The Washington PostDemocracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Industry says new Indian cyber regs go way too far

The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Good morning! Today marks the 15th anniversary of the iPhone first going on sale. Oh, how things have changed

Below: Tina Peters loses a race to be the GOP nominee for Colorado secretary of state, and researchers say a China-linked propaganda campaign has an unusual target. First:

India’s new rules are a cautionary tale for cyber regulators

In April, Indian cybersecurity officials announced ambitious plans to require all businesses – large and small – to quickly report breaches to authorities.

But the requirements went too far and have significant risks, groups say. 

Under the rules issued by India’s Computer Emergency Response Team, known as CERT-In, firms and government agencies have to report incidents like hacks and data leaks within just six hours of learning of them.

Industry groups have sharply criticized the rules. Some provisions in the rules “may have severe consequences for enterprises and their global customers without solving the genuine security concerns,” the industry group Information Technology Industry Council (ITI) warned in a May letter

Indian authorities partially delayed the rollout this week, when the requirements were supposed to go into effect, by postponing rules for small and medium businesses for three additional months.

But ITI senior director Courtney Lang told me industries wanted the rules delayed for all companies so they could have worked with the government to make compliance more practical, calling many of the current requirements “somewhat unworkable.”

  • “Unfortunately, India is taking a pretty unprecedented approach to incident reporting obligations,” Lang said. “And so we are a bit in wait-and-see mode to see how things actually unfold.”

Another industry group offered similar concerns. The rules “will undermine incident investigation and response, including the deployment of defensive measures,” Venkatesh Krishnamoorthy, the India country manager of BSA | The Software Alliance, said in a statement.

  • BSA and ITI have both called for the six-hour notification deadline to be extended to at least 72 hours, the timeline that the U.S. reporting bill requires. Six hours after learning of a breach, organizations are still responding to the breach itself and should be focused on that, they said in letters to Indian officials.
In the U.S.

India's news laws are a warning to the U.S. and other governments seeking to force firms to disclose when they’ve been hacked. Governments have imposed such rules to try to understand how bad cybercrime is at a time when organizations face wave after wave of cyberattack. 

A new U.S. law will require organizations in 16 critical sectors to report major cybersecurity incidents within 72 hours. Passing that into law took work in Congress, where it was delayed last year.

India’s regulations are much more broad than the U.S. bill:

  • Firms have to log activity on their networks and hold on to those logs for six months. The logs “should be provided to CERT-In along with reporting of any incident or when ordered/directed by CERT-In,” it said.
  • Data centers, virtual private networks and cloud-security firms are required to get customer information and hold on to that data for five years. Authorities also delayed that requirement until September.
  • Cryptocurrency wallet firms, exchanges and other firms have to maintain “know-your-customer” information on their users for five years.
  • It also requires firms “to take action or provide information or any such assistance” to CERT-In when ordered to, an ask that groups say is too far.
More pushback

Digital rights groups have called for Indian officials to get rid of the measures. Access Now and more than a dozen organizations called on Indian authorities to “withdraw” the rules, saying in a letter that they “would weaken cybersecurity, amplify the risk of surveillance, particularly for journalists and human rights defenders, and jeopardize the right to privacy in India.”

  • A group of cybersecurity experts this week warned that the regulations would “have negative implications in practice and impede effectiveness, while endangering online privacy and security.”

If the intention of the rules is to go after cybercrime, a key question is whether the rules are proportional, Prateek Waghre, the policy director of the Internet Freedom Foundation, an Indian digital rights organization, told me. “I think we would say that it's not a proportionate way to go about doing it because if you're concerned with cybercrime, the answer is not to surveil or to log data en masse.”

Waghre also noted concerns about the process, including lack of “any sort of open, public consultation.” Also, the requirements themselves are ambiguous, it may be difficult for Indian authorities to respond to incidents effectively with so much data, and it could result in firms amassing more data although they “may or may not have the wherewithal, the ability, to keep that secure,” Waghre said.

India’s Ministry of Electronics and Information Technology, the organization above CERT-In, did not respond to a request for comment on the rules. But Indian authorities have defended the rules. “Implementation of the measures mandated in these directions will facilitate timely detection & mitigation of breaches and effective investigation of cybercrimes,” they said in response to “frequently asked questions” about the rules last month. 

