Google, Facebook and other tech giants say new cyber security rules will make it harder to do business in India

India’s new directive, which makes it mandatory to report cyber attack incidents within six hours and store users’ logs for 5 years, will make it difficult for companies to do business in the country, 11 international bodies whose members include tech giants such as Google, Facebook and HP said in a joint letter to the government.

The joint letter, written by 11 organizations that mainly represent technology companies based in the US, Europe and Asia, was sent on May 26 to Sanjay Behl, director general of the Indian Computer Emergency Response Team (CERT-In).

International bodies have expressed concern that the directive, as written, will have a detrimental impact on cyber security for organizations operating in India and create a disjointed approach to cyber security, which will undermine the security posture of India and its allies in the Quad countries, Europe and beyond. “The difficult nature of the requirements may also make it difficult for companies to do business in India,” the letter said.

Global bodies that have jointly expressed concern include the Information Technology Industry Council (ITI), Asia Securities Industry and Financial Markets Association (ASIFMA), Bank Policy Institute, BSA – Software Alliance, Coalition to Reduce Cyber Risk (CR2), Cyber Security Alliance, Digital Europe, TechUK, US Chamber of Commerce, US-India Business Council and the US-India Strategic Partnership Forum. The new directive, issued on April 28, mandates companies to report any cyber breach to CERT-In within six hours of noticing it.

It makes it mandatory for data centers, virtual private server (VPS) providers, cloud service providers and virtual private network (VPN) service providers to validate details such as the names of subscribers and customers, the period of hire, ownership patterns of customers, etc., and to maintain the records for a period of 5 years or more as mandated by law.

As per the directive, IT companies are required to maintain records of all information received as part of Know Your Customer (KYC) and financial transactions for a period of five years to ensure cyber security in the areas of payments and financial markets for citizens.

International bodies have raised concerns over the 6-hour time limit provided for cyber incident reporting and demanded that it be increased to 72 hours. “CERT-In has not provided any rationale as to why the 6-hour timeline is necessary, nor is it in line with or aligned with global standards. Such timelines are unnecessarily brief and inject additional complexity at a time when institutions are more appropriately focused on the daunting task of understanding, responding to and redressing a cyber incident,” the letter said.

It said that in the case of a six-hour mandate, the entities would likely not have sufficient information to make a reasonable determination as to whether a cyber incident actually occurred that would warrant triggering the notification. The international bodies stated that their member companies operate advanced security infrastructure with high-quality internal incident management processes, which will yield a more efficient and agile response than a government directive about a third-party system with which CERT-In is not familiar.

The joint letter states that the current definition of reportable incidents is too broad, as it includes activities such as probing and scanning, which are everyday occurrences. It said that the clarification issued by CERT-In on the directive mentions that logs are not required to be stored in India, but the directive itself does not say so.


“Even if this change is made, however, we do have concerns about certain types of log data that need to be submitted upon request to the Government of India, as some of it is sensitive and, if accessed, may create new security risk by providing insight into the security posture of an organization,” the letter said. It is cumbersome and difficult to access CSP and VPN providers.

“The data center provider does not assign IP addresses. It will be a tedious task for the data center provider to collect and record all the IP addresses assigned by ISPs to their customers. This can be an almost impossible task when the IP addresses are dynamically assigned,” the letter said. The global bodies said storing data locally for the life cycle of the customer and five years thereafter would require storage and security resources, for which the cost should be passed on to the customer, who has not specifically asked for this data to be stored after the termination of his service.

“We share the government’s goal to improve cyber security. However, we remain concerned about the CERT-In directive, despite the release of a recent FAQ document aimed at clarifying the directive. Because the FAQ is not a legal document, it does not grant the legal certainty companies need to conduct everyday business,” said Courtney Lang, senior director of ITI Policy. The FAQs do not address the problematic provisions, including the six-hour reporting timeline.

“We continue to urge CERT-In to pause the implementation of the directive and open a stakeholder consultation to fully address the concerns expressed in the letter,” Lang said.
