Cert-In, the Indian Cyber Security commission extended the date for the application of their new rules by three months. The new deadline is set as 25 September 2022, for VPN service providers.
Computer Emergency Response Team, India (Cert-In) made new rules for cyber security in April for Indian service providers. These service providers included Micro, Small, and Medium Enterprises (MSME), data centers, Virtual Private Networks (VPN), and cloud service providers. The earlier deadline was set on June 28 but due to infrastructural challenges, the deadline was extended by three months to 25 September. The Indian Cyber Security agency has made it compulsory to apply these regulations. If it is not used, service providers are free to leave the country.
According to the new guidelines service providers are expected to maintain a 5-year data or longer which includes:
- Names of their customers
- Period for which they hired the service
- IP addresses allotted to these usersÂ
- Email addressÂ
- Time stamps that are used at the time of registration
The VPN service providers are also expected to record the customer’s validated contact numbers, the purpose for which the service was used, and the ownership pattern of the consumers. To adhere to these new guidelines the service providers must invest their time and effort. The extension was given to build their systems according to the regulations. After several requests from service providers, especially MSMEs the extension was considered. This is a breather for MSMEs as earlier they have stated that they lacked the bandwidth to apply these changes. The security department expects a smooth transition without affecting the current service provisions.Â
Many service providers denied complying with the new guidelines. The reason stated was the privacy of their users. They wished to keep their user’s identities anonymous. The cyber security team did not consider their requests and instructed that if the rules are not applied the service provider can leave the country. Hence, many service providers like Surfshark. ExpressVPN and NordVPN have withdrawn their service from June 28 in India.Â
Role of Cert-In
The Computer Emergency Response Team was formed by the Government of India in 2004. The formation of this team was done to reduce increasing cyber crimes. Their functions are performed under the parent department Ministry of Electronics and Information Technology (MeitY). The board is responsible for taking action against cyber crimes and maintaining data. Since its formation, India has gained some control over the crimes in the country. They aim to reduce these crimes completely and create secure cyberspace. According to their data in 2021, India faced 11.5 million cyberattacks. These were recorded through corporate cyber attacks, attacks on critical infrastructure, and government agencies.Â
The new guidelines, it has also stated the compulsion of the six-hour reporting rule. Whereas companies have to report cyber security incidents within six hours of happening. This rule is to be strictly followed by big companies, some relaxations would be given to MSMEs and other small service providers. This will help the agency to track crime faster and better with the help of new guidelines.Â
Cyber Security is one of the rising concerns globally. With the increasing dependence on the internet and technology, it has become a necessity to secure your data and servers. Hacking servers, leaking confidential data, email spoofing, etc are a few examples that take place daily. In India, cyber crimes have started increasing in numbers since 2018. With the new guidelines and other measures taken by Cert-In teams, these crimes are expected to reduce. Even if they are not reduced they are at least tracked and that data has helped to reduce the upcoming crimes. With the strict application of these guidelines from September 25, tracking will become easier. Though the users have to be careful as their data will be available to the service providers.Â