A group representing Small and Medium-sized Enterprises (SMEs) made a submission on 20th June to the Ministry of Electronics and Information Technology (MeitY) and the Indian Computer Emergency Response Team (CERT-IN). The submission, viewed by MediaNama, asks that the time given to comply with CERT-IN's Cybersecurity Directions be extended to 300 days, and seeks clarity on how CERT-IN will secure the data it collects, on the data-logging requirement, and on other points.
The submission was made by Rootconf, a forum under HasGeek, a platform that hosts discussions on technology and business, with a particular focus on DevOps, infrastructure, Site Reliability Engineering and data privacy.
The document has been sent to Rajeev Chandrasekhar, Minister of State (MoS) at MeitY and Dr Sanjay Bahl, Director General at CERT-IN. It has also been circulated internally among ministry officials, MediaNama has learnt.
At a stakeholder meeting on the directions, held on 10th June, representatives had highlighted several concerns of SMEs, including a lack of capacity to report incidents and a lack of time to build that capacity. In response, the MoS had asked them to submit recommendations on the time required to build such capacity for complying with the directions, which the ministry may then consider.
Rootconf has now submitted its recommendations after conducting an internal consultation with SMEs on 14th June, the submission says.
Earlier, groups of larger technology companies had also requested extensions on compliance, which MeitY refused to grant. Shortly after they were notified, the directions were criticised by international technology bodies and prompted at least two VPN providers to pull their servers from India. The Cybersecurity Directions were notified on April 28th and place significant compliance requirements on companies, such as reporting cybersecurity incidents within 6 hours, maintaining system logs for 180 days, and requiring crypto and VPN companies to store logs of all transactions.
Why it matters: The submission reveals the issues smaller entities face with the directions, as they admit they lack the automated systems and funds to comply. It remains to be seen if, and when, the ministry accepts the SMEs' requests, given that it has so far staunchly defended the directions in the face of discontent from several tiers of industry stakeholders.
What smaller enterprises want changed and clarified in the directions
1. Easing the incident reporting requirement
- “Require reporting when systems are impacted due to DDoS/DoS attacks and not for every targeted scan,” Rootconf has said. According to it, this would reduce the cost of compliance, since targeted scans happen frequently. At the same time, Rootconf suggests that DDoS attacks should be reported even when systems are not impacted.
DDoS stands for Distributed Denial-of-Service, a type of Denial-of-Service (DoS) attack in which attackers attempt to disrupt access to a web service by overwhelming it. In a DDoS attack specifically, the normal traffic of a targeted server, service or network is disrupted by flooding the target or its surrounding infrastructure with internet traffic from many sources, according to Cloudflare. ‘Targeted scanning/probing of critical networks/systems’, which must be reported under the directions, would cover a critical network being scanned for vulnerabilities, for instance by probing its open ports and services.
- “Maintenance of a portal by CERT-IN, with form-based submissions as a reporting mechanism to streamline the process,” Rootconf has said. During the 10th June meeting, MeitY had said that it will create a portal to make it easier for smaller entities to report cybersecurity incidents and to ensure that reports arrive in a standard format.
- “Create a ‘Good Samaritan’ framework for individuals in organizations who report incidents,” Rootconf said.
Here, Rootconf is referring to the ‘Good Samaritan’ scheme instituted by the Ministry of Road Transport and Highways, under which an individual who reports a road accident, or takes a victim of one to a hospital, is not subjected to further scrutiny for doing so.
“A Good Samaritan framework here would mean if the company voluntarily reports a cybersecurity breach it should be equivalent to reporting something because the law required it, and it should not lead to the full force of the law coming after them, unless otherwise required. They should be protected and not prosecuted,” Rootconf told MediaNama.
“Complying with investigations should not be seen as a burden on the organization/ individual doing the reporting,” it said in its submission.
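The scan-versus-DDoS distinction Rootconf draws above is something an SME would have to implement in its own monitoring before it could decide what to send to CERT-IN. The following is an added illustration, not code from Rootconf, CERT-IN or MediaNama: it triages constructed firewall-style connection-log lines into "targeted scan" events (one source touching many ports) and "flood" events (many sources hammering one port), and routes only the floods to a reporting queue, attaching the operator's own impact flag. The log format, the thresholds (20 ports, 50 sources, 60-second windows) and the sample lines are all assumptions chosen for the example; real thresholds would be tuned to the deployment.

```python
"""Triage constructed connection-log lines into 'targeted scan' and 'flood' events.

Added illustration only; the log format, thresholds and sample data are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative thresholds (assumed, not taken from the directions or Rootconf).
SCAN_MIN_PORTS = 20       # one source reaching this many distinct ports in one window
FLOOD_MIN_SOURCES = 50    # this many distinct sources reaching one port in one window
WINDOW = timedelta(seconds=60)


def build_sample_log():
    """Constructed firewall-style lines: '<ISO timestamp> <src_ip> <dst_port> <action>'."""
    t0 = datetime(2022, 6, 14, 10, 0, 0)
    lines = []
    # One host probing 25 ports over 25 seconds: a targeted scan, nothing impacted.
    for i in range(25):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 198.51.100.7 {i + 1} DROP")
    # 60 distinct hosts hitting port 443 within six seconds: a volumetric flood.
    for i in range(60):
        ts = (t0 + timedelta(milliseconds=100 * i)).isoformat()
        lines.append(f"{ts} 203.0.113.{i + 1} 443 ACCEPT")
    return lines


def parse_line(line):
    """Split one log line into (timestamp, src_ip, dst_port, action)."""
    ts, src, port, action = line.split()
    return datetime.fromisoformat(ts), src, int(port), action


def classify(lines):
    """Bucket events into fixed WINDOW-sized slots and count, per slot, distinct
    ports per source (scan signal) and distinct sources per port (flood signal).
    Returns {'scans': {src: n_ports}, 'floods': {port: n_sources}}."""
    events = sorted(parse_line(line) for line in lines)
    if not events:
        return {"scans": {}, "floods": {}}
    t_min = events[0][0]
    ports_by_src = defaultdict(set)   # (slot, src) -> {dst_port}
    srcs_by_port = defaultdict(set)   # (slot, dst_port) -> {src}
    for ts, src, port, _action in events:
        slot = int((ts - t_min) / WINDOW)
        ports_by_src[(slot, src)].add(port)
        srcs_by_port[(slot, port)].add(src)
    scans = {src: len(p) for (_, src), p in ports_by_src.items()
             if len(p) >= SCAN_MIN_PORTS}
    floods = {port: len(s) for (_, port), s in srcs_by_port.items()
              if len(s) >= FLOOD_MIN_SOURCES}
    return {"scans": scans, "floods": floods}


def triage(lines, service_impacted=False):
    """Apply the split Rootconf argues for: floods go to the 'report' queue with the
    operator's own impact flag attached; scans on their own are logged, not reported."""
    summary = classify(lines)
    report = [
        f"DDoS on port {port} from {n} sources within {WINDOW.seconds}s; "
        f"impact={service_impacted}"
        for port, n in summary["floods"].items()
    ]
    log_only = [
        f"targeted scan: {src} probed {n} ports within {WINDOW.seconds}s"
        for src, n in summary["scans"].items()
    ]
    return {"report": report, "log_only": log_only}


if __name__ == "__main__":
    for queue, items in triage(build_sample_log(), service_impacted=True).items():
        for item in items:
            print(f"[{queue}] {item}")
```

Run stand-alone, the script places the 60-source flood on port 443 in the report queue and the 25-port probe from 198.51.100.7 in the log-only queue. The `service_impacted` flag is deliberately an input rather than something inferred from the log, since only the operator's availability monitoring can say whether the flood actually degraded the service, which is the criterion Rootconf's first suggestion hinges on.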
2. Providing clarity on data logging requirements
More clarity is needed on the exact data-logging requirements placed on service providers and on the number of days for which data must be stored, Rootconf said. The cost of storing logs grows steeply with retention time, and the guidelines also call for external validation of the logs, it noted.
Under the directions, entities have to keep logs of all their ICT systems and maintain them securely for a rolling period of 180 days.
3. Security of data CERT-IN will receive
“Provide clarity on methods used by CERT-In to ensure security of the data they receive,” Rootconf has mentioned in its submission.
Earlier, certain industry stakeholders, not specifically SMEs, had expressed concerns about the security of the data they would hand over to CERT-IN. Under the directions, companies are required to provide CERT-IN with information, including logs of customer transactions, in response to an order or direction from the cybersecurity body.
Other Recommendations made by Rootconf
1. Providing alternatives for validating customer data
The directions state that cloud service providers, data centres and similar entities will have to hold ‘validated’ information on their customers, i.e. authenticated information, which could be backed by Aadhaar, for example. For such Aadhaar-based validation, Rootconf recommended the use of services such as ‘digio.in and bureau.id which do not collect a copy of Aadhaar but use it for name and address verification or Aadhaar signatures through separate OTPs’.
It also asked the ministry to vet third-party identity-validation providers outside India for verifying the identities and addresses of foreign companies and nationals.
2. Training law enforcement officials on handling data
Training and capacity-building measures have been recommended for law enforcement officials, specifically for:
“1. Building knowledge around data access and sharing, stipulated in the current sharing regulations.
2. Managing incident reports around complex deployments,” the submission says.
According to Rootconf, local law enforcement officials responding to cybersecurity incidents are often unaware of what data they are entitled to access. This can include information an entity cannot provide, either because the data does not exist or because regulations restrict its sharing.
3. Parity in compliance requests for both foreign and Indian companies
“Parity in compliance requests for both foreign and Indian companies. Typically the ask for data from Indian companies is much higher than when dealing with foreign companies,” Rootconf has said.
4. Investigate issues online rather than in person
Lastly, Rootconf said, CERT-IN should examine an entity's involvement in an issue by hearing from it over phone, email or video conferencing, rather than summoning it in person.
Concerns previously raised by SMEs
At the earlier stakeholder meeting, SMEs had raised the following concerns specifically:
1. Legal recognition of the FAQs: A request was made to give the FAQs legal recognition so that they can be relied on for ensuring compliance. Stakeholders had then told MeitY that this was needed because the directions themselves are broad and vague, MediaNama had learnt.
For context, on May 18th MeitY released a set of FAQs on the directions which clarified some of their requirements, such as allowing companies to store logs outside India so long as they are made available to the Indian government when needed, exempting corporate VPNs, and so on. FAQs on a policy set out the government's stance and approach and answer questions raised by stakeholders. However, they are not a legal document, i.e. they are not enforceable in court.
2. Prohibitive cost of storing logs for SMEs: The heavy cost of storing logs, as required under the directions, was also raised during the meeting. “It is very prohibitive for small and medium-sized enterprises as there is a cost involved, anywhere from $1000 to $2,000 for seven days for 1 terabyte of data and this can be very prohibitive,” a source had then told MediaNama.
Timeline: Friction between industry and government on cybersecurity directions
7th June: VPN provider Surfshark announces that it is shutting down its servers in India.
2nd June: VPN provider ExpressVPN announces that it is removing its servers in India.
“With a recent data law introduced in India requiring all VPN providers to store user information for at least five years, ExpressVPN has made the very straightforward decision to remove our Indian-based VPN servers,” the company announced on June 2.
1st June: A submission from a coalition of civil society organisations, including the Internet Freedom Foundation, Access Now and the Software Freedom Law Centre, asks for the directions to be withdrawn, citing vagueness, lack of public consultation and other concerns.
26th May: A coalition of eleven global business and tech associations criticises the rules in a letter to CERT-IN, saying they undermine cybersecurity in India.
18th May: MeitY releases the FAQs document on the cybersecurity guidelines.
At the press conference releasing the FAQs, Chandrasekhar reportedly issues an ultimatum to VPN providers: comply with the directions or leave.
“There is no opportunity for somebody to say we will not follow the laws and rules of India. If you don’t have the logs, start maintaining the logs. If you’re a VPN that wants to hide and be anonymous about those who use VPNs and you don’t want to go by these rules, then if you want to pull out from the country, frankly, that is the only opportunity you will have. You will have to pull out,” minister of state for electronics and IT, Rajeev Chandrasekhar told reporters while releasing frequently asked questions (FAQs) regarding the rules.
9th May: The Information Technology Industry Council (ITI), an industry body representing the likes of Apple, Amazon, Meta, Google and Microsoft, writes to CERT-IN saying that the rules could have a negative impact on enterprises working in India.
6th May: Multiple VPN providers criticise the rules, calling them worse than those of ‘dictatorships’ like China or Russia, harmful to privacy, and more.
28th April: CERT-IN notifies the cybersecurity directions.
Update, 22nd June, 11:08 AM : The story was updated to reflect the correct description of Rootconf. The error is regretted.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.