wordpress blog stats
Connect with us

Hi, what are you looking for?

MeitY offers several concessions on CERT-IN guidelines during meeting with industry bodies

The MeitY held a meeting with industry stakeholders on their concerns about the government’s cybersecurity directives, offering some concessions

An extension on compliance timelines for small and medium-sized enterprises (SMEs), a portal for reporting cybersecurity incidents, a review of the directions 90 days after they go into force were among the things that were discussed in a June 10 meeting between industry stakeholders and government officials on the cybersecurity directions issued by CERT-IN. Rajeev Chandrasekhar, Minister of State for MeitY; Dr. Sanjay Bahl Director General at CERT-IN; Rajendra Kumar, Additional Secretary at MeitY were present at the meeting.

Apart from the aforementioned agenda, the need for issuing subsequent clarifications on the directions, and the burden of the directions on small and medium enterprises were also raised at the meeting. No discussions took place regarding VPNs at the meeting, it is learnt.

The cybersecurity directions notified on April 28, place significant compliance burdens on companies working in India such as requiring cybersecurity incidents to be reported within 6 hours, maintenance of systems logs for 180 days, crypto and VPN companies to store logs of all transactions, etc. They have already been criticized by multiple industry bodiestech companies, and cybersecurity experts, and have resulted in two VPN providers shutting down their servers in the country.

It will be interesting to see if and how much the ministry further clarifies these directions given that it has already issued a set of FAQs on it earlier this month, even as it has otherwise staunchly defended them.


Never miss out on important developments in tech policy, whether in India or across the world. Sign up for our morning newsletter, with a “Free Read of the Day”, to experience MediaNama in a whole new way.


Concessions granted by MeitY during the meeting

Format and portal for reporting of cybersecurity incidents: At the meeting, MeitY accused industry stakeholders of not wanting to report cybersecurity incidents and said that the directions had been implemented to create a ‘practice of incident reporting.’

Advertisement. Scroll to continue reading.

“Aapke ghar mein chori hoti hai (Your house is robbed), there is an accident, do you wait for 36 hours-72 hours for it to be reported to the police, or do you tell the police immediately when you come to know about it?” MeitY told industry representatives in response to concerns raised about the 6-hour reporting timeline for cybersecurity incidents, according to a source present at the meeting.

Industry bodies have asked for a 72-hour timeline to report cybersecurity incidents however, according to sources at the meeting, MeitY refused to provide any relaxations there and instead a format for companies to report cybersecurity incidents would be provided and they would explore the possibility of a portal for reporting the same as well.

Clarifications underway on requirement for validated data: Clarifications will be issued by the ministry on the directive’s requirement for data centres, cloud service providers (CSPs), virtual server providers, etc to maintain validated information of their customers, it is learnt.

Industry stakeholders reiterated their earlier concern that CSPs and data centres do not have the capability to provide ‘validated’ information on their customers i.e authenticated information that could be backed by Aadhaar, for example. During the meeting, MeitY said that it would look for a solution for this.

Review on directions 3 months after implementation: At the meeting, officials also said that they would conduct review meetings 90 days after the directions are implemented to address any challenges that the industry might be facing. For context, the directions are said to go into effect towards the end of June.

Relaxation on the timeline for SMEs: For SMEs, MeitY asked representatives to get back to them with the time it could take them to build capacity to comply with the 6-hour timeline, after which the Ministry may extend the deadline for them to abide by the new directions.

Advertisement. Scroll to continue reading.

Concerns for SMEs raised during the meeting

Legal recognition of the FAQs: Sources said that the government was requested to provide legal recognition to the FAQs so they can be referenced for ensuring compliance, as the directions themselves were broad and vague.

On May 18th, MeitY released a set of FAQs to the directions which clarified some of its requirements, such as allowing companies to store logs outside of India so long as they were made available to the Indian government when needed, exempting corporate VPNs, and so on. FAQs on a policy provide clarity on the government’s stance, approach on a policy, and answer questions raised by stakeholders on it. However, they are not a legal document, i.e., not enforceable in court.

