wordpress blog stats
Connect with us

Hi, what are you looking for?

Global coalition criticises India’s cybersecurity directive

Tech and business associations raise ten key issues.

“We are concerned that the Directive, as written, will have a detrimental impact on cybersecurity for organizations that operate in India, and create a disjointed approach to cybersecurity across jurisdictions, undermining the security posture of India and its allies in the Quad countries, Europe, and beyond. The onerous nature of the requirements may also make it more difficult for companies to do business in India,” a coalition of eleven global business and tech associations said in a letter dated May 26 sent to CERT-In.

The cybersecurity directive issued by the Indian Computer Emergency Response Team (CERT-In) on April 28 has already been criticised by a long list of stakeholders, but this letter by a coalition of prominent industry associations (list below), which includes the US Chamber of Commerce, Cybersecurity Coalition, techUK, and Digital Europe, is the strongest opposition to the directive so far because these associations represent businesses of all sizes and from various sectors across the globe.

What are the issues raised by the coalition?

  1. Syncing time with NPL and NIC servers affects security operations: CERT-In wants companies to sync their system clocks to the NTP time servers of the National Physics Laboratory and the National Informatics Centre, but this requirement “is very concerning because it could negatively affect companies’ security operations as well as the functionality of their systems, networks, and applications, amongst other reasons,” the letter stated. While the FAQs released by the government give some leeway by allowing certain companies to use their own time source as long as it doesn’t deviate from NPL and NIC NTP servers, it is still problematic if the NTP servers are not synced with everyone else’s, the coalition argued.
    • Recommendation: The coalition urged CERT-In to remove this provision entirely.
  2. 6-hour reporting timeline is unnecessarily brief: The directive requires companies to report any cybersecurity incident within 6 hours of the company becoming aware of the incident, but this is “too short,” the associations pointed out. “CERT-In has not provided any rationale as to why the 6-hour timeline is necessary, nor is it proportionate or aligned with global standards. Such a timeline is unnecessarily brief and injects additional complexity at a time when entities are more appropriately focused on the difficult task of understanding, responding to, and remediating a cyber incident. Entities will also unlikely have sufficient information to make a reasonable determination of whether a cyber incident has in fact occurred that would warrant the triggering of the notification,” the letter stated.
    • Recommendation: The coalition recommended that CERT-In establish incident reporting timelines of at least 72 hours, commensurate with incident severity levels in alignment with global best practices.
  3. Tech companies are better equipped to handle incidents than a government agency: The directive allows CERT-In to issue orders to entities mandating them to take a certain action or provide information that may be of assistance to CERT-In. “Our companies operate advanced security infrastructures with high-quality internal incident management procedures, which will yield more efficient and agile responses than a government-directed instruction regarding a third-party system that CERT-In is not familiar with,” the associations argued.
    • Recommendation: The coalition wants this provision removed entirely. “A more appropriate approach might be asking that providers demonstrate that their incident and risk management procedures meet international standards, such as those contained in ISO 27000 certifications,” the letter stated.
  4. List of reportable incidents is too wide in scope: In an annexure, the directive lists out all the cyber incidents that must be mandatorily reported to CERT-In, but this list includes activities such as probing and scanning, which is “far too broad given probes and scans are everyday occurrences,” the associations complained. Reporting such information will “force companies to misallocate already scarce security budgets to produce data that cannot be effectively consumed by any security regulator and would likely be deemed of little consequence were it to be analyzed,” the letter added. Even though the FAQs attempt to narrow the scope of incidents, it merely says that “incidents of a severe nature” have to be reported, but what constitutes a severe incident is left up to interpretation, the letter further pointed out.
  5. The reporting process is outdated: CERT-In requires incidents to be reported in PDF as per the format provided on its website.  This “existing process for reporting incidents further exacerbates this problem, since it relies upon outdated methods, rather than machine-readable formats such as STIX and TAXII,” the letter pointed out.
  6. Localisation of logs not clear: The directive states that companies must store logs of their systems for 180 days within Indian jurisdiction, but the FAQs state that companies can store data outside of India as long as it does not negatively impact CERT-In’s investigations. The associations asked that the government revise the directive to reflect this change because FAQs do not carry the force of law and do not offer enough assurance to businesses operating in India.
  7. Some of the logs required are sensitive in nature: Even if there are relaxations on where the logs can be stored, there are still concerns about the types of log data that the Indian government is requiring to be furnished upon request, the coalition stated. “Some of it is sensitive and if accessed, could create new security risk by providing insight into an organization’s security posture,” it added.
  8. Log reporting is not in line with global standards: “Additionally, a requirement to furnish this volume of log data (or to furnish log data at all) goes beyond what has typically been included in incident reporting policy proposals elsewhere and is out of step with global best practices,” the associations stated.
  9. Collecting IP addresses of customers is burdensome and impractical:  The directive requires VPN, VPS, cloud service, and data centre providers to collect a list of information about their customers, but this is “burdensome and onerous,” the coalition argued. “For example, enterprise customers purchase internet connections from their ISP and the ISP is the party responsible for providing that customer with their IP address. A data centre provider does not assign IP addresses. It will be an onerous task for the data centre provider to collect and record all IP addresses assigned to their customers by ISPs. This could be a nearly impossible task when IP addresses are dynamically assigned.”
  10. Storing customer info is resource-intensive and poses a security threat: The directive further requires the service providers listed above to store the customer information for the lifecycle of the customer and thereafter for five years. This “will require storage and security resources for which the costs must be passed on to the customer, who notably has not asked for this data to be stored after their service termination. And, perhaps more importantly, this requirement creates a security threat for the sensitive data stored,” the associations said.

