Introduction & Applicability
The Indian Computer Emergency Response Team (“CERT-In”), the nodal agency for dealing with cyber security threats, formed under the aegis of the Ministry of Electronics and Information Technology (MeitY), Government of India, issued certain directions on 28 April 2022 (“Directions”). These Directions are applicable to service providers, intermediaries, data centres, body corporates, Virtual Private Server (VPS) providers, Cloud service providers, Virtual Private Network (VPN) service providers, virtual asset service providers, virtual asset exchange providers, custodian wallet providers and Government organisations. The Directions are issued under sub-section (6) of section 70B of the Information Technology Act, 2000, relating to information security practices, procedure, prevention, response and reporting of cyber incidents for a safe and trusted internet.
The Directions came into effect on 28 June 2022, that is, 60 days from the date of issue of the Directions (28 April 2022). However, on 27 June 2022, the Government issued a circular extending the timelines for enforcement of the Directions in respect of:
- Micro, Small and Medium Enterprises (“MSMEs”); and
- implementation of a mechanism for validating subscriber/customer details by Data Centres, VPS providers, Cloud Service providers and VPN Service providers.
The criteria for classification of MSMEs as per the relevant Government notification are as follows:
- a micro enterprise, where the investment in Plant and Machinery or Equipment does not exceed INR 10 Million and turnover does not exceed INR 50 Million;
- a small enterprise, where the investment in Plant and Machinery or Equipment does not exceed INR 100 Million and turnover does not exceed INR 500 Million;
- a medium enterprise, where the investment in Plant and Machinery or Equipment does not exceed INR 500 Million and turnover does not exceed INR 2,500 Million.
The extension of timelines for implementation of these Directions has been provided in respect of MSMEs to allow them reasonable time for the capacity building required to implement these Directions.
Accordingly, the Directions will become effective on 25 September 2022 for the aforesaid entities.
Subsequent to the issuance of the Directions, in May 2022, CERT-In issued Frequently Asked Questions (“FAQs”) on the Directions to help the applicable entities better understand and apply them.
The FAQs clarified that individual citizens are not covered by these Directions and that the Directions do not envisage CERT-In seeking information from service providers on a continuing basis as a standing arrangement. CERT-In may seek information from service providers in case of cyber security incidents and cyber incidents, on a case-to-case basis, for the discharge of its statutory obligations to enhance cyber security in the country. The service providers are bound to protect users’ information by following reasonable security practices and procedures.
Further, the FAQs provide some clarity on the ambiguity around the obligation to register and maintain information about subscribers/customers. The FAQs indicate that this obligation does not apply to enterprise/corporate VPNs. For the purpose of the Directions, a VPN service provider refers to an entity that provides “Internet proxy like services” through the use of VPN technologies to general Internet subscribers/users. With reference to the requirement for such entities to register information, ‘ownership pattern of the subscribers/customers hiring services’ has been clarified to mean basic information about the customers/subscribers who use their services, viz. individual, partnership, association, company etc. of whatsoever nature, with brief particulars of key management.
Directives under the Directions
In terms of the Directions, the following directives are issued to augment and strengthen the cyber security in the country:
- All service providers, intermediaries, data centres, body corporates and Government organisations shall connect to the Network Time Protocol (NTP) Server of the National Informatics Centre (NIC) or National Physical Laboratory (NPL), or to NTP servers traceable to these NTP servers, for synchronisation of all their ICT system clocks. Entities having ICT infrastructure spanning multiple geographies may also use an accurate and standard time source other than NPL and NIC; however, it must be ensured that their time source does not deviate from NPL and NIC.
- Any service provider, intermediary, data centre, body corporate and Government organisation shall mandatorily report cyber incidents (as mentioned in the Directions) to CERT-In within 6 hours of noticing such incidents or being brought to notice about such incidents. The incidents can be reported to CERT-In via email, phone and fax. The details regarding methods and formats of reporting cyber security incidents are also published on the website of CERT-In and will be updated from time to time.
- The service providers, intermediaries, data centres, body corporate and Government organisations are required to designate a “Point of Contact” to interface with CERT-In. The information relating to a Point of Contact shall be sent to CERT-In in the format specified at Annexure II of the Directions and shall be updated from time to time. All communications from CERT-In seeking information and providing directions for compliance shall be sent to the said Point of Contact.
- All service providers, intermediaries, data centres, body corporate and Government organisations are mandatorily required to maintain logs of all their Information and Communication Technology (ICT) systems securely for a rolling period of 180 days within the Indian jurisdiction. These are required to be maintained in-house and provided to CERT-In along with reporting of any incident or when ordered / directed by CERT-In.
- Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers and Virtual Private Network Service (VPN Service) providers are also required to register the following accurate information, which must be maintained by them for a period of 5 years, or a longer duration as mandated by law, after any cancellation or withdrawal of the registration, as the case may be:
- Validated names of subscribers/customers hiring the services,
- Period of hire including dates,
- IPs allotted to / being used by the members,
- Email address and IP address and time stamp used at the time of registration / on-boarding,
- Purpose for hiring services,
- Validated address and contact numbers,
- Ownership pattern of the subscribers / customers hiring services.
