Eleven significant tech-aligned industry associations from around the world have reportedly written to India’s Computer Emergency Response Team (CERT-In) to call for revision of the nation’s new infosec reporting and data retention rules, which they criticise as inconsistent, onerous, unlikely to improve security within India, and possibly harmful to the nation’s economy.
The rules were introduced in late April and are extraordinarily broad. For example, operators of datacenters, clouds, and VPNs are required to register customers’ names, the dates on which services were used, and even customer IP addresses, and to store that data for five years.
Another requirement is to report over 20 types of infosec incident, even port scanning or attempted phishing, within six hours of detection. Among the reportable incidents are “malicious/suspicious activities” directed towards almost any type of IT infrastructure or equipment, without explanation of where to draw the line between malicious and suspicious activity.
The new rules attracted plenty of local criticism on grounds that a six-hour reporting window is too short, the requirement to record VPN users’ details is an attack on privacy, and that the requirements are too broad and therefore represent an onerous compliance burden.
CERT-In responded by publishing an FAQ that addressed some of the criticism directed at the new rules. But the FAQ remains very vague, offering only limited guidance without addressing matters such as what represents reportable “suspicious activities”.
Indian outlet MediaNama on Saturday reported, along with numerous other Indian outlets, that eleven tech or tech-adjacent lobby groups have written to CERT-In to voice their objections to the new rules.
The alleged signatories are heavy hitters – the US Chamber of Commerce, The Alliance (BSA), Digital Europe, the Information Technology Industry Council, techUK, the Cybersecurity Coalition US Chamber of Commerce, the US-India Business Council, and the US-India Strategic Partnership Forum are among the signatories. The collective membership of the above organisations means almost every significant tech vendor is represented by a signatory to the letter.
Among the objections raised by the letter are:
- Six-hour reporting is unreasonable and required by no other nation or bloc;
- The FAQ has confused the situation – the rules require retained data to be stored within an Indian jurisdiction, but the FAQ says offshore storage is acceptable if it does not hinder Indian investigators;
- Storing customer data is burdensome, and creates a security risk;
- Some of the log data required is commercially sensitive;
- CERT-In’s rules allow reporting by PDF, using formats that are not machine-readable, meaning the stated aim of addressing intelligence gaps at CERT-In is unlikely to be met.
The letter to CERT-In suggests that the rules will make it hard for overseas companies to do business in India, put the country at odds with its allies, and result in costs being passed on to consumers. The groups call for new consultation to revise the rules.
CERT-In has to date been silent in the face of criticism. India’s minister for Skill Development and Entrepreneurship and Electronics and Information Technology, Rajeev Chandrasekhar, has brushed aside criticism too, saying that VPN providers that don’t like the rules can choose to leave the country.
The Register has contacted minister Chandrasekhar and CERT-In for comment on the letter. ®