CERT-In’s new cybersecurity directives are raising questions left and right. With a slew of new changes, India’s prime cybersecurity body hopes to get its claws deep into pretty much all tech service providers in the country trying to access user data.
These directives attempt to address what CERT calls “gaps causing hindrance in incident analysis”. However, if and when put into force, they’ll give the authorities access to about everything they want on all individual or corporate entities operating in the country.
What are the new directives all about?
Here’s a quick recap of everything CERT-In wants to implement.
Organisations to use a standard time protocol
- All service providers, intermediaries, data centres, corporates and Government organisations operating in the country are to synchronise their ICT system clocks to the Network Time Protocol (NTP) server of the National Informatics Centre (NIC) or National Physical Laboratory (NPL).
- Alternatively, entities can connect to NTP servers tracing back to NTP servers run by NIC or NPL.
- Entities with ICT infrastructures in multiple locations may use a common time source other than NPL and NIC, but their time sources shouldn’t deviate from the two Indian entities.
Reporting cybersecurity incidents
- All organisations operating in India must report any cybersecurity incidents to CERT-In within the first six hours.
- These incidents include scanning or probing critical networks, data breaches, ransomware or spyware attacks, attacks on databases, mail or DNS networks, identity theft, DDoS attacks, fake mobile apps, unauthorised access to social media accounts and any data leaks, among other things.
- Incidents can be reported by either email, phone or fax. If all the information required by CERT-In isn’t available in the first six hours, all available information should be provided.
Assisting CERT-In in incident response
- When required by CERT-In, organisations have to take action or provide information to be used for cybersecurity incident response, security mitigations or enhanced cybersecurity situational awareness.
- The order can include information up to and including real-time data, and it has to be provided in a specified time frame. Failing to do so would be considered non-compliance.
- Organisations are to appoint a point of contact for CERT-In, and all communication between the organisation and CERT-In is to go through the said point of contact.
Maintaining active logs for ICT infrastructure
- All organisations must maintain logs of all their ICT systems for a rolling period of 180 days.
- The same is also to be maintained within Indian jurisdiction.
- These logs are to be provided to CERT-In when reporting a cybersecurity incident or as and when required by the authorities.
VPN/VPS providers to keep track of their users
- Data centres, VPN, VPS and cloud service providers are required to retain registered information about their users for five years or longer (if needed) after the users stop using the service.
- This information includes validated names, period of subscription, IPs used, email and IP address used at the time of billing, the reason for subscribing, address and contact numbers, as well as the ownership pattern of the subscriber.
- CERT-In can ask for this data as and when required, and it must be provided within a given time frame. Failure to do so would be considered non-compliance.
Financial services to maintain user KYC information
- All virtual asset, virtual asset exchange and custodian wallet providers are required to maintain all the information processed as part of the Know Your Customer (KYC) process for up to five years.
- The information needs to be stored in a way that allows individual transactions to be recreated in addition to other parameters like other parties involved, IP addresses, time stamps and time zones, addresses or accounts involved, nature and date of the transfer, as well as the amount transferred.
Are the new rules protecting users or breaching privacy?
These new and somewhat invasive rules are being pushed under the guise of protecting the 120 crore Indians that CERT-In assumes will have access to the internet over the next few years. According to them, it’s their goal to ensure that Indian internet users “experience a safe and trusted internet”.
However, when VPN service providers are asked to track their customers and organisations have to jump through hoops to get the time right on their ICT infrastructures, the new rules become more of an invasive hindrance than a means to protect citizens, and they have been bashed by industry experts and cybersecurity critics alike.
All six of the new directives do more harm than good. For starters, CERT-In’s new time synchronisation order puts a lot of companies in a dilemma, as they know nothing about the NTP servers CERT-In is forcing them to use. Latency, time drift and the technologies used to reduce latency all differ between NTP servers, and switching to new ones in a 60-day window is quite difficult.
Besides, there are much better options available for companies as compared to NIC’s or NPL’s servers, say, for example, Google’s TrueTime. Otherwise, the only option CERT-In has given will be overwhelmed when many organisations start pinging those servers to sync their ICT infrastructure.
