NEW DELHI: Virtual Private Network (VPN) service providers that are unable to comply with the new criteria will be forced to leave India, warned Rajeev Chandrasekhar, minister of state for electronics and information technology.
While releasing FAQs (Frequently Asked Questions) on the latest regulation on reporting cyber breach occurrences, the minister stated that every well-meaning organisation or entity recognises that a safe and reliable internet will benefit them.
“There is no opportunity for somebody to say we will not follow the rules and laws of India. If you don’t have the logs, start maintaining the logs. If you are a VPN that wants to hide and be anonymous about those who use its VPN and you don’t want to go by these rules, if you want to pull out, then frankly you have no other opportunity but to pull out,” he said.
The Ministry of Electronics and Information Technology has mandated that cloud service providers, VPN (Virtual Private Network) providers, data centre providers, and virtual private server providers keep users’ data for at least five years.
Some VPN businesses have complained that the new legislation will lead to cyber security flaws in the system, which the minister has dismissed.
Chandrasekhar also stated that the government will not amend the rules requiring entities to report cyber breaches in their systems within six hours of becoming aware of them.
“The criminality and the cyber incidence, nature, type, shape, form of it are very complex. They have very sinister elements behind it. There are many state actors that are using vulnerability. Those who commit these breaches can move on very quickly. Immediate reporting is fundamental to investigating, forensic analysis, situational awareness of the nature of the incident,” he said.
The ITI, a US-based technology industry association with members including Google, Facebook, IBM, and Cisco, has asked the Indian government to revise its guideline on reporting cyber security breaches.
According to ITI, the new mandate’s requirements may have a negative impact on organisations and damage cyber security in the country.
Before finalising the directive, the industry association has requested a wider stakeholder consultation.
On April 28, the Indian Computer Emergency Response Team (CERT-In) issued an order requiring all government and private institutions, including internet service providers, social media platforms, and data centres, to disclose cyber security breaches to it within six hours of becoming aware of them.
The new circular issued by CERT-In requires all service providers, intermediaries, data centres, corporations, and government organisations to enable logs of all their ICT (Information and Communication Technology) systems and keep them secure for a rolling period of 180 days, and to keep them within Indian jurisdiction.
According to CERT-In, data centres, Virtual Private Server (VPS) providers, cloud service providers and Virtual Private Network (VPN) service providers are required to register the following accurate information, which they must maintain for a period of 5 years, or a longer duration as mandated by law, after any cancellation or withdrawal of the registration, as the case may be:
a. Validated names of subscribers/customers hiring the services
b. Period of hire including dates
c. IPs allotted to / being used by the members
d. Email address and IP address and time stamp used at the time of registration / on-boarding
e. Purpose for hiring services
f. Validated address and contact numbers
g. Ownership pattern of the subscribers / customers hiring services
The ITI has expressed concerns about the mandatory reporting of breach incidents within six hours of discovery, the requirement to enable logs of all ICT systems and keep them within Indian jurisdiction for 180 days, the overbroad definition of reportable incidents, and the requirement that companies connect to Indian government servers.