SUMMARY
Global business associations write to CERT-In DG, seek delay in the effective date of the new directives issued by the agency
The trade bodies have urged the government to engage in dialogue with relevant stakeholders before formulating its policies
The recent directives issued by the CERT-In may make it more difficult for companies to do business in India: Trade associations
A host of global business associations have expressed concerns over the ’onerous’ directives issued by the Indian Computer Emergency Response Team (CERT-In) recently.
In a letter to Sanjay Bahl, the director general of CERT-In, which was seen by The Economic Times, the business associations stated that the recent directives issued by CERT-In could have a ‘detrimental impact on cybersecurity’ for organisations that operate in India. It further added that these requirements may also make it more difficult for companies to do business in India.
The letter was signed by organisations such as the US Chamber of Commerce, the US-India Business Council, the US-India Strategic Partnership Forum, techUK, among others.
”This will create a disjointed approach to cybersecurity across jurisdictions, which in turn will undermine the security posture of India and its allies in the QUAD nations, Europe and beyond,” it added.
The matter at the centre of debate is the mandatory requirement of reporting cybersecurity incidents within a 6-hour timeline. Other areas of concern highlighted by the trade bodies include the mandate to furnish sensitive logs to the watchdog in the event of a cyberattack and the requirement for virtual private network (VPN) providers to retain subscriber information for at least 5 years after the cancellation of service by users.
“If left unaddressed, these provisions will have a significant adverse impact on organisations that operate in India with no commensurate benefit to cybersecurity”, the letter added.
The trade bodies also urged the government to reconsider the cyber incident reporting time and increase it to 72 hours from the current 6 hours. The associations also raised concerns regarding maintenance of ‘voluminous’ data, citing increased costs to the company.
“The technical requirements put forward in the directive will make cybersecurity worse, not better. The sheer volume of information required, wasted resources and fragmented approach will damage the global cybersecurity ecosystem and make us all less safe”, said one of the signees.
The associations that signed the letter belonged to a host of sectors and from a slew of countries such as the US, the UK and the EU. The bodies urged the government to engage in dialogue with relevant stakeholders before formulating its policies.
“We look forward to engaging with you further regarding these concerns and respectfully encourage you to delay the effective date of the directive and the associated implementation requirements for the underlying provisions until further consultations with stakeholders have taken place,” they said.
The latest directives of CERT-In have received criticism from many quarters. Many have pointed out that journalists and whistleblowers use VPNs, and furnishing activity logs could endanger their lives. Another set of new regulations that mandate reporting of cyber attacks within six hours has also been in the line of fire from industry experts. This new direction will come into effect from June 27.