Prohibitive cost of storing logs for SMEs: Concerns were raised about the costs of maintaining logs as per the directions for SMEs. “It is very prohibitive for small and medium-sized enterprises as there is a cost involved, anywhere from $1000 to $2,000 for seven days for 1 terabyte of data and this can be very prohibitive,” a source told MediaNama. Under the directions, entities have to maintain logs of all their ICT systems and maintain them securely for a rolling period of 180 days.

Timeline: Friction between industry and government on cybersecurity directions

7th June: VPN Provider SurfShark announces that it is closing its servers in India.

2nd June: VPN provider ExpressVPN announces that it is removing its servers in India.

“With a recent data law introduced in India requiring all VPN providers to store user information for at least five years, ExpressVPN has made the very straightforward decision to remove our Indian-based VPN servers,” the company announced on June 2

1st June: submission from a coalition of civil organisations including Internet Freedom Foundation, Access Now, Software Freedom Law Centre, etc. ask for the directions to be withdrawn because of vagueness, lack of public consultation, and so on.

Advertisement. Scroll to continue reading.

26th May: A coalition of eleven global business and tech associations criticises the rules, saying it was undermining cybersecurity in India, in a letter to CERT-IN.

18th May: MeitY releases the FAQs document on the cybersecurity guidelines.

At the press conference, Chandrashekhar reportedly issues an ultimatum to VPN providers to comply with the directions or leave.

“There is no opportunity for somebody to say we will not follow the laws and rules of India. If you don’t have the logs, start maintaining the logs. If you’re a VPN that wants to hide and be anonymous about those who use VPNs and you don’t want to go by these rules, then if you want to pull out from the country, frankly, that is the only opportunity you will have. You will have to pull out,” minister of state for electronics and IT, Rajeev Chandrasekhar told reporters while releasing frequently asked questions (FAQs) regarding the rules.

9th May: Information Technology Industry council (ITI), an industry body representing the likes of Apple, Amazon, Meta, Google, and Microsoft, write to CERT-IN saying that the rules could have a negative impact on enterprises working in India.

6th May: Multiple VPN providers criticise the rules, calling them worse than those of ‘dictatorships’ like China or Russia, harmful to privacy, and more.

28th April: CERT-IN releases the cybersecurity directions.

Advertisement. Scroll to continue reading.

This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.

Also read:

  • CERT-In issues new cybersecurity directions for crypto, VPN companies
  • Deep Dive: The legality of India’s new cybersecurity directive
  • Summary: What the FAQs on the cybersecurity directive say
Written By

I cover health technology for MediaNama but, really, love all things tech policy. Always willing to chat with a reader! Reach me at anushka@medianama.com

Free Reads

News

This should facilitate quicker settlement of funds for merchants and also boost user confidence in digital payments, RBI Governor said.

News

While Chandrasekhar said the advisory doesn't include startups, the advisory itself does not make any such classification based on platform sizes.

News

The case dates back to 2019 when Spotify filed a complaint against Apple's anti-steering rules which prevented apps like Spotify from informing their users...

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.

Views

News

NPCI CEO Dilip Asbe recently said that what is not written in regulations is a no-go for fintech entities. But following this advice could...

News

Notably, Indus Appstore will allow app developers to use third-party billing systems for in-app billing without having to pay any commission to Indus, a...

News

The existing commission-based model, which companies like Uber and Ola have used for a long time and still stick to, has received criticism from...

News

Factors like Indus not charging developers any commission for in-app payments and antitrust orders issued by India's competition regulator against Google could contribute to...

News

Is open-sourcing of AI, and the use cases that come with it, a good starting point to discuss the responsibility and liability of AI?...

You May Also Like

News

Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...

Advert

135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...

News

By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

News

Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Name:*
Your email address:*
*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