CERT-In’s six-hour incident reporting timeline is unrealistic as well. For starters, it’s way off the global standards, and there doesn’t seem to be any logic behind the six-hour figure. The reporting timeline isn’t based on the severity, complexity or even the type of attack. It also doesn’t take into account attacks that happen on holidays.
CERT-In’s current incident report procedure requires printing an online PDF form, filling it out and then submitting it to relevant authorities. Not only is this a rather time-consuming process, but it’s also way outdated.
Additionally, big organisations get probed by hundreds if not thousands of IP addresses daily. Since CERT-In requires even port probing to be reported, how many reports a day should one submit? This also raises the concern of CERT-In getting flooded by low-priority reports and raises a question on CERT-In’s capability of going over all these reports quickly enough to find and mitigate the risk should there be one.
Logs are another point of concern for organisations. Big organisations can generate hundreds of gigabytes of logs in a single day, which is a problem considering CERT-In requires them to be saved for 180 days. Additionally, logs often contain personally identifiable information (PII), and the authorities have given no information on how they will handle this data.
VPN providers seem to be the most aggrieved because of these rules as they go against VPNs’ very selling point — privacy. The second a VPN service starts logging its customers, it essentially becomes pointless.
“The new Indian VPN regulations are an assault on privacy and threaten to put citizens under a microscope of surveillance.” (ProtonVPN, Twitter)
“We remain committed to our no-logs policy and protecting user privacy. We haven’t made any changes to our availability in India,” a Protonmail spokesperson told Candid.Technology.
A lot of VPN providers have come out publicly against these new directives. Surfshark, ExpressVPN and NordVPN have already shut down their servers in the country and moved them elsewhere so they can continue serving Indian users without having to comply with the new logging rules.
“Surfshark’s physical servers in India will be shut down before the new law comes into power. Up until then, users will be able to connect to servers in India as usual,” Surfshark announced earlier this month.
Some questions about the new cybersecurity rules
Here are some questions about the new directives you might ask.
What kind of incidents are organisations required to report?
Here are some of the incidents that CERT-In requires organisations to report.
- Targeted scanning of critical network systems
- Compromise of network infrastructure
- Unauthorised system access
- Website defacement
- Spyware, trojan, ransomware, crypto-mining infections or DDoS attacks
- Any attacks on servers, including databases, email, DNS or other network devices
- Identity theft, spoofing or phishing attacks
- Any data breaches or leaks
- Attacks on IoT devices
- Attacks affecting digital payments systems
- Attacks from malicious mobile apps or fake apps
- Unauthorised access to social media accounts
- Attacks affecting cloud computing services
- Attacks affecting big data, blockchain, virtual assets, 3D or 4D printing or drones
- Attacks affecting AI or ML systems
For a complete list of attacks, refer to Annexure 1 of the CERT-In directives.
What organisations do these directions cover?
These directions cover service providers, intermediaries, data centres, body corporate, Virtual Private Server providers, cloud service providers, VPN service providers, virtual asset service providers, virtual asset exchange providers, custodian wallet providers and Government organisations. The new directives don’t cover individual citizens.
What type of data needs to be reported during a cyberattack?
Organisations are to provide all data asked for in the CERT-In incident reporting form, which is available online.
What if the required information isn’t available within six hours of a cyberattack?
If all the required information isn’t available, organisations are to provide as much information about the incident as they have collected.
Are ICT system logs required to be stored in India?
Logs can be stored outside of India as long as they can be delivered to CERT-In in a reasonable time.
Do these rules only apply to Indian companies?
The new directives apply to any organisation offering services to Indian customers.
Do corporate or enterprise VPNs also have to log user data?
The new rules only apply to organisations that offer internet proxy services using VPNs to general internet users. So no, corporate or enterprise VPNs are exempt.
What can service providers without a physical presence in India do?
Service providers without a physical presence in the country are required to appoint a point of contact for CERT-In to communicate with.
What authorities can ask for the data?
Data or log access orders may be given by a CERT-In officer, not below the rank of Deputy Secretary to the Government of India.