The Software Alliance (BSA), a trade group whose members include Microsoft, Salesforce, Amazon Web Services and Cisco, among others, has urged the ministry of electronics and information technology (MeitY) to pause the implementation of the April 29 directions of the Indian Computer Emergency Response Team (CERT-In) as it could hurt “commercial operations, investments and R&D activities” of businesses.
In a letter dated May 30, addressed to additional secretary in MeitY Rajendra Kumar and director general (DG) in CERT-In Sanjay Bahl, BSA specifically pointed out that the FAQ document that CERT-In brought out in May as a means of clarifying the April 29 directions was not legally binding. “The fact that the document is not legally binding means neither BSA nor any other organisation can effectively rely on the FAQs to ensure compliance with the directions. This could hurt their commercial operations, investments and R&D activities,” the BSA said.
As a whole, the trade body urged MeitY to pause implementation of the directions until the clarifications issued in the FAQ are incorporated into the April 29 directions. The BSA also recommended several changes to the directions, which it asked MeitY to consider.
“We are concerned about the broad scope of notifiable cyber incidents, the lack of a risk-based threshold, and the short timeline for reporting in the Directions. These provisions will undermine incident investigation and response, including the deployment of defensive measures,” Venkatesh Krishnamoorthy, country manager, India, BSA, said in a statement.
This is the second time that BSA has written to the government. Earlier on May 26, BSA along with 10 other lobby groups and industry bodies representing major companies across the world wrote to the CERT-In DG, highlighting their concerns with the directions, and requested the ministry to pause its implementation.
Collection of user information
In a slew of recommendations that BSA requested MeitY to incorporate in the directions, the trade body said that the directions’ mandate to collect additional user information as part of log retention, including customer names, IP addresses, etc, and keep it for five years will not deter cybercrime. “The linkage between collecting additional data and effective cybersecurity incident responses is also unclear,” said BSA.
With regard to cloud service providers, BSA said that payment and contact details are already collected when customers are onboarded. “This should be considered as sufficient,” it added. BSA also pointed out that phone numbers and credits already have KYC (know your customer) processes associated with them, and that storing such information again will prove to be ‘duplicative’.
The trade body also pointed out that a mandate to store such information for five years will place a burden on organisations. “Such information could include personal data of individuals and organisations are bound by both privacy as well as confidentiality obligations to customers not to disclose this information or retain it for longer than it is necessary,” said the letter.
The trade body also said that the provision on storing logs will present operational challenges for organisations.
Recommendation: The BSA urged MeitY to delay the implementation of the provision and conduct a consultation on the matter so that they understand the objectives of these steps, “as it will require significant time, effort and investments to develop onboarding processes”.
Certain definitions are vague
The trade body pointed out that the scope of ‘severe’ and ‘large-scale’ incidents was not defined properly. Similarly, BSA said, “Definitions of ‘data breach’ and ‘data leak’ do not establish a threshold based on risk—meaning that all data breaches or leaks would have to be reported.”
“For instance, a minor incident involving an email being sent inadvertently to an incorrect recipient(s) within an organisation could be categorised as a ‘data breach’ internally; however, the ensuing risk is rather low, with possibly no impact on individuals or the organisation,” the letter read.
Recommendation: BSA urged CERT-In to issue guidance for determining ‘high-impact’ or ‘severe incidents’, adding that the same principles should also apply to data breaches and data leaks.
Revise reporting timeline
The BSA said that the six-hour reporting window for cybersecurity incidents laid down in the April 29 directions will not facilitate better coordination or a more effective response by individuals and organisations affected by a cyberattack.
The trade group said that the first 24-72 hours after an organisation is affected by a cyberattack are crucial. “This is a critical period, since there is a consistent need to react in unexpected ways to new information as it is discovered,” said the letter.
It continued, “So, it is essential that information systems personnel maintain consistent, focused attention on investigation, containment, and remediation without pressure to guess or otherwise devote scarce resources to activities that detract from these primary pursuits.”
Recommendation: BSA urged CERT-In to extend the reporting timeline to 72 hours as it will allow organisations to identify information and aid in incident investigation and response. It also pointed out that 72-hour reporting periods are common across different countries and regions.
The Software Alliance raised concerns about the directions’ requirement to keep localised logs and its impact on global cybersecurity. The BSA also said that the FAQs do not address the issue of excessive log keeping.
Recommendation: The trade body said that the FAQ clarification on logs, which is not present in the CERT-In directions, should be incorporated into the directions themselves. It also urged that customers, rather than cloud service providers, should be made the point of contact for cybersecurity incidents in cloud environments.
The BSA pointed out that CERT-In’s provision that reporting cybersecurity incidents was the responsibility of all associated organisations—including, for instance, a body that was affected by a cybersecurity incident and also a third-party provider associated with the body—was challenging.
“This can be problematic, since third-party service providers are not in a position to know if an incident is severe or large-scale and, therefore, cannot make a risk-based determination. Only the affected end user-facing entity will have knowledge of the impact, and it will be able to share incident information of the appropriate quality with the CERT-In,” the letter read.
Recommendation: The BSA requested that this provision be changed.
BSA’s members include: Adobe, Alteryx, Altium, Amazon Web Services, Atlassian, Autodesk, Aveva, Bentley Systems, Box, Cisco, CNC/Mastercam, Dassault, DocuSign, Dropbox, IBM, Informatica, Intel, MathWorks, Microsoft, Nikon, Okta, Oracle, PTC, Rockwell, Salesforce, SAP, ServiceNow, Shopify, Siemens Industry Software, Splunk, Trend Micro, Trimble Solutions, Twilio, Unity Technologies, Workday, Zendesk and Zoom Video Communications.
The submissions by lobby groups and industry associations are being viewed as the stiffest opposition the directions have received; until now they had largely been criticised by individual VPN companies across the globe, such as NordVPN, Surfshark and others, because of the directions’ mandate requiring service providers to maintain logs of customers for five years. On June 2, British Islands-incorporated ExpressVPN announced that it had removed its servers from India, citing the directions.