New cyber security rule to make doing business in India tougher, say global tech bodies

India’s new directive which mandates reporting of cyberattack incidents within six hours and storing users’ logs for 5 years will make it difficult for companies to do business in the country, 11 international bodies having tech giants like Google, Facebook and HP as members said in a joint letter to the government.

The joint letter written by 11 organisations that mainly represent technology companies based in the US, Europe and Asia was sent to the Indian Computer Emergency Response Team (CERT-In) director general Sanjay Bahl on May 26.

The international bodies have expressed concerned that the directive, as written, will have a detrimental impact on cyber security for organisations that operate in India, and create a disjointed approach to cyber security across jurisdictions, undermining the security posture of India and its allies in the Quad countries, Europe and beyond.

The global bodies that have jointly expressed concern include Information Technology Industry Council (ITI), Asia Securities Industry & Financial Markets Association (ASIFMA), Bank Policy Institute, BSA – The Software Alliance, Coalition to Reduce Cyber Risk (CR2), Cybersecurity Coalition, Digital Europe, techUK, US Chamber of Commerce, US-India Business Council and US-India Strategic Partnership Forum.

The new directive issued on April 28 mandates companies to report any cyber breach to CERT-In within six hours of noticing it. It mandates data centres, Virtual Private Server (VPS) providers, cloud service providers and Virtual Private Network (VPN) service providers to validate the names of subscribers and customers hiring the services, period of hire, ownership pattern of the subscribers etc. and maintain the records for a period of 5 years or longer duration as mandated by the law.

The international bodies have raised concern over the 6-hour timeline provided for cyber incident reporting and demanded that it should be increased to 72 hours. “CERT-In has not provided any rationale as to why the 6-hour timeline is necessary, nor is it proportionate or aligned with global standards. Such a timeline is unnecessarily brief and injects additional complexity at a time when entities are more appropriately focused on the difficult task of understanding, responding to, and remediating a cyber incident,” the letter said.

The joint letter said that the current definition of reportable incidents, to include activities such as probing and scanning, is far too broad given probes and scans are everyday occurrences. It said that the clarification provided by CERT-In to the directive mentions that logs are not required to be stored in India but the directive does not mention it.

“Even if this change is made, however, we have concerns about some of the types of log data that the Indian government is requiring be furnished upon request, as some of it is sensitive and, if accessed, could create new security risk by providing insight into an organisation’s security posture,” the letter said.