Concerned by lack of stakeholder engagement

The coalition also expressed its concerns over the absence of stakeholder engagement by CERT-In before releasing such a “significant cybersecurity proposal.” The letter includes this statement by the Organization for Economic Cooperation and Development (OECD) emphasising the importance of stakeholder consultations :

“Stakeholder engagement is a crucial element of regulatory policy. It helps to ensure that regulations are in the public interest by involving those that are affected by regulations, including citizens, businesses, civil society and other community members. Stakeholder engagement improves the quality of rule making by collecting ideas, expertise and evidence from stakeholders about policy problems to be solved and possible solutions to address them. It also ensures that regulation is user-centred and responds to the needs of those governed. By consulting all affected parties, stakeholder engagement enhances the inclusiveness of policies and supports the development of a sense of ownership of regulations. This in turn strengthens trust in government, social cohesion and compliance with regulations.”

When releasing the FAQs document,  Minister of State for Electronics and Information Technology Rajeev Chandrasekhar said that industry stakeholders were consulted but there was no need to hold public consultations because the aam aadmi (common man) is not impacted by the directive. But based on the letter by the coalition, it appears that even industry stakeholders were not properly consulted.

What does the coalition want CERT-In to do next?

The coalition of associations encourages CERT-In to:

  1. Delay the implementation of the directive to allow time to conduct further stakeholder
    consultations and address technical and other concerns
  2. Launch a broad stakeholder consultation including a detailed technical consultation for
    public reply
  3. Revise the directive to address the various concerns

Which associations have signed the letter?

  1. Asia Securities Industry & Financial Markets Association (ASIFMA)
  2. Bank Policy Institute
  3. BSA | The Software Alliance
  4. Coalition to Reduce Cyber Risk (CR2)
  5. Cybersecurity Coalition
  6. Digital Europe
  7. Information Technology Industry Council (ITI)
  8. techUK
  9. U.S. Chamber of Commerce
  10. U.S.-India Strategic Partnership Forum

Also Read:

Have something to add? Post your comment and gift someone a MediaNama subscription.

Advertisement. Scroll to continue reading.
Written By

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.

Views

News

The Delhi High Court should quash the government's order to block Tanul Thakur's website in light of the Shreya Singhal verdict by the Supreme...

News

Releasing the policy is akin to putting the proverbial 'cart before the horse'.

News

The industry's growth is being weighed down by taxation and legal uncertainty.

News

Due to the scale of regulatory and technical challenges, transparency reporting under the IT Rules has gotten off to a rocky start.

News

Here are possible reasons why Indians are not generating significant IAP revenues despite our download share crossing 30%.

You May Also Like

News

Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...

Advert

135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...

News

Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...

News

By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Name:*
Your email address:*
*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