issued a set of clarifications on its guidelines in response to industry concerns about compliance burden. The rules were issued on April 28 and will take effect in 60 days.

However, in a letter addressed to CERT-In Director General Sanjay Bahl, the group said the new rules would have a “harmful effect” on cyber security for Indian businesses and create a fragmented approach to cyber security, harming the security situation of the country and its partners in the Quad countries, Europe and beyond.

They have raised concerns about the six-hour reporting time limit for cybersecurity incidents, the requirement that companies provide sensitive logs to the government, the “overbroad” definition of reportable incidents, and the requirement that virtual private networks (VPNs) store data on their users for five years.

“If this is not taken into account, these provisions will have a significant adverse effect on the organizations that operate in India with no similar benefit to cyber security,” the letter added, as reported by the Indian Express.

Industry groups have urged an increase in the reporting time limit to 72 hours from the current six hours, claiming that the former is in accordance with best practices across the world. According to the letter, CERT-In has not presented any justification for the six-hour time limit, nor is that limit proportionate to or linked to worldwide norms. Such a schedule is unreasonably short and adds to the complexity at a time when organizations must focus on the arduous process of understanding, responding to and resolving a cyber disaster, the letter said.

The group of organizations also said: “Our companies operate advanced security infrastructure with high-quality internal incident management processes, which provide more efficient and agile responses than government-directed instructions regarding a third-party system which CERT-In is not familiar with.” CERT-In should amend the directive to remove this provision, they said.

They believe a more appropriate approach would be asking providers to demonstrate that their incident and risk management methods meet international standards, such as those found in the ISO-27000 certification. But Minister of State for Electronics and IT Rajiv Chandrasekhar had earlier said that the government was “very liberal” with a reporting time limit of six hours.

VPN providers’ concerns

According to the government, VPN providers have two months to comply with the laws and start data collection.
The reason given by CERT-In is that it requires the ability to investigate potential cybercrime, but VPN companies disagree, with some saying they will disobey orders.

Cyber security expert Sandeep Kumar Panda, CEO and co-founder of InstaSafe, told News18: “While everyone is still waiting for a clear data privacy law in this country, such a quietly issued new directive requiring an array of technology companies to introduce user data logging has led to more confusion among service providers.”

“Some of the biggest VPN companies state that they collect only minimal information about their users and also allow methods for their users to remain largely anonymous. Hence, their internal rules are now ready to bring them into conflict with the IT ministry,” he said.

The industry insider said that the list of data points that the government has directed to be stored is quite long, and storing these data points for such a long period will cost the VPN vendors a lot, as they will have to store them in the cloud. Moreover, the new guidelines would also require them to change their product, which would be a big nuisance for VPN providers, he said.

Amit Jaju, Senior Managing Director, Ankur Consulting Group, told News18: “Some mandates for VPN service providers may not work as planned. VPN service providers have a global footprint and their India presence is primarily to enable users in other countries to navigate the Internet as a user from India. It is primarily used by overseas Indians to browse OTT platforms in India.”

Additionally, he said: “A cybercriminal planning an attack in India would not need a VPN server in India. The attacker could use a foreign server, or use any other compromised machine in India, which could be widely available to criminals.”

“Even if they [VPN service providers] start logging on their India servers, attackers can still access foreign servers of VPN service providers, which will remain out of the purview of Indian authorities,” said the industry expert. However, VPN providers have been warned by Union Minister Chandrasekhar that they are free to leave the country if they do not follow the rules.
