Making sense of India’s latest cybersecurity guidelines
On 28 April, the Computer Emergency Response Team-India (CERT-In), the country’s nodal body responsible for cybersecurity, issued new cybersecurity guidelines. From cyberattacks to virtual private networks (VPN), from cryptocurrencies to information and communications technology (ICT) systems, the guidelines touched on multiple issues with wide-ranging and long-term impacts. While the guidelines have received a mixed response from cybersecurity experts, there has been a pushback from industry bodies, companies and service providers. If not recalled and revised before the guidelines become effective in end-June, it will lead to the beginning of a tumultuous phase in India’s tryst with cyberspace.
Unpacking the guidelines
Issued under the Information Technology (IT) Act of 2000, the CERT-In guidelines have four major directives. First, it mandates that any cyber incident has to be reported within six hours of noticing it (or becoming aware) to CERT-In by the involved company, government organisation, data centre, intermediary or service provider. Second, companies and organisations have to “mandatorily enable logs of all their ICT systems and maintain them securely for a rolling period of 180 days”. To be stored “within the Indian jurisdiction”, these details have to be provided to CERT-In whenever required. Third, virtual private server, Cloud service and VPN service providers as well as data centres have to obtain and store information about their customers including contact details and used IP addresses for five years after they withdraw or cancel their registration. Fourth, those involved in the cryptocurrency business, including exchanges and wallet providers, have to maintain records of all transactions as well as user details for a period of five years.
These guidelines, which do not cover individual citizens, will come into effect 60 days after their issuance — that is, in end-June. The directives are mandatory in nature and failure to comply with them may attract penal provisions of sub-section (7) of section 70B of the IT Act (2000).
Why were the guidelines needed?
India has been a recipient of incessant cyberattacks over the past few years. With millions of new users joining the Internet even as cyber awareness remains woefully low, points of vulnerabilities have increased rapidly. India, along with Japan and Australia, was the most attacked country in Asia in the year 2021. According to CERT-In figures, there were 1,402,809 cyber incidents in 2021. About 78 per cent of Indian companies were targets of ransomware attacks and incurred losses running into millions of dollars. And by all accounts, 2022 is going to be even more challenging.
Implications: the good and the bad
Seen in the light of the concerning trends discussed above, the CERT-In guidelines do appear timely and indicate a sense of urgency in the government machinery to address the rising threats in the cyber domain. But, regardless of how well-meaning it might be, the guidelines have raised a serious debate in both academia and the industry over privacy and implementation concerns.
The most vociferous criticism has come from VPN companies. While some of them, including NordVPN, have indicated their plans to leave the Indian market, others are evaluating their options. ExpressVPN has already exited the Indian market by closing down its physical servers in India while promising Indian users access to its services through virtual servers located in Singapore and the UK. The guidelines strike at the very core of their business models — providing a secure tracking-free private online environment. As Pratik Kanjilal has argued, “the order is a clever way of putting VPNs out of business in India without actually banning them”; this avoids, according to him, the ire of international bodies and press that an outright ban would have invited. Interestingly, corporate VPNs have been left out of this directive, sparing them from a disruptive change.
The critical statements issued by VPN companies have been met by stern responses from the Indian government. Union Minister for Electronics and IT, Ashwini Vaishnaw, speaking to The Indian Express, dismissed the privacy concerns associated with CERT-In’s directives. His colleague and Minister of State for Electronics and IT asked the VPN service providers to either comply with the rules or leave India.
The directive for companies to keep a log of their ICT systems as well as report any incident within six hours has received mixed responses. While mandatory quick reporting may enable the CERT-In to mount effective countermeasures, six hours has been found by many to be a very short time period. Further, keeping a log of all ICT systems and making it available to the CERT-In not only raises privacy issues, but also requires the companies to put in place more resources and infrastructure.
In addition to VPN companies and some cybersecurity experts, there has been a pushback by industry bodies and companies too on the guidelines. On 28 May, The Indian Express reported a letter sent by 11 industry bodies, including the US Chamber of Commerce, US-India Business Council and the US-India Strategic Partnership Forum (USISPF), to the Director-General of CERT-In. This letter, which Facebook, Google, Apple and Amazon have also signed, states that the CERT-In directives will have a “detrimental impact on cybersecurity for organisations that operate in India, and create a disjointed approach to cybersecurity across jurisdictions, undermining the security posture of India and its allies in the Quad countries, Europe, and beyond”. It urges the government to change the reporting time to 72 hours from the “unnecessarily brief” six-hour timeline.
On 3 June, Reuters reported that the Internet and Mobile Association of India, a body representing companies including Facebook, Google and Reliance, had written to the Ministry of Electronics and IT raising multiple issues in the directives. They called for a one-year delay in the implementation of the directives and also proposed the extension of the reporting timeline to 72 hours. They warned that these guidelines will create an “environment of fear rather than trust”.
What lies ahead?
On 18 May, responding to the multiple queries and apprehensions that the guidelines have generated, the CERT-In released a clarificatory document listing frequently answered questions (FAQ). Despite the clarifications, there are many unknowns as well unknown unknowns — which is understandable, given the complexity of the cyber domain. The coming months are going to be tumultuous for companies and organisations in India as they navigate their engagement with cyberspace while adhering to CERT-In guidelines.
In face of mounting criticism and pushback, whether the government will recall the guidelines for revision or push ahead with the roll-out at end-June is not clear at this stage. Regardless of that, the government should show the same amount of urgency in bringing a comprehensive data protection law — which has been pending for many years now — to safeguard people’s interests as well as boost cybersecurity.