India’s Ministry of Electronics and Information Technology (MeitY) and its Computer Emergency Response Team (CERT-In) have extended the deadline for compliance with cybersecurity directions introduced on 28 April, which were to come into force yesterday.
The guidelines call for detailed logging of user activities on VPNs and clouds, reporting of infosec incidents within six hours of detection – even for trivial things like unusual port scanning – exclusive use of Indian network time protocol servers and many other binding requirements. The instructions were meant to improve the security of local organizations and give CERT-In information it could use to assess threats against India. Yet the instructions allowed incident reports to be sent by fax – good old fax – to CERT-In, which has provided no evidence that it operates or would build any infrastructure capable of ingesting or analyzing the millions of incident reports sent to it by compliant organizations.
The guidelines were roundly criticized by tech lobby groups, who pointed out that requirements such as mandating that clouds store customer activity logs were futile, as clouds do not record what passes inside the resources rented by their customers. VPN providers have left India and moved their servers overseas, citing the inability to store user logs when their entire business model is based on not logging user activity. VPN operators moving overseas means the Indian government therefore has even less influence over such infrastructure.
The Indian government and relevant ministers acknowledged the complaints with an FAQ explaining the directions, but this document only added fuel to the fire, with vague language that confused matters rather than offering useful clarification. The government has not moved on another extraordinary aspect of the directions: a period of just sixty days to comply.
But yesterday the government blinked, issuing a document [PDF] that extends the compliance deadline to September 25, an additional 90 days.
This still leaves Indian organizations only 150 days to implement very significant work, and retains the six-hour reporting requirement that the Indian government defends as reasonable, although virtually all other jurisdictions prefer reporting windows of 72 hours.
The extension comes as protest against the directions continues. An open letter [PDF] dated June 27 and signed by computer security experts, including members of the Internet Society, the Global Encryption Coalition and the Internet Freedom Foundation, called for compliance with the directions to be postponed.
India’s Internet Freedom Foundation has called for the directions to be withdrawn.
Another VPN operator, PureVPN, left India yesterday citing inability to comply.
The Register attempted to ascertain whether the big clouds have already complied with the directions or made representations to Delhi regarding the requirements outlined in the document. Microsoft, Google, Alibaba and Oracle had not responded to our requests at the time of writing. AWS told us that it “complies with all applicable laws in the countries in which we operate.”
As it happens, the new deadline for compliance with the directions was not the only extension granted in India in recent days. In 2020, the country’s Reserve Bank imposed a requirement on payment service providers to tokenize credit card transaction records so that merchants are not required to store credit card data. The compliance deadline was pushed back last week to September – the third extension granted after industry comments that compliance within the original deadline was not achievable.
That approach contrasts with the one taken by MeitY and CERT-In, which conducted a single consultation with industry and did not take detailed representations at that event.
Indian IT Minister Rajeev Chandrasekhar, who took to social media to promote the consultation session, remained silent on the extension of the compliance deadline for the directions. Instead, he highlighted activities encouraging tech startups – all of which will have to comply with the directions and therefore start life with a higher regulatory burden than their rivals around the world. ®