The keys

Election denier Peters loses GOP primary for Colorado secretary of state

Pam Anderson, a former county clerk who led the Colorado County Clerks Association, handily defeated Mesa County Clerk Tina Peters for the Republican nomination for the state's top elections official. Anderson has affirmed that Colorado's elections are secure and fair, Axios reported.

Peters’s defeat comes as she faces criminal charges related to a 2021 breach of Dominion voting machines. A grand jury accused Peters of sneaking an outsider into secure parts of her office as the voting machines were being updated. 

  • Peters has denied the charges, saying that they’re politically motivated. “Nothing’s going to come of it, no rules were broken, no laws were broken,” Peters said at a Republican event last month.

Peters is “unfit to serve as secretary of state and a threat to American democracy,” Colorado Secretary of State Jena Griswold (D) told The Cybersecurity 202 this week. Griswold, who ran unopposed in Tuesday’s primary and has called Peters an “insider threat,” will face Anderson in November.

China-linked social media accounts posed as Texans to attack rare earths firms

The accounts attacked a rare earths processing facility being built in Texas, as well as a Canadian rare earths firm and a U.S. firm that said it would build a new Oklahoma plant, according to cybersecurity firm Mandiant. The campaign “suggests that China may go to new lengths to undercut Western rivals to its rare earths industry, which it wants to use to strengthen international alliances,” Joseph Menn writes

The propaganda campaign didn’t get much engagement from real social media users, but it highlights how “Chinese propaganda efforts that only recently expanded beyond Asia are continuing to evolve and add sophistication,” Menn writes.

The network operates across 30 platforms and in seven languages, Mandiant said. “They are definitely still growing in terms of technique, but it’s clear they are getting a lot of resources. There’s a lot of hands on keyboards here,” Mandiant Vice President John Hultquist told The Washington Post. “They keep getting more aggressive.”

Accused Canadian ransomware hacker agrees to cooperate with U.S. prosecutors

Sebastien Vachon-Desjardins agreed to plead guilty to four criminal charges against him and faces up to 40 years in prison, Bloomberg News’s Jeff Stone reports. Prosecutors had accused Vachon-Desjardins of working to deploy NetWalker ransomware. Canadian authorities extradited Vachon-Desjardins to the United States in March.

Canadian officials found 719 bitcoin when they searched Vachon-Desjardins’s home in 2021. The cryptocurrency, which was worth around $28 million when he was extradited, is now worth almost $15 million because of changes in the digital asset’s value.

Securing the ballot

Michael Gableman faces new lawsuit for deleting public records (Wisconsin State Journal)

Giuliani at center of Georgia’s Trump investigation (The New York Times)

Cyber insecurity

Cybercriminals are reportedly using deepfakes to apply for remote work jobs (The Daily Dot)

Kentucky, Arkansas say abortion ban leaks used publicly available data (The Record)

AMD investigating claims of stolen data (The Record)

Hill happenings

Congresswoman promotes cyber insurance amid shifting policy landscape (NextGov)

Global cyberspace

Crypto crash threatens North Korea's stolen funds as it ramps up weapons tests (Reuters)

Israel foiled 1,500 hacking attempts this year, cyber chief says (Haaretz)

BT asks UK for more time to remove Huawei core as ban approaches (Bloomberg)

Son of Conti: Ransomware tries its hand at politics (The Record)

The link between AWM Proxy & the Glupteba botnet (Krebs on Security)

Industry report

Big Tech silent on data collection as workers call for post-Roe action (Gerrit De Vynck, Caroline O'Donovan, Nitasha Tiku and Elizabeth Dwoskin)

Former Uber security chief must face driver fraud charges (Bloomberg)


  • A House Science Committee panel holds a hearing on “privacy in the age of biometrics” today at 11 a.m.
  • Director of National Intelligence Avril Haines and Deputy Attorney General Lisa Monaco speak at an event hosted by the Silverado Policy Accelerator and Google today at 5:30 p.m.
  • CISA Director Jen Easterly speaks at the opening of the U.S. Cyber Open on Thursday.
  • The United Nations Institute for Disarmament Research holds a conference on cyber stability and protecting critical infrastructure on July 5.

Secure log off

Thanks for reading. See you tomorrow.