VPNs such as Express VPN, Surf Shark and now Nord VPN have left India as one of the outcomes from CERT-In Directions. The VPNs operate by providing privacy and security tools that encrypts users web traffic and many a time they do mask the users IP addresses. Here’s an overview of the CERT-In Directions.
The Computer Emergency Response Team (“CERT-In”) has notified new directions dated 28 April 2022, under sub-section (6) of section 70B of the Information Technology Act, 2000 relating to information security practices, procedure, prevention, response and reporting of cyber incidents for Safe & Trusted Internet (“Directions”). Further CERT-In has published ‘Frequently Asked Questions on Cyber Security Directions of 28.04.2022’ (“FAQs”). CERT-In is a functional organisation of Ministry of Electronics and Information Technology (“MeitY”), Government of India, with the objective of securing Indian cyber space. CERT-In provides Incident Prevention and Response services as well as Security Quality Management Services. The mission of CERT-In is to enhance India’s communication and information infrastructure through proactive action and effective collaboration.
The task of CERT-In is to collect, analyze and disseminate information of cyber incidents, forecast and alert cyber security incidents, take emergency measures for handling cyber security incidents and issue guidelines, advisories etc. relating to information security practices etc. With the advent of digitalization and increase in cyber security incidents, CERT-In has been facing challenges in accessing data to analyze and investigate such incidents. Keeping this in mind, the Directions have been issued to take action against such incidents, mitigate them and take information to make it easier to track and monitor.
The directions have been issued on 28 April 2022 and will be effective after 60 days from the date of issue. The directions have mandated compliance in relation to cyber security incidents by mandating fixed timelines for reporting of incidents, storage of system logs in Indian jurisdiction, power to seek information, norms pertaining to data retention etc.
Key Highlights of the Directions for reporting Cyber incidents
Reporting of incidents within 6 hours- The directions require any service provider, intermediary, data center, body corporate and government organisation to mandatorily report cyber incidents to CERT-In within 6 Hours of noticing such incidents or being brought to notice about such incidents. The types of cyber security incidents which are mandatorily to be reported by service providers, intermediaries, body corporate and Government organizations include targeted scanning, probing of critical networks, identity theft, phishing, data breach, data leaks, unauthorized access of IT systems, defacement of website or intrusion into a website and unauthorized changes such as inserting malicious code, links to external websites. etc. The list of cyber incidents are mentioned in an annexure to the Directions. Please read here
While there already exists an obligation to report Cyber Security Incidents as provided under the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013, there was no time limit prescribed under the said rules and was only to be reported in a reasonable period. However, the Directions have provided clarity in this regard by fixing a timeline of 6 hours. The incidents can be reported to CERT-In via email (email@example.com), Phone (1800-11-4949) and Fax (1800-11-6969).
Crypto exchanges and wallets to maintain KYC Details and records – The virtual asset service providers, virtual asset exchange providers and custodian wallet providers will have to mandatorily maintain KYC and records of financial transactions for a period of five years so as to ensure cyber security in the area of payments and financial markets for citizens while protecting their data, fundamental rights and economic freedom in view of the growth of virtual assets.
Further, the Directions mandate that the transaction records shall be maintained in such a way that an individual transaction can be reconstructed along with the relevant elements comprising of information relating to the identification of relevant parties including IP addresses along with timestamps and time zones, transaction ID, the public keys (or equivalent identifiers), addresses or accounts involved (or equivalent identifiers), the nature and date of the transaction, and the amount transferred.
Service Providers to maintain information- Data Centers, Virtual Private Server (VPS) providers, Cloud Service providers and Virtual Private Network Service (VPN Service) providers have been required to register information pertaining to name of subscribers, period of hire, IPs allotted to/being used by members etc. for a period of 5 years or more as mandated by the law after any cancellation or withdrawal of the registration. This will include validated names, addresses and ownership patterns.
