An industry group representing large global technology firms has asked the Ministry of Electronics & Information Technology to soften provisions of its cybersecurity directive requiring companies to disclose security incidents within six hours.
The lobby, BSA, represents Microsoft, Amazon Web Services, IBM, Cisco, and Zoom, among others. It asked the government to pause the directive’s implementation — due later this month — until clarifications are incorporated into the text itself.
BSA posted a copy of the letter it sent to MEITY on its website. Note that BSA doesn’t have VPN providers as members, some of whom are considering pulling out servers from India in response to these rules. ExpressVPN has already done so.
Requiring incidents to be disclosed within 6 hours — a tight timeline with little precedent in other countries — was counterproductive, BSA argued. “An organization’s understanding and evidence as to the cause and scope of an incident are often vague and fluid” in the first 24–72 hours after an incident, BSA said.
“A 72-hour period allows a reporting organization to identify information to aid in incident investigation and response, including the deployment of defensive measures, and will ensure that the information provided is grounded in fact, rather than initial speculation.”
BSA also said that the industry would need more time to keep records of user data, and asked MEITY to reduce the scope of the information the industry would have to collect from users.
“Notably, current onboarding practices for cloud service providers involve collecting payment and contact details and an OTP based confirmation, and this should be considered as sufficient. Phone numbers and credit cards already have a KYC process associated with them and further validation will be duplicative,” the BSA said in its letter. The directive requires companies to keep information on all their users ready to provide to India’s Computer Emergency Response Team in the event of a breach.
Lastly, BSA said that customer businesses using cloud services should be the ones to register with the IT Ministry and provide incident notifications. “Only the affected, end-user facing entity will have knowledge of the impact, and it will be able to share incident information of the appropriate quality with the CERT-In,” BSA said.
“Ultimately, this effort to incorporate the clarifications into the Directions, and further consideration of the issues noted above, would be most fruitful if done in consultation with industry,” BSA said.
The request from the firms comes even as the government has been on a spree of proposing rules ranging from those deemed impossible to comply with (VPN providers being asked to maintain logs of users) to direct infringements on ownership rights (revoking suspensions on social platforms), and now this compliance requirement.
The six-hour compliance requirement seems to assume that cybersecurity risks and attacks are the sort of smash-and-grab attacks carried out by thieves in the offline world. That cyber attacks can be planned and executed over months, and even be activated and deactivated without the firm being any the wiser, has obviously escaped the government rule makers completely. Not a good advertisement for ease of doing business.