Minister of State for Electronics and Information Technology Rajeev Chandrasekhar warned virtual private network (VPN) service providers that if they do not follow the recently released directions of the Indian Computer Emergency Response Team (CERT-In), then they are free to terminate their businesses in the country.
Chandrasekhar, who was addressing a press conference on the clarifications issued by CERT-In on the April 28 directions, said, "There is no opportunity for somebody to say we will not follow the laws and rules of India. If you don't have the logs, start maintaining the logs. If you're a VPN that wants to hide and be anonymous about those who use VPNs and you don't want to go by these rules, then if you want to pull out (from the country), frankly, that is the only opportunity you will have. You will have to pull out."
Earlier, in response to the CERT-In directions, which mandate that VPN providers maintain logs including names of customers, their IP addresses etc., for a period of 5 years, NordVPN had said that it may pull its servers out of India if it finds no way out. Similarly, VPN provider Surfshark's legal department head Gytis Malinauskas had told Moneycontrol that the company has a strict no-logs policy, which implies that it does not collect or share customer browsing data or any usage information, and that it would 'aim' to continue doing so.
Chandrasekhar said that a VPN provider, cloud provider or data center operator has an obligation to know who is using their infrastructure. "Why? Because, if there is a detected cyber incident or cyber breach -- from one of the people using your VPN or your cloud or your data center, it is your obligation to produce the data. Now at that point, you can't say 'No it's our rules that we do not maintain logs'. If you don't maintain logs then this is not a good place to do business," Chandrasekhar said.
The Minister of State in MeitY also said that additional requirements will have to be met to comply with the directions. "There is a requirement of all intermediaries, including clouds and data centers to know who's using their infrastructure and using the capacity. Do they need to then create a database with adequate data protection features? Of course they do," he added.
The Indian Computer Emergency Response Team (CERT-In), in its set of clarifications on the April 28 directions, stated that the rules on maintaining customer logs will not apply to enterprise and corporate virtual private networks. The term "VPN service providers" applies only to entities that provide "internet proxy like services through the use of VPN technologies, standard or proprietary, to general Internet subscribers".
6-hour reporting time
Chandrasekhar also addressed other concerns that were raised, for instance, the 6-hour reporting time for cybersecurity incidents. "I think we have been extremely generous in giving six hours. I don't see any merit in people saying that this is too less or expedited." CERT-In officials pointed out that in other countries, for example France, cybersecurity incidents have to be reported within four hours, in Indonesia within 1 hour and so on.
While underlining the importance of reporting such incidents quickly, Chandrasekhar said, "Why this logic of very rapid reporting is almost essential to the internet is because those who commit these breaches can move on very quickly. Immediate reporting, very quick reporting is fundamental to investigating forensic analysis and situational awareness of the nature of the incident and/or conspiracy behind it."
Closed consultation
When asked why a public consultation on the CERT-In directions was not held, Chandrasekhar reasoned that the directions have no effect on citizens.
"The cybersecurity directions have to do with the data centers, cloud providers etc. So the consultation (was done) with those people who are actually impacted by this. I mean, there's no need for us to go do a consultation on cybersecurity directions with let us say Aam Aadmi (sic), because he's not coming under this," he said.
60-day compliance
Chandrasekhar pointed out that the directions give body corporates 60 days to comply with them. On the question of providing additional time for compliance, Chandrasekhar said, "Today, the compliance is only that you have to report a breach. So are you saying for the next 60 days, you will not report breaches and the 61st day, you will start? So there is no logic for asking for additional days to report a breach."
He added, "We have given them 60 days to help them prepare the systems to do the reporting. But there's no real infrastructure requirement to start reporting breaches, but we've still given them 60 days."