Several business and industry associations with global links have raised concerns over the recent directive by the Indian Computer Emergency Response Team (CERT-In) regarding cybersecurity issues – primarily the provision to report such incidents within six hours, storage of subscriber data for five years and logging requirements.
Though the Ministry of Electronics and IT (MeitY) has issued a list of frequently asked questions (FAQs) regarding the directive, the companies feel that since the FAQs do not carry the force of law, they do not offer enough assurance to businesses operating in India.
“We continue to have concerns with the mandatory reporting of cybersecurity incidents within a six-hour timeline, the overbroad definition of reportable incidents, the requirement that companies furnish sensitive logs to the CERT-In, the requirement that companies take action to respond to an incident as mandated by CERT-In, the requirement for virtual service providers (VSP), cloud service providers (CSP), and the requirement that virtual private network (VPN) providers record certain subscriber information for at least five years after service cancellation,” a multi-association letter to the government said.
The 11 associations include the US-India Business Council, US Chamber of Commerce, ITI, techUK, US-India Strategic Partnership Forum, DigitalEurope, BSA, and the Cybersecurity Coalition, among others.
The letter added that if left unaddressed, these provisions will have a significant adverse impact on organisations that operate in India with no commensurate benefit to cybersecurity. The directive was issued on April 28 and will become effective after 60 days. Non-compliance with the new rules may attract penal provisions under the Information Technology (IT) Act.
The companies are basically seeking a delay in implementation of the directive so as to allow a stakeholder consultation to address the technical and other concerns. “Revise the directive to address concerns with regard to the NTP server connection requirements, incident reporting timelines, the requirement that companies take response or remediation action as directed by CERT-In, the definition and scope of covered incidents, the logging requirements, and the requirements pertaining to subscriber information of VSP, CSP and VPN providers,” the letter added.
The firms have sought that the timeline for reporting of incidents be at least 72 hours. Further, regarding the storing of customer data for five years, it has been highlighted that while internet service providers (ISPs) commonly collect such customer information, extending these obligations to VSP, CSP and VPN providers is burdensome and onerous. “Storing the data locally for the life cycle of the customer and thereafter for five years will require storage and security resources for which the costs must be passed on to the customers, who notably have not asked for this data to be stored after their service termination. And, perhaps more importantly, this requirement creates a security threat for the sensitive data stored,” the letter added.
Since it has been clarified by the government that logs are not required to be stored in India, the firms seek that CERT-In should revise the directive to reflect that. “Even if this change is made, however, we have concerns about some of the types of log data that the Indian government is requiring be furnished upon request, as some of it is sensitive and, if accessed, could create new security risks by providing insight into an organisation’s security posture,” it stated.