The requirements of CERT-In may make doing business in India difficult: Global groupings
Concerned about the “onerous” character of India’s cybersecurity watchdog’s recent guidelines, global business groups have warned the federal government that the rules could have a “detrimental impact on cybersecurity” for companies doing business in India.
In a letter sent on Thursday to Sanjay Bahl, Director General of CERT-In (the Indian Computer Emergency Response Team), and co-signed by the US Chamber of Commerce, the US-India Business Council, the US-India Strategic Partnership Forum, techUK, and others, the groups said the CERT-In requirements may make it more difficult for companies to do business in India.
According to the letter, the rules would result in a fragmented approach to cybersecurity across jurisdictions, undermining the security posture of India and its allies in the Quad countries (Australia, India, Japan, and the United States), Europe, and beyond.
It further stated that the FAQs the cybersecurity watchdog recently posted carry no legal authority and do not provide sufficient assurance to enterprises operating in India.
“If left unchecked, these rules will have a major negative impact on enterprises operating in India, with no proportional benefit to cybersecurity,” the groups wrote.
The requirement to report cybersecurity incidents within six hours and what the letter called an “overbroad” definition of reportable incidents are two of the most contentious provisions.
The letter also said that the requirement for companies to hand over sensitive logs to CERT-In and to respond to incidents as directed by the agency was raising concerns, as was the requirement for Virtual Private Server (VPS) providers, Cloud Service Providers (CSP), and Virtual Private Network (VPN) providers to retain certain subscriber data for at least five years after cancellation of service.
Fragmented approach
“The directive’s technical requirements will make cybersecurity worse, not better,” said Ari Schwartz, Coordinator of the Cybersecurity Coalition. “The sheer volume of information required, squandered resources, and fragmented approach will harm the global cybersecurity ecosystem, making us all less safe.”
The other signatories include the Asia Securities Industry & Financial Markets Association (ASIFMA), the Bank Policy Institute, BSA – The Software Alliance, the Coalition to Reduce Cyber Risk (CR2), the Cybersecurity Coalition, DigitalEurope, and the Information Technology Industry Council (ITI). The associations represent a diverse cross-section of industries, spanning businesses of various sizes and sectors and jurisdictions such as the EU, the United Kingdom, and the United States.
They also stated that stakeholder engagement is a “critical component of regulatory policy,” which is especially important in highly technical and impactful policy areas such as cybersecurity.
“We look forward to engaging with you further regarding these concerns,” the associations said. “We respectfully encourage you to delay the effective date of the Directive and the associated implementation requirements for the underlying provisions until further consultations with stakeholders have taken place.”
The industry groups also asked CERT-In to drop the requirement to synchronize system clocks with NTP servers, and encouraged the agency to set a “feasible incident reporting timeline” of at least 72 hours.
The letter also expressed concern about the requirement to provide voluminous log data, arguing that it would place a significant burden on organizations’ security teams at a time when security resources, including personnel, are scarce.