Industry says India’s new cybersecurity regulations go way too far


Good morning! Today marks the 15th anniversary of the first release of the iPhone. Oh, how things have changed…

Below: Tina Peters loses a race to be the GOP nominee for Colorado secretary of state, and researchers say a China-linked propaganda campaign has an unusual target. First:

India’s new rules are a cautionary tale for cyber regulators

In April, Indian cybersecurity officials announced ambitious plans to require all companies – large and small – to promptly report breaches to authorities.

But industry groups say the requirements go too far and carry significant risks.

Under the rules issued by India’s Computer Emergency Response Team, known as CERT-In, businesses and government agencies must report incidents such as hacks and data leaks within six hours of discovery.

Industry groups have strongly criticized the rules. Certain provisions of the rules “could have serious consequences for businesses and their global customers without addressing the real security concerns,” the industry group Information Technology Industry Council (ITI) warned in a May letter.

Indian authorities partially delayed the rollout this week, when the requirements were due to come into force, by postponing the rules for small and medium-sized businesses for another three months.

But ITI senior director Courtney Lang told me industry wanted the rules delayed for all businesses so it could work with the government to make compliance more practical, calling many of the current requirements “somewhat impractical.”

  • “Unfortunately, India is taking a rather novel approach to incident reporting obligations,” Lang said. “And so we’re in a bit of a wait-and-see mode to see how things actually unfold.”

Another industry group expressed similar concerns. The rules “will undermine incident investigation and response, including the deployment of defensive measures,” Venkatesh Krishnamoorthy, country manager for India at BSA | The Software Alliance, said in a statement.

  • Both BSA and ITI have called for the six-hour notice period to be extended to at least 72 hours, the window set by the new US reporting law. Six hours after learning of a breach, organizations are still responding to the breach itself and should be able to focus on that, they said in letters to Indian officials.

India’s rules are a warning to the United States and other governments seeking to force companies to disclose when they have been hacked. Governments have imposed such rules to try to understand how serious cybercrime is at a time when organizations are facing waves of cyberattacks.

A new US law will require organizations in 16 critical infrastructure sectors to report major cybersecurity incidents within 72 hours. Passage took work in Congress, where the measure stalled last year.

Indian regulations are much broader than US law:

  • Companies must log activity on their networks and retain those logs for six months. Logs “should be provided to CERT-In with the reporting of any incident or when commissioned/directed by CERT-In,” the rules state.
  • Data centers, virtual private network providers and cloud security companies must collect customer information and retain it for five years. The authorities have also postponed this requirement until September.
  • Cryptocurrency wallet companies, exchanges and other businesses must retain “know your customer” information about their users for five years.
  • The rules also require companies “to take action or provide any such information or assistance” to CERT-In when instructed to do so, a provision the groups say goes too far.

Digital rights groups have called on Indian authorities to scrap the measures. Access Now and more than a dozen other organizations said in a letter that the rules would “weaken cybersecurity, amplify the risk of surveillance, especially for journalists and human rights defenders, and undermine the right to privacy in India.”

  • A group of cybersecurity experts warned this week that the regulations “would have negative implications in practice and hinder efficiency, while putting privacy and online security at risk.”

If the intent of the rules is to tackle cybercrime, a key question is whether they are proportionate, Prateek Waghre, policy director of the Internet Freedom Foundation, an Indian digital rights organization, told me. “I think we would say that’s not a proportionate way to go because if you’re concerned with cybercrime, the answer is not to monitor or record mass data.”

Waghre also raised concerns about the process, including the lack of “any kind of open public consultation.” Beyond that, the requirements themselves are ambiguous, Indian authorities may struggle to respond effectively to incidents when handed so much data, and the rules could push companies to collect more data whether or not they have “the ability to keep that secure,” Waghre said.

India’s Ministry of Electronics and Information Technology, CERT-In’s parent ministry, did not respond to a request for comment on the rules. But Indian authorities have defended them. “Implementing the measures prescribed in these directions will facilitate the timely detection and mitigation of breaches and the effective investigation of cybercrimes,” they said in a set of “frequently asked questions” about the rules published last month.

