One of the interesting and at the same time informative criticisms about the new CERT-IN guidelines came from medianama.com.
In multiple articles under the byline of Mr Sarvesh Mathi, the website has argued:
- India’s Cyber Security Directive goes against security, Tech companies argue
- Why India should not (yet) mandate companies to adopt a specific time source
- VPN Providers call India’s new rules worse than China, Russia
- Why India’s New Cyber Security Directive is a bad joke
Yesterday’s Economic Times has followed up with its own criticism in the article titled “Tech companies have a few queries on CERT-In’s cybersecurity rules”.
It is also reported that the Information Technology Industry Council (ITI) has sent a letter to the Director General of CERT-In, Dr Sanjay Bahl, asking for the directive to be pushed back.
Further, today’s ET report “UnCERT-IN times for VPN Services Providers in India” has openly stated that some service providers are refusing to follow the CERT-IN guidelines and are prepared to face the bulldozer if need be.
The same report also states that the VPN user base has been surging over the past two years and that the number of users in India increased from a mere 3.28% of the population in 2020 to 20%, according to an adoption tracker maintained by AtlasVPN. The total user base is estimated at 270 million according to another estimate.
Some service providers like Surfshark and NordVPN have stated that they are unlikely to be able to adhere to the directive. Some of these service providers indicate that they do not even have the means to collect the user information and keep it for 5 years as required under the guidelines. Some of them say that they run only RAM-based services and pride themselves on “No Log Retention” as their USP.
More than the other measures indicated in the new guidelines, such as “Synchronization of Clocks” and “Data breach report within 6 hours”, it is the VPN log requirement that seems to have shaken up the industry, since it directly affects illegal activities such as Crypto transactions, anti-national activities, Phishing, ransomware attacks, Crime-as-a-Service operators and virtually all Dark web activities.
Over the last few years, Internet-based attacks on the country through fake social media accounts, and the use of Crypto Currencies to fund terrorism in the country, have adversely affected law enforcement in India. Operators like “Proton Mail” have made it virtually impossible to trace phishing e-mails, and website hosts and email providers hide behind “Privacy” and refuse to part with the identity of criminals who use their services.
We have pointed out many times that the fundamental personal right of “Privacy” has no role in hiding criminal activities, and any service provider who resorts to such an excuse will be an “Abettor” of crime and must be punished as a facilitator of crime.
Naavi.org has at the same time advocated that “Regulated Anonymity” is the recommended system, where users can claim anonymity subject to the right of law enforcement to obtain the information under due process from the service provider who provides the anonymization service. This is an alternative to blocking a service which supports crime against the people of India.
The entire campaign against the guidelines therefore has the motive of keeping Cyber Crimes undetected and hence has to be opposed.
Technical Excuses
Since some journalists still hold up a fig leaf to cover their nefarious intentions of supporting Cyber crimes, several technical excuses are presented to confuse the public.
It is accepted that the new regulations require some tweaking of the systems and involve cost. But law enforcement cannot dilute security to make “Crime as a service” more profitable. Hence the arguments on the basis of cost deserve to be brushed aside with the contempt they deserve.
The “Latency” argument, and the need to connect to a nearby time source instead of NIC/NPL (“Nearness to the time source”), apply to data centers which are not in India. The guideline also permits the use of an accurate and standard time source other than NPL and NIC for entities having ICT infrastructure spanning multiple geographies.
India however prefers a copy of all sensitive data to be kept within India, and hence servers need to be in India. Whether the present capacity in India is adequate or not is a matter that needs to be sorted out, for which six months’ time has been provided even now.
(PS: Naavi has pointed out that this law has been in existence since at least 27th October 2009, and Naavi.org has pointed out several times the need to enforce it, which CERT IN and the Government of India have failed to do so far.)
The Medianama article points out that one researcher indicates that
“There could be privacy concerns. Depending upon whether you want the government of India to know that you have a server with so and so IP”.
If a service provider is so apprehensive and distrustful of the Indian Government that it fears the Government may learn the IP address of its server when its time server connects to an Indian server, it needs to stop doing business in India and exit. CERT IN has a mandate for Cyber Security, and if any company is operating a server in India or transacting with the Indian population, it is the duty of the security agency to know the server. This objection itself can be called a bigger joke than the regulations.
As regards the 6 hour reporting time, these crime supporters are misleading the public. We all know that companies take on an average 270 days to detect a data breach. But what the guidelines ask is that, after the company comes to know of the breach, it reports within 6 hours with whatever information is available and supplements it later.
Critics should note that most laws in the US and elsewhere may state that the data breach should be reported “As soon as possible”, and ASAP could mean even earlier than 6 hours.
