11 organizations, including Big Tech companies such as Google, Facebook and HP, have sent a joint petition to the Director of the Computer Emergency Response Team of India (CERT-In) after the country's authorities issued new regulations related to network security.
The new rule requires companies to report cyberattacks within six hours and keep user logs for at least five years. International technology companies believe that this content negatively affects their business in the country of billions of people.
In the petition letter, the 11 organizations, mainly Big Tech in the US, Europe and Asia, expressed concern that the content of the above regulation will negatively affect the network security protection of companies operating in India, while creating a separation of approaches across different jurisdictions. This, in turn, affects the security posture of New Delhi and its allies in the Quartet (USA, Australia, Japan, India), in Europe and in other regions.
“The complex nature of the requirements can also make it difficult for companies to do business in India,” the letter said.
Many international organizations also share this concern, such as the Information Technology Industry Council (ITI), Asian Securities Industry & Financial Markets Association (ASIFMA), Banking Policy Institute, BSA Software Alliance, Cyber Risk Reduction Alliance (CR2), American Chamber of Commerce, US-India Business Council, US-India Strategic Partnership Forum, etc.
The new regulation, issued on April 28, requires companies to report any network breach to CERT-In within six hours of discovery.
Data centers, virtual private server (VPS) providers, cloud service providers, and VPN services must confirm the name of the subscriber, customer, service period, and ownership form. In addition, the regulations require these records and financial transaction records to be kept for at least 5 years to ensure the safety of the payment sector and financial markets.
Companies and observers say that the timeline for reporting network incidents should be increased to 72 hours instead of 6 hours.
“CERT-In doesn’t give a specific reason why it’s 6 hours. That is not in line with global standards. Such a time is too short and adds to the complexity while the departments are focused on understanding, reacting and fixing the problem,” the petition letter said.
In addition, other provisions on data log storage, and the requirements that apply to VPS, CSP and VPN providers, are also considered troublesome and unnecessary.
“We share the government’s goal of improving cybersecurity. However, we remain concerned about the regulation of CERT-In, despite the agency’s release of guidance documents (FAQs). The documents are not legal documents, so they don’t provide a solid basis for companies to conduct their day-to-day business,” said ITI senior policy director Courtney Lang.
Vinh Ngo (According to DevDiscourse)