On April 28, the Indian Computer Emergency Response Team (CERT-In) issued “directions” under Section 70-B(6) of the Information Technology Act 2000 (IT Act) relating to information security practices, procedure, prevention, response and reporting of cyber incidents. These directions bring about a wide-ranging expansion in the scope of obligations compared to the Information Technology (The Indian Computer Emergency Response Team and Manner of performing functions and duties) Rules, 2013 (Rules). Among the activities for which compliance is sought from service providers, intermediaries, data centres and body corporates are: synchronising computer clocks to the network time protocol servers of the National Physical Laboratory and the National Informatics Centre (NIC); mandatory reporting of all cyber incidents within six hours of noticing them or being brought to notice of them, in the prescribed format; designating a point of contact and notifying CERT-In of it; undertaking to perform such actions for cyber security mitigation as CERT-In may notify; maintaining all logs of all ICT systems for up to 180 days within Indian jurisdiction; and, for data centres, virtual private network service providers, cloud service providers and virtual private server providers, maintaining all records of their users and usage for a minimum of five years.
While the overall thrust towards a robust cyber incident reporting and security regime is prudent, some of the provisions, in the absence of clarification from CERT-In, have raised concerns amongst industry observers and cyber security experts. For some time now, CERT-In has been struggling to get information and incident reporting from service providers, intermediaries as well as body corporates as per the Rules and its mandate under Section 70-B(4) of the IT Act. This was impacting its responsibility as a collector, analyser and disseminator of information on cyber incidents as well as its role in coordinating incident responses and emergency measures. So, it took recourse to the directions, which strangely do not differentiate between the scale and nature of incidents. Some cyber incidents are far more common and occur regularly. An organisation might receive hundreds of phishing emails, and the effort to notify each one would drastically increase its compliance cost. It would also be interesting to know what CERT-In’s strategy will be for dealing with commonplace cyber incidents, and how it will enhance its own capacity to handle the volume of reporting it is seeking.
A window of 60 days has been provided before implementation of these compliances begins. Given the scale of the revamp, this might be too short a window. The government must look at the concerns that arise from such directions and work out a realistic time scale. The ugly episode of the Twitter incident around compliance with the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, last year is a stark reminder of the pitfalls of rushing in compliances without factoring in concerns. In this case, there will be multiple companies even from the MSME sector that will take time to set up systems for compliances.
All covered entities also have to mandatorily enable logs and maintain them for 180 days within the Indian jurisdiction. At present, most entities maintain logs for around 30 days, and in order to maintain logs for 180 days, the additional data storage device cost would be huge. Similarly, data centres, virtual private server providers, cloud service providers and virtual private network service providers will need to retain additional information for five years or more after the cancellation or withdrawal of registration. The virtual asset industry too will have to maintain all KYC records and details of all financial transactions for five years. The compliance cost in each case is going to rise substantially.
Many of the entities will have to shift their servers geographically as well as add storage capacity. Most importantly, the recruitment of additional manpower for compliance may take far longer. A realistic timeline would be six months, which would allow the entities to effectively migrate to the new regime. The penalty for non-compliance is stiff (including up to one year of imprisonment and monetary fines). But it is also unfair to set unrealistic deadlines for industry.
This is also going to significantly affect organisations that have maintained their servers offshore, although the move is in line with the government’s stated objective of localising data storage. But what cannot be denied are the privacy concerns. With VPN providers and virtual asset wallets being asked to store and share KYC and transaction data, these concerns become evident. VPNs have been successful for corporates as well as individuals precisely because they address privacy concerns. There have been very few instances where these tunnels have been used for criminal activities and law enforcement authorities could not obtain support from the providers. In the absence of legislative backing for data protection, which has been on the anvil for more than two years, the question is: How will the user have any say over which information can be held back, or over how his sensitive personal information is being protected?
While CERT-In has been proactive in recognising the changing frontiers of technology and trying to deal with hitherto unknown cyber threats, it is wanting in terms of a graded approach to ensuring compliance.
https://indianexpress.com/article/opinion/columns/strengthen-cyber-security-right-way-7920843/