As of July 1, businesses in India must comply with new regulations set forth by the country’s Computer Emergency Response Team of India (CERT-In) organization and the Ministry of Electronics and Information Technology (MeitY). These new directives require businesses to report any cyber incident within 6 hours – one of the shortest cybersecurity incident reporting windows.
The recent directives from the Computer Emergency Response Team of India (CERT-In) have caused quite a stir in the security community. Apart from mandatory reporting of cybersecurity-related events, organizations must sync server time stamps, maintain 180 days log back-up, and customer details of virtual private network (VPN) services for a period of five years. The rules [PDF] mention 20 cyber incidents to be reported, including data breaches, ransomware, and fake mobile apps. The new guidelines will come into effect from June end and will also be applicable to cloud service providers and virtual private server providers.
What does it mean for businesses?
CERT-In’s directive is a cause for concern for businesses in India. Domestic and global industry bodies like ITI are voicing their concern and the potential impact on every business.
- Impact on VPN providers
During the pandemic, a paramount cybersecurity tool has been a Virtual Private Network (VPN). According to a report by Atlas VPN, VPN usage in India exploded with a growth of 671% in 2020, totalling 348.7 million users by the first quarter of 2021. The growth is mainly attributed to the Indian governments growing restrictions on internet usage.
India joins a handful of countries, like Belarus, China, Iraq, North Korea, Oman, Russia, and the United Arab Emirates, that heavily regulate or outright ban VPN services. The new guidelines are a severe pushback to VPN providers in India. For many, it goes against their core USP of privacy, strict no-log policies, and their main selling point of anonymity. Companies like NordVPN and SurfShark are considering moving out in light of the guidelines. While CERT-In is said to issue a clarification on the April 28 directives, we are yet to see any shift in their stance on VPN privacy.
- Impact on crypto wallets
Joining the league of financial service regulators, CERT-In now requires virtual asset service, exchange, and wallet providers to maintain Know Your Customer (KYC) and financial transactions for five years. Experts suggest that these directives will form the foundation for crypto regulation in India. This follows the recent Union Budget announcement of a flat 30 percent tax on gains from cryptocurrencies and a 1 percent TDS on all crypto transactions.
Organizations must start syncing their system clocks with ICT systems and connect to the Network Time Protocol (NTP) server of the National Informatics Centre (NIC) or National Physical Laboratory (NPL). Syncing timestamps with distant servers raises latency issues. Large data centres would prefer a server that is nearby and trustworthy public NTP servers (like Google) over time sync servers of NIC and NPL. How will CERT-In create dedicated server time? We are yet to get clarification
- The cost, time, and resources to implement the change
Making changes in organizational security in just 60 days is challenging. The number of resources required to sustain the new changes is questionable on either side. Would CERT-In be able to handle the load?
Organizations must maintain logs of ICT systems for a rolling period of 180 days and retain personal data such as names, addresses, phone numbers, emails, and IP addresses of subscribers for a minimum of five years. This could be a potential violation of GDPR norms.
Companies would also need to maintain log servers or invest in services of Security Information and Event Management (SIEM). While SIEM is a valued option, the cost of implementing these changes would be hefty for small to medium organizations. The failure to comply with CERT-in directives would attract a fine of up to Rs.1,00,000 or imprisonment for up to a year under Section 70-B(7) of the IT Act.
The bottom line?
We are eagerly anticipating clarity in certain places, especially whether additional infrastructure has to be created to store the data. Or whether they are allowed to outsource the storage of data to third-party data storage, retention, and localization service providers. While India’s move to strengthen the digital ecosystem is a welcome initiate, in the long run a pragmatic approach would gain better coverage, keeping a fine balance between national security, public surveillance, business priorities, and netizen’s privacy.