Designation of Point of Contact- The service provider, intermediary, data center, body corporate and government organizations are mandated to designate a Point of Contact to interface with CERT-In. All communications from CERT-In seeking information and providing directions for compliance shall be sent to the said Point of Contact
Order/Directions issued by CERT-In- For the purpose of cyber incident response, protective and preventive action related to cyber incident, CERT-In can issue orders to entities to take action and demand information that may be of assistance to CERT-In. The order may contain the format of information and a specified time-frame. Non-adherence to such compliance would be treated as non-compliance of this Direction.
Maintenance of Logs- The Directions have mandated that all service providers, intermediaries, data centers, body corporate and government organisation shall mandatorily enable logs of all their ICT systems and maintain them securely for a period of 180 days within Indian jurisdiction. Such logs will have to be provided to CERT-In along with reporting of any incident or when ordered/directed by CERT-In.
The ambit of this provision is broad and has the potential of bringing in such service intermediaries under its lens who do not have any physical presence in India and thus will be required to maintain system logs in India.
Penalty- Failure to comply with the directions will result in both, imprisonment of up to 1 year and a fine which may extend to 1 lakh rupees.
FAQs issued by CERT-In
Upon issuance of the Directions, several clarifications were required and CERT-In issued timely FAQs. The FAQs have, inter alia, have given affirmation that the Directions will be applicable to all service provides, intermediaries, data centers, body corporates and government organizations and have further clarified that the abovementioned regulated entities will include body corporates outside India. This has clarified that the Directions will be extra-territorial in nature.
With respect to nature of incidents to be reported, the FAQs have clarified that the reporting of vulnerability as a standalone or in isolation, unconnected with the cyber security incident is not mandatory.
It has also been clarified that the obligation of reporting is statutory in nature and will override any confidentiality clause in any contract by virtue of the provisions of section 81 of the IT Act, 2000. Also, the FAQs clarify that the obligation of reporting of cyber incident is nether transferable nor indemnified or dispensed with.
With respect to designation of a single point of contact, the FAQs have clarified that entities offering services to Indian users even without having actual physical presence in India will also be required to designate such a point of contact.
With respect to the requirements of registering information by Data Centres, VPS providers, Cloud Service providers and VPN Service providers, the FAQs have provided guidance with respect to the ambit of “Ownership pattern of the subscribers / customers hiring services”. As per the FAQs, The Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers and VPN Service providers are required to maintain basic information about customers/subscribers who use their services viz. individual, partnership, association, company etc. of whatsoever nature, with brief particulars of key management.
The Direction require Virtual Private Network Service (VPN Service) providers to register and maintain certain specific information about the subscribers/customers. The FAQs have clarified that these directions will not be applicable to Enterprise/Corporate VPN i.e. entities that deploy VPN for their internal functioning or as part of their internal infrastructure.
Observations to CERT-In Directions
The list of mandatorily reportable incidents is broad and may require further clarity on their definitions of incidents such as Data Breach which has not been defined in existing laws.
While such guidance on reporting of cyber incidents was much needed, it is felt that the timeline of notifying such breach within a period of 6 hours of noticing such breach could pose some challenges. Further, under existing laws, organizations are already mandated to report such incidents but there were no penalties imposed for non-compliance and it is expected that with current guidelines will result in better compliance.
The cost of compliance would increase significantly since some cyber incidents such as phishing happen often and thus intimation of such breach on a 6-hour timeline means that the organizations will have to rework on their internal processes to meet the short timelines.
Storage of records of financial transactions and KYC information by virtual assets service providers, within Indian jurisdiction is a step in ensuring cyber security and will help in reconstructing any individual transaction along with the relevant parties entering into the same. Perhaps, CERT-In aims to pin the responsibility to an Indian entity. This appears that data localization, which is debated highly in India, is making its presence via these Directions.
Another facet of these directions is that cyber incident that needs to be reported is not just limited to incidents originating in India but can be extra-territorial in nature.
Further clarity is needed with respect to the nature of orders that CERT-In will issue pursuant to reporting of such incidents and to what extent it can demand information.
A number of VPN providers are unhappy with these directions as it is being felt by industry players that they attack the core benefit that a VPN service provides to its users which is anonymity and privacy and will be counterproductive for the purpose and benefit of VPN for legitimate purposes. In light of this, a number of VPN players are seeking to exit India.