- The virtual asset service providers, virtual asset exchange providers and custodian wallet providers (as defined by the Ministry of Finance from time to time) shall mandatorily maintain all information obtained as part of Know Your Customer (KYC) and records of financial transactions for a period of 5 years, so as to ensure cyber security in the area of payments and financial markets for citizens while protecting their data, fundamental rights and economic freedom in view of the growth of virtual assets. For the purpose of KYC, the procedures mandated by the Reserve Bank of India (RBI) Directions 2016, the Securities and Exchange Board of India (SEBI) circular dated 24 April 2020 and the Department of Telecom (DoT) notice dated 21 September 2021, as amended from time to time, apply.
With respect to transaction records, accurate information shall be maintained in such a way that individual transactions can be reconstructed along with the relevant elements comprising, but not limited to, information relating to the identification of the relevant parties including IP addresses along with timestamps and time zones, transaction ID, the public keys (or equivalent identifiers), addresses or accounts involved (or equivalent identifiers), the nature and date of the transaction, and the amount transferred.
Further, the FAQs to the Directions indicate the logs that should be maintained depending on the sector the organisation is in, such as Firewall logs, Intrusion Prevention System logs, SIEM logs, web/database/mail/FTP/Proxy server logs, event logs of critical systems, application logs, ATM switch logs, SSH logs, VPN logs etc. It may be noted that this list of logs is not exhaustive but has been provided to give a flavour of the logs to be maintained by the relevant teams.
Storage of logs within Indian jurisdiction
In terms of the FAQs to the Directions, the logs may also be stored outside India, as long as the applicable entities adhere to the obligation to produce the logs to CERT-In within a reasonable time. Taking a conservative view, it appears that the logs should be maintained in India only. Having said that, the FAQs clarify that all logs and records of financial transactions need to be maintained within the Indian jurisdiction.
Impact of the Directions on companies
The Directions affect the decentralised manner of network operation and management by requiring all entities and servers (to which these Directions apply) to connect to the NTP servers of the NIC or NPL. In the case of companies with infrastructure spanning several geographies, such as cloud service providers, the Directions permit such companies to use their own time source as long as it does not deviate from NPL and NIC time. By requiring all entities and service providers to comply with the Directions, this could potentially create large chokepoints, putting each of the companies at risk of impact from a failure.
Further, the requirement that all entities and servers should connect to the Indian Government’s NTP servers of the NIC or NPL, or to servers traceable to these NTP servers for synchronisation of all their ICT systems clocks, creates a significant risk of a single point of failure and vulnerability. There are also concerns about the capacity of the Indian Government’s servers, and whether the NIC and NPL servers can serve potentially millions of entities and billions of devices hitting the same set of servers from the perspectives of technical capacity, budget, and human resources.
Moreover, the Directions take a ‘one size fits all’ approach as regards the requirement of maintaining ICT logs. Mandating all entities to retain all of their ICT logs for a period of 180 days is an extremely broad approach, creating a vast repository of log information. This could prove to be a significant hurdle for small and medium enterprises (SMEs), which might not have the resources or the capacity to maintain such vast archives of their logs.
In addition, the requirement for entities to report cyber incidents within 6 hours of noticing such an incident is not aligned with global best practices. The EU’s General Data Protection Regulation (GDPR) allows a 72-hour window to report breaches. There are multiple other concerns resulting from this requirement, such as entities, especially SMEs, being unable to hire staff around the clock to comply with it.
Keeping in mind all these concerns, some companies have decided to withdraw their operations from India, as they follow a strict “no-logs” policy, primarily due to privacy concerns. ExpressVPN is one such entity; another popular VPN service provider, Surfshark, followed suit just one day before the Directions came into effect. Surfshark reported that its new virtual servers for India will be located in Singapore and London. Surfshark said that Indian users will not notice any difference in its services after the removal of Indian servers, adding that Indian customers will still be able to connect to whichever server outside the country they please.
The Directions introduce substantial compliance costs and burdens, especially for small and medium enterprises in the country, and for new entrants/start-ups looking to enter the ever-growing technology industry, thus making the Internet less open for those who want to use it.
Further, the overarching mandate for all entities to connect to government-mandated NTP servers and retain logs of all their ICT systems, as well as the strict model for addressing cyber incidents, are also likely to hamper the principle of global connectivity.
Additionally, CERT-In should clearly provide for how the information demanded from entities in case of cyber incidents will be used. This is important for the privacy of user and business data, given that the country does not have a robust data protection law at present.
While there is a need for such directions (as have been issued by CERT-In) in order to address cyber security incidents and threats in India, it is also important to have legislation that does not impede growth or complicate data storage for companies. Time will tell how these Directions are complied with and what their far-reaching consequences will be in this all-encompassing Internet era.