Today's Editorial - 02 June 2022

CERT-In’s new cybersecurity norms

Source: Soumyarendra Barik, The Indian Express

The cybersecurity norms announced by the Indian Computer Emergency Response Team (CERT-In) in April 2022 requiring virtual private networks (VPNs) to preserve a wide range of data on their customers for five years may not apply to enterprise and corporate VPN providers.

CERT-In is learnt to be working on releasing more details of the cybersecurity directive issued in April, which has been opposed by industry stakeholders. According to sources, the agency could clarify that the norms apply only to VPN providers who offer “Internet proxy like services” to “general Internet subscribers”, and not to corporate VPN service providers.

What are these norms that CERT-In is clarifying?

The norms, released in April, asked VPN service providers, along with data centres and cloud service providers, to store information such as names, email IDs, contact numbers and IP addresses (among other details) of their customers for a period of five years. These entities are also required to report cybersecurity incidents to CERT-In within six hours of becoming aware, or being made aware, of them.

The norms have triggered concerns over privacy, and CERT-In is expected to clarify that private information of individuals will not be affected by the directions.

“These directions do not envisage seeking of information by CERT-In from service providers on a continual basis as a standing arrangement. CERT-In may seek information from service providers in case of cyber security incidents and cyber incidents, on a case-to-case basis, for discharge of its statutory obligations to enhance cyber security in the country,” according to a person aware of the clarifications that CERT-In is in the process of finalising.

The agency is also likely to include in its clarifications that the 28 April directive to store such information and share it with CERT-In will “override” any contractual obligation VPN providers may have with their customers of not disclosing such information.

Queries sent to the IT Ministry and CERT-In Director General Sanjay Bahl were not immediately answered.

But why has CERT-In felt the need to issue a clarification?

Prominent VPN providers, a large part of whose value proposition is ensuring anonymity of their users on the Internet, have questioned the directives, and some providers like NordVPN are even considering pulling their servers from India should the directive be enforced on them.

How has the government responded to these concerns?

Earlier this month, IT Minister Ashwini Vaishnaw had said there was “nothing to worry about” CERT-In’s norms. “There is no privacy concern. Suppose somebody takes a mask and shoots, wouldn’t you ask them to remove that mask? It is like that,” Vaishnaw had said during an interview.

Explaining the need for the rules, he had said, “Cybersecurity is something which is continuously evolving. So we have issued very comprehensive guidelines from CERT-In. Ultimately, if there is a threat to you, the police and you would both have to work together.”

“The basic concept (of the guidelines) is that the people who are actually running the infrastructure should take all possible steps to make sure that things are in place and if there is any breach, immediately inform us so that we can take action,” Vaishnaw said.