Industry associations and lobbying groups including US Chamber of Commerce (USCC), US-India Business Council (USIBC), The Software Alliance (BSA) and others have come together to request Indian Computer Emergency Response Team (CERT-In) to address their concerns regarding the April 29 directions, which they say will have "significant adverse impact on organisations that operate in India".
In a letter dated May 26 to Sanjay Bahl, the director-general of CERT-In, the industry associations, said, "While we share CERT-In’s objective of ensuring the resilience of critical infrastructure entities, we are concerned that the Directive, as written, will have a detrimental impact on cybersecurity for organizations that operate in India, and create a disjointed approach to cybersecurity across jurisdictions, undermining the security posture of India and its allies in the Quad countries, Europe, and beyond. The onerous nature of the requirements may also make it more difficult for companies to do business in India."
Apart from USCC, USIBC, and BSA, the industry associations that were signatories of the letter are Asian Securities Industry and Financial Markets Association (ASIFMA), Bank Policy Institute (BPI), Coalition to Reduce Cyber Risk (CR2), US India Strategic Partnership Forum Cybersecurity Coalition, Digital Europe, techUK and Information Technology Industry Council (ITI).
They urged CERT-In to delay the implementation of the directive to conduct further stakeholder consultations, launch a broader stakeholder consultation including a technical consultation for public reply, and revise the directive in regards to the directions' various requirements.
As a whole, these lobbying groups and industry associations represent lakhs of major companies across the globe. This is also the stiffest opposition that the directions have received, which until now were largely being criticised by singular VPN companies from across the globe, such as NordVPN, Surfshark and others due to one of the direction's mandate of requiring service providers to maintain logs of customers for 5 years.
However, it is not just the provisions regarding VPN that had irked different quarters of the industry. Concerns were also raised regarding other provisions, following which CERT-In a week back released a FAQ on the directions.
"We recognize that CERT-In recently released a set of FAQs related to the Directive aimed at addressing questions that stakeholders have raised with regard to implementation. However, given the FAQs do not carry the force of law, they do not offer enough assurance to businesses operating in India," the letter read.
The lobby groups and industry associations in the letter said that they continue to have concerns regarding the mandatory reporting of cybersecurity incidents within a six-hour timeline, the definition of reportable cybersecurity incidents and so on. "If left unaddressed, these provisions will have a significant adverse impact on organizations that operate in India with no commensurate benefit to cybersecurity," the letter read.
Remove time server requirement
They urged CERT-In to remove the requirement of body corporates adhering to time servers of National Physical Laborarty (NPL) and National Informatics Centre (NIC). "The requirement.. is very concerning because it could negatively affect companies' security operations as well as the functionality of their systems, networks and applications amongst other reasons".
CERT-In had attempted to address these concerns in the FAQ they had issued a week back, but this too "could be problematic" the letter said. "While the FAQs note that organisations are allowed to use a standard time source other than the National Physical Laboratory and National Informatics Centre “as long as the accuracy of time is maintained by ensuring that the time source used conforms to time provided by NTP Servers of NPL and NIC,” this could still be problematic if the NTP servers are not synced with everyone else’s, they added.
Incident reporting time is too short
The CERT-In directions mandate that cybersecurity incidents affecting body corporates have to be reported within six hours. The associations and lobby groups said that the 6-hour timeline was too short. "CERT-In has not provided any rationale as to why the 6-hour timeline is necessary, nor is it proportionate or aligned with global standards," it read
While releasing the FAQ at a press conference a few days back, officials of CERT-In, while justifying the six-hour mandate, had claimed that in countries like France, Indonesia etc, the timeline was much shorter. In a fact check, MediaNama recently showed that there was more to the claims made by the CERT-In officials.
"Such a timeline is unnecessarily brief and injects additional complexity at a time when entities are more appropriately focused on the difficult task of understanding, responding to, and remediating a cyber incident. Entities will also unlikely have sufficient information to make a reasonable determination of whether a cyber incident has in fact occurred that would warrant the triggering of the notification," it read, while requesting CERT-In to extend the reporting time period to 72 hours.
Remove provision of mandatory action
In the letter, the industry associations and lobby groups also said that they have concerns regarding the mandate of cybersecurity-impacted companies to 'take action' or 'provide information' as and how it has been directed by CERT-in in the directions. The groups said that the companies have their own internal incident management procedures which were more efficient and agile.
While asking CERT-In to remove this directive, the group of associations said, "A more appropriate approach might be asking that providers demonstrate that their incident and risk management procedures meet international standards, such as those contained in ISO 27000 certifications."
Definition of incidents very broad
In the letter, industry associations have opined that although CERT-In has attempted to limit the scope of reportable cybersecurity incidents, the ambit of it still remained too broad.
"Although the FAQs attempt to narrow the scope of incidents that are to be reported within 6-hours by adding language like ‘incidents of a severe nature,’ we believe that the definition remains too broad to be practically implementable," it read.
Logging requirements, huge compliance burden
While expressing concern regarding types of log data that CERT-In has asked companies to maintain, the industry associations said that some of these data can be very sensitive in nature, and it "could create new security risk by providing insight into an organisation's security posture".
It also said that the volume of data that CERT-In is asking companies to furnish "goes beyond" what is normally done worldwide. "Finally this will impose a huge burden on organisations' security teams in an environment where security resources (including personnel) are at a premium," it read.
Regarding VPN data
The groups also drew the attention of CERT-In to the requirement of virtual service providers (VSP), and virtual private network (VPN) to collect customer information. Although earlier, VPN service providers had criticised this requirement citing privacy concerns, the criticism of the industry lobby group is regarding compliance requirements.
"For example, enterprise customers purchase internet connections from their ISP and the ISP is the party responsible for providing that customer with their IP address. A data center provider does not assign IP addresses. It will be an onerous task for the data center provider to collect and record all IP addresses assigned to their customers by ISPs. This could be a nearly impossible task when IP addresses are dynamically assigned," it added.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