We know that a company would like to hide the incident “as long as possible” to prevent reputational damage, but hiding it longer may only expose more individuals to the adverse consequences of the breach.
It is however open to the companies to discuss with CERT IN how they classify “Cyber Incidents” and “Cyber Data Breaches”, what needs to be reported within 6 hours and what is to be logged for future reference.
According to the CERT In rules of 2014:
“Cyber Security Incident” means any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly applicable security policy resulting in unauthorised access, denial of service or disruption, unauthorised use of a computer resource for processing or storage of information or changes to data, information without authorization”
“Cyber Security breaches” means unauthorized acquisition or unauthorised use by a person as well as an entity of data or information that compromises the confidentiality, integrity or availability of information maintained in a computer resource”.
These definitions provide an opportunity to distinguish actual security compromises, which need to be reported within 6 hours, from targeted scanning detected and blocked by the security systems. Hence the objections raised in this regard are imaginary.
As regards the volume of log records, the Medianama article quotes that a company may generate 1TB of data every day and asks how they can share the log records in PDF format, etc. If a company has the business to generate 1TB of data per day, it would definitely have the resources to store the 1TB of data for 180 days if it invests in storage facilities. These need not be passed on to CERT IN immediately and can be held in whatever form is convenient for the organization under its custody. Only when any specific information is called for by CERT IN do they need to extract the records and provide them with a Section 65B certificate, in a form which can also be a digitally signed soft copy. During investigations, it is expected that the investigators would not make a request such as “All Logs for the last five years”. At best they may ask for specific device log records for about 15 days to one month. If this is required for security reasons, all of us, including the tech companies, need to cooperate with a sense of social responsibility rather than complaining.
The Medianama article also offers the excuse that there could be a GDPR violation. It is not worth commenting on this, since every data protection law has an exception for law enforcement purposes and GDPR cannot lord over Indian sovereignty. Further, if an organization is collecting data from India and storing it in India, it is subject to the Indian DPA 2021 and not GDPR. GDPR applies to data collected from the EU, and companies are welcome to store it abroad.
In fact, if companies prefer to store their GDPR data in India, DPA 2021 provides an exception under Section 37 (DPA 2021/PDPB2019) to seek exemption from DPA 2021 by a notification. This could prevent any unintended GDPR violation. However, if GDPR data is being used for committing crimes which are under investigation in India, no protection should be claimed.
One expert is quoted as stating that the exercise of powers by CERT IN could be considered a “Warrantless Search”. It is a point to be noted, but CERT IN is one of the entities which has been statutorily empowered under Section 70B of ITA 2000/8, and as long as due process is followed and the information gathered is further protected appropriately, there should be no concern. If there are any concerns, Indian Courts will consider them.
After all, we know that the Supreme Court is always responsive to senior advocates and would even meet at midnight if the situation warrants. The Indian Supreme Court may perhaps be considered far more independent than Courts at least in the USA, and is always ready to accept any challenge to a law, or even a departmental circular or even a tender notification, as long as some key words such as “Privacy”, “Freedom of Speech” and “Constitutional Rights” are used in the petition.
The Supreme Court will not even insist on the case travelling through the lower courts and will accept a writ petition directly, so that any company receiving a notice from CERT IN can approach the Supreme Court immediately within the six-hour deadline. Some would say 24 hours would be a better time interval for negotiating with the advocates, but considering the possibility of “Midnight hearings” and “Telephone Stays” that are possible in India, influential companies can perhaps manage the six-hour deadline and obtain stays on CERT IN orders.
While we hold our view that “Security” is paramount and the “Right to be secured” is as much a fundamental right as other rights, we hope that the Government will be able to hold its fort against the objections from the tech companies and the media. We will not be surprised if CERT IN and MeitY develop cold feet and this guideline is shelved like many similar guidelines.
Naavi
(Comments welcome)
Reference Articles:
Global tech industry body seeks revision in India’s directive on cyber security breaches
Tech companies have a few queries on CERT-In’s cybersecurity rules
India Limits Internet Freedom Again; Mandates User Data Collection For VPNs-INC42
5 issues with the recent Cert-In directions and what they mea… Moneycontrol
Why India’s New Cybersecurity Directive Is A Bad Joke… Medianama.com
Reference Circulars
CERT In Rules dated 16th January 2014
Notification of 4th January 2017
Notification of April 28, 2022
Earlier Articles at Naavi.org
CERT-In Re-issues its order of 4th January 2017
Shadow DPAI required for CERT-IN
Raising objections to Government Actions has become a habit for Tech Companies