
Why new CERT-In rules will be game changer in India's cyber security space

Experts believe that though the rules are very broad in nature, this is the first time that a mechanism is being put in India that makes reporting cyber incidents mandatory

Shivani Shinde Mumbai
Last Updated: May 10 2022 | 10:28 PM IST
CERT-In, the nodal agency that deals with cybersecurity threats in India, recently issued guidelines to report cyber incidents, putting the entire security landscape and VPN services providers in a state of flux. Experts believe that though the rules are very broad in nature, this is the first time that a mechanism is being put in India that makes reporting cyber incidents mandatory.

On April 28, CERT-In issued directions and guidelines on information security practices. They come into effect in 60 days and will affect industry players such as data centres, VPN service providers and cloud service providers, among others.

Though most of the players that Business Standard spoke to said the intention behind these guidelines is in the right direction, they also said the legislation is very broad in nature.

Pavan Duggal, Supreme Court lawyer and cyber law expert, said: “India so far does not have any cyber security law, and even the Information Technology Act 2020 is silent on it. The recent guidelines that CERT-In has issued as well as its move to make these directions fall under the purview of sub section (6) of section 70B of Information Technology Act 2020, are crucial. The intent here is that the internet should not be misused and if there is a breach of cybersecurity, then it should be traceable.”

Duggal added: “There may be some concerns but it also has several opportunities. For instance, it is for the first time an attempt is being made to make it mandatory on enterprises, government bodies and all other services providers to report a cyber incident. If one does not, then they will have to face the law. This is significant because cyberattacks have gone up multifold and several times the user never comes to know that their data has been breached.”

Some of the rules that are causing concern include: reporting any cyber incident within six hours of it coming to light; requiring VPN service providers to share information on who their customers are and why they are taking the service; disclosing ownership patterns; and maintaining customer details and usage records for a five-year period.

Venkatesh Sundar, co-founder and CMO, Indusface, believes that though the reasons for enforcing all this are understandable, with regard to VPN services the steps directly conflict with, and are counter-productive to, the very purpose and benefits of a VPN used for legitimate ends.

“This step directly attacks the core benefit the VPN service offers to its users and why users chose to use a VPN service (for their own safety and privacy and not for just illegal stuff). I can see why this has triggered an immediate extreme reaction from VPN providers to quit the country. I personally feel, there could have been a better middle ground - that is to make the VPN providers abide by laws of the countries and policies of restricted sites and not allow them to be able to grant access to services that are banned in the country,” said Sundar.

A VPN, or virtual private network, lets a user connect to the internet through an encrypted tunnel. When one uses a VPN, all of their traffic is sent through that tunnel, so their real IP address and location are hidden from the sites they visit and their traffic is protected from eavesdropping on the network in between.

One of the biggest features of many VPN services is a no-log policy: the provider does not record which user connected when or what they accessed, which means users can look up information that is both legitimate and relevant without leaving a trail, protecting their privacy. With this mandate that benefit goes away.

VPNs are also used by businesses, especially with more people opting to work from home or anywhere. Enterprises use VPNs to keep their data and internal applications off the open internet.

Last year, the Parliamentary Standing Committee on Home Affairs had suggested permanently blocking the use of virtual private networks, which was criticised by users online as well as by industries that use VPNs.

The report by the committee, tabled on August 10, 2021 stated: "The Committee notes with anxiety the technological challenge posed by Virtual Private Network (VPN) services and Dark Web that can bypass cyber security walls and allow criminals to remain anonymous online. As of date, VPN can easily be downloaded, as many websites are providing such facilities and advertising them. The Committee, therefore, recommends that the Ministry of Home Affairs should coordinate with the Ministry of Electronics and Information Technology to identify and permanently block such VPNs with the help of internet service providers." 

Several players said this will force VPN players to shift their businesses out of India. But that would still not be of much use. “If VPN players think they can circumvent the law by moving out of India, then the IT Act 2020 provision 75 is applicable to legal entities outside of India so long as the offence impacts computers and networks located in India,” explained Duggal.

Data storage

Among the other guidelines is the requirement to keep user data for five years. This will mean increased investment in storage.

Sandip Kumar Panda, Co-Founder and CEO at Instasafe comments, “The directive on storing VPN user data for a period of 5 years has created a lot of confusion among service providers. Currently, different service providers have different policies and take on user data. Some of the biggest VPN companies state they collect only minimal information about their users and also allow for ways for their users to remain largely anonymous. Hence, their internal rules are now set to bring them into confrontation with the IT ministry.”

He added: “The list of data points that CERT-In has directed to store is quite exhaustive, as storing these data points for such a long period will cost enormously to VPN vendors since they would have to store these in the cloud. Moreover, these guidelines would also require them to change their product, which will be a major nuisance for the VPN providers. While everyone is still waiting for a clear Data Privacy Law in this country, such a quietly issued new directive requiring an array of technology companies to start logging user data is creating even more confusion among the service providers.”

Six hours to report, a challenge

The guidelines also mandate that any cyber incident must be reported within six hours of it coming to notice. Security experts are worried that instead of focusing on containing and resolving a breach, they will now have to focus on filing such reports with the nodal agency.

“The guidelines will bring in the much needed transparency in reporting cyber incidents, but I think the six-hour mandate is a bit aggressive. Globally too, where such mechanisms are in place, the timeline to report is 24 hours to 36 hours,” said Rajesh Garg, CDO and head of cybersecurity practice, Yotta Infrastructure.

For a lot of security service providers this will first mean redrawing their contracts with customers. “Most providers will have to go back to their customers because their contracts with the customers don't allow them to disclose a lot of these things. Moreover, when an attack happens, as a service provider I want to focus on resolving the issue and avoiding a breach, and now we are to send a report within six hours of a cyber incident,” said Pankit Desai, co-founder and CEO, Sequretek.

Solution

Sundar of Indusface believes that a better approach would have been to aim the guidelines at VPN providers rather than at users. “If a VPN service is used to access the services that are blocked by the Indian government, then they are breaking the law. Even today you can access blocked content by using a VPN service provider. Instead of users, then you can go after the VPN service provider. Collecting user information would directly hit the legitimate benefit that a VPN service provides to access legitimate information.”

The approach should have been to bring in VPN service providers and VPN servers rather than the user. Since I can use a VPN service to reach a VPN server that grants me that access, instead of going after the users you can go after the VPN service providers and say that if you want to allow access from Indian IPs, then those Indian IPs should be subject to the same policies, so that banned services are not reachable from those IPs.

Duggal also has a word of caution: by a single stroke of secondary legislation, the government has issued umbrella cyber security directions for all companies. Any or all service providers can be pulled up for non-compliance with these directions, and there is no choice but to comply. “But the bigger concern, and that needs to be addressed, is whether CERT-In has adequate wherewithal to enforce this and also whether they have the requisite checks and balances in place to see that these rules are not misused,” he added.