Election denier Tina Peters loses GOP primary for Colorado secretary of state

Pam Anderson, a former county clerk who led the Colorado County Clerks Association, easily defeated Mesa County Clerk Tina Peters for the Republican nomination for the state’s top election post. Anderson has said Colorado’s elections are safe and fair, Axios reported.

Peters’ loss comes as she faces criminal charges related to a 2021 breach of Dominion voting machines. A grand jury accused Peters of sneaking an unauthorized person into secure parts of her office while the voting machines were being updated.

  • Peters denied the charges, saying they were politically motivated. “Nothing will come of it, no rules have been broken, no laws have been broken,” Peters said at a Republican event last month.

Peters is “unfit to serve as secretary of state and a threat to American democracy,” Colorado Secretary of State Jena Griswold (D) told The Cybersecurity 202 this week. Griswold, who ran unopposed in Tuesday’s primary and has called Peters an “insider threat,” will face Anderson in November.

China-linked social media accounts pose as Texans to attack rare earth companies

The accounts attacked a rare earths processing facility being built in Texas, as well as a Canadian rare earths company and an American company that said it would build a new plant in Oklahoma, according to the cybersecurity company Mandiant. The campaign “suggests that China could do more to undermine Western rivals to its rare earths industry, which it wants to use to strengthen international alliances,” writes Joseph Menn.

The propaganda campaign hasn’t garnered much engagement from genuine social media users, but it highlights how “Chinese propaganda efforts that only recently expanded beyond Asia continue to evolve and add sophistication,” Menn writes.

The network operates on 30 platforms and in seven languages, Mandiant said. “They are certainly still growing in terms of technique, but clearly they are getting a lot of resources. There are a lot of hands on the keyboards here,” Mandiant vice president John Hultquist told The Washington Post. “They are becoming more and more aggressive.”

Canadian hacker accused of ransomware agrees to cooperate with US prosecutors

Sebastien Vachon-Desjardins agreed to plead guilty to four counts against him and faces up to 40 years in prison, Bloomberg News’s Jeff Stone reports. Prosecutors had accused Vachon-Desjardins of working to deploy NetWalker ransomware. Canadian authorities extradited Vachon-Desjardins to the United States in March.

Canadian authorities found 719 bitcoins during a search of Vachon-Desjardins’ home in 2021. The cryptocurrency, which was worth around $28 million when he was extradited, is now worth almost $15 million because of the falling price of the digital asset.

Michael Gableman faces new lawsuit for suppression of public records (Wisconsin State Journal)

Giuliani at center of Trump probe in Georgia (The New York Times)

Cybercriminals reportedly using deepfakes to apply for remote jobs (The Daily Dot)

Kentucky and Arkansas say abortion ban leaks used publicly available data (The Record)

AMD investigates data theft allegations (The Record)

Congresswoman promotes cyber insurance in changing political landscape (NextGov)

Crypto crash threatens stolen North Korea funds as it ramps up weapons testing (Reuters)

Israel has foiled 1,500 hacking attempts this year, cyber chief says (Haaretz)

BT asks UK for more time to remove Huawei core as ban nears (Bloomberg)

Son of Conti: Ransomware dabbles in politics (The Record)

The link between AWM Proxy & the Glupteba botnet (Krebs on Security)

Big Tech silent on data collection as workers call for post-Roe action (Gerrit De Vynck, Caroline O’Donovan, Nitasha Tiku and Elizabeth Dwoskin)

Former Uber security chief faces wire fraud charges (Bloomberg)

  • A House Science Committee panel holds a hearing on “Privacy in the Age of Biometrics” today at 11 a.m.
  • Director of National Intelligence Avril Haines and Deputy Attorney General Lisa Monaco speak at an event hosted by the Silverado Policy Accelerator and Google today at 5:30 p.m.
  • CISA Director Jen Easterly speaks at the opening of the US Cyber Open on Thursday.
  • The United Nations Institute for Disarmament Research hosts a conference on cyberstability and critical infrastructure protection on July 5.

Thanks for reading. Until tomorrow.