Tech-aligned industry associations say the new rules are inconsistent, onerous, unlikely to improve India’s cybersecurity. The rules could also harm the country's economy, they say.
In late April, the Indian Computer Emergency Response Team (CERT-In) (CERT-in) issued the Cyber Security Directions affecting VPN providers and cryptocurrency exchanges.
The CERT-In directions require VPN providers, datacenters and virtual asset providers to keep user information (names, email identifiers, contact numbers and IP addresses) for 5 years and to report cybersecurity breaches within 6 hours.
It is about more than 20 types of cyber incidents, including attempted phishing. Among the incidents to be reported are "malicious/suspicious" activities, but the difference between malicious and suspicious activity is not specified.
In addition to the media and local IT-companies, 11 tech groups spoke out against the new rules, including:
- United States Chamber of Commerce (USCC);
- TechUK;
- US-India Business Council (USIBC);
- Information Technology Industry Council (ITI);
- as well as Facebook (banned and recognized as extremist in the Russian Federation), Google, Apple, Amazon, Microsoft, and others.
The signatories are calling for increasing the reporting timeline to 72 hours, saying the latter timeline is “in alignment with global best practices”, including stating that storing customer data is burdensome, and creates a security risk.
“Our companies operate advanced security infrastructures. (...) A more appropriate approach might be asking that providers demonstrate that their incident and risk management procedures meet international standards, such as those contained in ISO 27000 certifications”,
the letter says.
Rajeev Chandrasekhar, India's Minister of State for Electronics and IT, had earlier said that companies that would not adhere to the norms would be free to exit the country.
