In a letter to Sanjay Bahl, Director General of CERT-In (Indian Computer Emergency Response Team), sent on Thursday and co-signed by bodies including the US Chamber of Commerce, the US-India Business Council, the US-India Strategic Partnership Forum and techUK, the associations said CERT-In’s requirements may also make it more difficult for companies to do business in India.
This will create a disjointed approach to cybersecurity across jurisdictions, which in turn will undermine the security posture of India and its allies in the Quad countries (Japan, Australia, India and the US), Europe and beyond, the letter—reviewed by ET—stated.
It also pointed out that the FAQs recently released by the cybersecurity watchdog do not carry the force of law and do not offer enough assurance to businesses operating in India.
“If left unaddressed, these provisions will have a significant adverse impact on organizations that operate in India with no commensurate benefit to cybersecurity,” the groupings said.
Among the contentious requirements are the mandate to report cybersecurity incidents within a 6-hour timeline and what the letter termed the ‘overbroad’ definition of reportable incidents.
Further, it said that the requirements for companies to furnish sensitive logs to CERT-In and to respond to an incident in the manner mandated by the agency were also raising alarm. It also highlighted as an area of concern the requirement for Virtual Service Providers (VSP), Cloud Service Providers (CSP) and Virtual Private Network (VPN) providers to retain certain subscriber information for at least 5 years after service cancellation.
Fragmented approach
“The technical requirements put forward in the directive will make cybersecurity worse, not better,” Ari Schwartz, Coordinator, Cybersecurity Coalition said. “The sheer volume of information required, wasted resources and fragmented approach will damage the global cybersecurity ecosystem and make us all less safe.”
The other associations include the Asia Securities Industry & Financial Markets Association (ASIFMA), Bank Policy Institute, BSA – The Software Alliance, Coalition to Reduce Cyber Risk (CR2), Cybersecurity Coalition, Digital Europe and the Information Technology Industry Council (ITI). The associations represent a broad cross-section of industry, spanning businesses of different sizes and sectors from countries including the EU, UK and the US.
They also made the point that stakeholder engagement is a ‘crucial element of regulatory policy’, particularly relevant in highly technical and impactful areas of policymaking such as cybersecurity.
“We look forward to engaging with you further regarding these concerns and respectfully encourage you to delay the effective date of the Directive and the associated implementation requirements for the underlying provisions until further consultations with stakeholders have taken place,” the associations said.
The industry groupings also asked CERT-In to remove the provision that mandates connection to NTP servers, while encouraging the agency to establish a ‘feasible incident reporting timeline’ of at least 72 hours.
It also flagged concerns about the requirement to furnish voluminous log data, saying it would impose a huge burden on organizations’ security teams in an environment where security resources (including personnel) are at a premium.