Cybersecurity directions from the country’s computer emergency response body in effect since late September have been decried by the industry for overreach and compliance burdens. Is the outcry being heard? Indrajit Basu reports

I

ndia’s efforts to rein in big tech have for long roused great international interest, both for the size and potential of the country’s market as well as the controversy and confusion that the government’s implementation of new rules can create.

Take the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, which drew fierce criticism for violating digital rights when they were introduced in March last year. Amendments by New Delhi in June this year failed to assuage many industry players, who maintain they are overly protectionist.

And by including internet­-based communications such as WhatsApp calls, Facetime and Google Meet under telecom services, the draft Indian Telecommunication Bill, 2022, released at the end of September gives the government yet more unprecedented powers to regulate big tech, legal experts say.

But it is a set of directives on cybersecurity implemented in late September that have prompted the strongest pushback. The cybersecurity framework from the Indian Computer Emergency Response Team (CERT-In) was laid out by the Ministry of Electronics and Information Technology (MEITy) on 28 April. Now those rules have been enforced, sparking widespread resistance from the industry and demands for a review, or outright retraction. Several businesses have even quit the country.

Termed a “direction”, the framework relates to information security practices, procedures, responses and reporting for a “safe and trusted” internet. Although legislation to establish a data protection authority is still pending, the industry says these guidelines grant CERT-In extensive authority that’s beyond the mandate of its governing Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013.

CERT-In also released a set of frequently asked questions (FAQs) in May, and the new norms were enforced from 25 September. India’s internet industry is crying foul, alleging that the sweeping directions have cast a pall over its very existence.

“Given that the FAQs are not recognised by the law or the CERT-In as a document that can be legally recognised as a basis for compliance, industry risks non-compliance even if it adheres to [them],” New Delhi-based IT lobby NASSCOM warned in a recent letter to the ministry.

Even if the industry chose to depend on the FAQs, global clients will be obliged to query their legal standing and doubt the trustworthiness of the compliance status, says the body, which represents more than 3,000 companies. The FAQs have “created scope for undue frictions to arise in commercial relationships”, it adds.

One of the reasons the directions are facing resistance from companies is that “the directions are ultra vires the IT Act and the rules,” says Gowree Gokhale, partner and head of the TMT practice at Nishith Desai Associates in Mumbai.

Gokhale says CERT-In gets its authority from section 70-B(6) of the Information Technology Act, 2000 – the IT Act – and rule 15 of the rules. According to powers conferred by these two, CERT-In’s authority for issuing directions is clearly specific to a service provider, intermediary, data centre or body corporate. CERT-In cannot, then, issue general directions.

Additionally, the IT Act mandates that any rule must be laid before parliament. “Hence, CERT-In has bypassed the powers of the parliament as well as the central government for amending the IT Act and the rules. This is a dangerous precedent, since the amendment of the IT Act would have required a democratic process, and an amendment of the rules would need to be approved by the parliament,” says Gokhale.

Which now raises the question: What are the specific directives that have rattled the industry and cybersecurity experts?

Under the new regulations, companies must disclose cybersecurity problems within six hours, synchronise their clocks with those of the government, and keep system records for 180 days. The guidelines also oblige cryptocurrency firms, virtual private network (VPNs) and cloud providers to gather and keep customer data for up to five years, including names, addresses, phone numbers, email addresses and IP addresses, as well as usage trends. Failure to comply might result in penalties such as a fine or up to a year in jail. However, it is unclear who would be affected.

The original deadline for complying with the “cyber security directions” was 28 June. But due to the outrage from businesses and privacy groups, which said that the rules would be impossible to implement, the MEITy extended the deadline to September. It did not, however, make any concessions on the rules themselves, as had been requested by the industry.

The ministry also said that the rules were needed to stop the rise of cybercrime and data theft. According to government estimates, there were more than 1.4 million cybersecurity incidents in the country in 2021, while major companies including pizza chain Domino’s and Air India have reported major data breaches.

Yet the information needed to co-ordinate actions and emergency measures was often unavailable from service providers, data centres or corporate organisations, the ministry stated, making it difficult to analyse and investigate in line with the law.

The new rules were needed to augment cybersecurity “in the interest of the sovereignty or integrity of India, defence of India, security of the state, friendly relations with foreign states or public order,” says the MEITy.

Some new rules in the directions are no doubt timely, such as the mandatory reporting of data breaches and the overall aim to ensure cybersecurity.

For instance, in a June alert, CERT-In said that Google’s Chrome and Mozilla’s products had flaws that could make it easy for attackers to get user data. They could also provide a denial of service (DoS) across enterprise-wide systems, the agency added, clarifying that the vulnerabilities had already been fixed by Google and Mozilla, and all that users needed to do was to download their latest versions.

Cybersecurity experts say in the absence of an IT department in most organisations, and given the ignorance of internet users in general, had it not been for the CERT-In’s warning, few would have paid adequate attention to notifications from Google or Mozilla asking users to download the latest version of their browsers.

This is why, given that CERT-In is empowered to issue directions to a wide range of entities if they relate to the function of preventing, responding or reporting of cyber incidents, the agency’s directions could be considered valid as long as they can justify and demonstrate a particular rule is linked to those aspects, some experts say.

Besides, while certain aspects of the directions may be vague, businesses have developed their own interpretations and tailored compliance programmes accordingly.

Since the release of the FAQs, some organisations have developed an internal severity matrix, tied to the criteria mentioned in the clarifications, to characterise incidents as high-risk or high-impact, and ensure their notification within the six-hour timeline, says Vijayant Singh, a senior associate at Ikigai Law in New Delhi.

Still, others say the MEITy pushed through the changes without adequate debate, which has led to the inclusion of unwarranted or unclear provisions.

For instance, there are aspects in the directions that still raise questions, despite the CERT-In’s FAQs. “Since there is no legal definition of virtual asset service providers, virtual asset exchange providers, custodian wallet providers, etc., it is unclear who and what type of entity – whether cryptocurrency exchanges, wallets, NFT [non-fungible token] marketplaces – should be complying with it,” says Singh, referring to direction (vi) that mandates adherence to know-your-customer information norms on these service providers.

“In the absence of a legal definition, the CERT-In’s authority to demand compliance is questionable,” he adds.

Similarly, the linkage between collecting and validating additional subscriber data points and responding to cybersecurity incidents – direction (v) – is unclear. Singh argues that gathering more information is unlikely to deter cybercrime as malicious actors generally do not use their own accounts to commit criminal acts. On the contrary, storing more information than required could raise the risk of cyber incidents by increasing the surface area of attack.

Apart from that, the ambiguity in scope and phrasing of directions could also lead to confusion.

Direction (iv) instructs all entities to enable logs of all their ICT (information and communications technology) systems. “A vague definition of what is covered under ‘all their ICT systems’ leads to various concerns such as the government having access to or enterprises storing more data than necessary,” says Apar Gupta, an executive director at the Internet Freedom Foundation in New Delhi.

“Clarity over such a phrase is essential, while the criteria for directly synchronising system clocks with authorised servers are also ambiguous, even as researchers have raised concerns about the discoverability and dependability of these servers.”

Global players are protesting, too. In a letter to the Indian government in May, a consortium of 11 international corporations and IT organisations argued that the new regulations would make doing business in India more challenging. The letter, which was supported by tech firms including Facebook parent Meta, Google, Apple, Amazon and Microsoft, said the legislation would weaken security measures and have a “substantial unfavourable impact on corporations that operate in India”.

The six-hour reporting window was also criticised as too short: “CERT-In has not offered any justification as to why the six-hour deadline is essential, nor is it proportionate or in accordance with worldwide norms.”

Consequently, at least three international VPN providers – NordVPN, Surfshark and Expressvpn – pulled out of India in June, saying that New Delhi was pursuing a top-down approach to policymaking and the regulations conflicted with the basic nature of their services.

SnTHostings, a Pune-based VPN service provider, filed a lawsuit in September at Delhi High Court, asserting that the direction compelling it to collect user data and share it with CERT-In runs counter to the anonymity that is the entire basis of the company’s services.

“The directive announced by the CERT-In not only violates the right to privacy, but also is impossible to impose on any client due to the very nature of the service. Blanket monitoring is not a solution, at least not when it is up against the very basic right of the people,” SnTHostings said in its petition.

Delhi High Court on 28 September issued a notice to the government stating that the CERT-In directions were unconstitutional and violated citizens’ privacy. Small wonder then, that legal experts think that the directions need reworking.

“CERT-In should now conduct one round of consultation with the industry and resolve outstanding issues,” says Nishith Desai Associates’ Gokhale. “Further, it should also be considered whether the direction should be withdrawn, and relevant provisions should be included in the parent rules by way of appropriate amendments.”