Cybersecurity directions from the country’s computer emergency response body in effect since late September have been decried by the industry for overreach and compliance burdens. Is the outcry being heard? Indrajit Basu reports
India’s efforts to rein in big tech have long roused great international interest, both for the size and potential of the country’s market and for the controversy and confusion that the government’s implementation of new rules can create.
Take the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, which drew fierce criticism for violating digital rights when they were introduced in March last year. Amendments by New Delhi in June this year failed to assuage many industry players, who maintain they are overly protectionist.
And by including internet-based communications such as WhatsApp calls, Facetime and Google Meet under telecom services, the draft Indian Telecommunication Bill, 2022, released at the end of September gives the government yet more unprecedented powers to regulate big tech, legal experts say.
But it is a set of directives on cybersecurity implemented in late September that has prompted the strongest pushback. The cybersecurity framework from the Indian Computer Emergency Response Team (CERT-In) was laid out by the Ministry of Electronics and Information Technology (MEITy) on 28 April. Now that those rules are being enforced, they have sparked widespread resistance from the industry and demands for a review, or outright retraction. Several businesses have even quit the country.
Termed a “direction”, the framework relates to information security practices, procedures, responses and reporting for a “safe and trusted” internet. Although legislation to establish a data protection authority is still pending, the industry says these guidelines grant CERT-In extensive authority that’s beyond the mandate of its governing Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013.
CERT-In also released a set of frequently asked questions (FAQs) in May, and the new norms were enforced from 25 September. India’s internet industry is crying foul, alleging that the sweeping directions have cast a pall over its very existence.
“Given that the FAQs are not recognised by the law or the CERT-In as a document that can be legally recognised as a basis for compliance, industry risks non-compliance even if it adheres to [them],” New Delhi-based IT lobby NASSCOM warned in a recent letter to the ministry.
Even if the industry chose to depend on the FAQs, global clients will be obliged to query their legal standing and doubt the trustworthiness of the compliance status, says the body, which represents more than 3,000 companies. The FAQs have “created scope for undue frictions to arise in commercial relationships”, it adds.
One of the reasons the directions are facing resistance from companies is that “the directions are ultra vires the IT Act and the rules,” says Gowree Gokhale, partner and head of the TMT practice at Nishith Desai Associates in Mumbai.
Gokhale says CERT-In gets its authority from section 70-B(6) of the Information Technology Act, 2000 – the IT Act – and rule 15 of the rules. According to powers conferred by these two, CERT-In’s authority for issuing directions is clearly specific to a service provider, intermediary, data centre or body corporate. CERT-In cannot, then, issue general directions.
Additionally, the IT Act mandates that any rule must be laid before parliament. “Hence, CERT-In has bypassed the powers of the parliament as well as the central government for amending the IT Act and the rules. This is a dangerous precedent, since the amendment of the IT Act would have required a democratic process, and an amendment of the rules would need to be approved by the parliament,” says Gokhale.
This raises the question: which specific directives have rattled the industry and cybersecurity experts?
Under the new regulations, companies must disclose cybersecurity incidents within six hours, synchronise their clocks with those of the government, and keep system logs for 180 days. The guidelines also oblige cryptocurrency firms, virtual private network (VPN) providers and cloud providers to gather and keep customer data for up to five years, including names, addresses, phone numbers, email addresses and IP addresses, as well as usage patterns. Failure to comply might result in penalties such as a fine or up to a year in jail. However, it is unclear who would be affected.
The original deadline for complying with the “cyber security directions” was 28 June. But due to the outrage from businesses and privacy groups, which said that the rules would be impossible to implement, the MEITy extended the deadline to September. It did not, however, make any concessions on the rules themselves, as had been requested by the industry.
The ministry also said that the rules were needed to stop the rise of cybercrime and data theft. According to government estimates, there were more than 1.4 million cybersecurity incidents in the country in 2021, while major companies including pizza chain Domino’s and Air India have reported major data breaches.
Yet the information needed to co-ordinate actions and emergency measures was often unavailable from service providers, data centres or corporate organisations, the ministry stated, making it difficult to analyse and investigate in line with the law.
The new rules were needed to augment cybersecurity “in the interest of the sovereignty or integrity of India, defence of India, security of the state, friendly relations with foreign states or public order,” says the MEITy.
Some new rules in the directions are no doubt timely, such as the mandatory reporting of data breaches and the overall aim to ensure cybersecurity.
For instance, in a June alert, CERT-In said that Google’s Chrome and Mozilla’s products had flaws that could make it easy for attackers to get user data. They could also provide a denial of service (DoS) across enterprise-wide systems, the agency added, clarifying that the vulnerabilities had already been fixed by Google and Mozilla, and all that users needed to do was to download their latest versions.
Cybersecurity experts say that, in the absence of an IT department in most organisations, and given the general ignorance of internet users, few would have paid adequate attention to notifications from Google or Mozilla asking users to download the latest version of their browsers had it not been for CERT-In’s warning.
This is why some experts consider the agency’s directions valid: CERT-In is empowered to issue directions to a wide range of entities where they relate to preventing, responding to or reporting cyber incidents, so a particular rule stands as long as the agency can justify and demonstrate its link to those functions.
Besides, while certain aspects of the directions may be vague, businesses have developed their own interpretations and tailored compliance programmes accordingly.
Since the release of the FAQs, some organisations have developed an internal severity matrix, tied to the criteria mentioned in the clarifications, to characterise incidents as high-risk or high-impact, and ensure their notification within the six-hour timeline, says Vijayant Singh, a senior associate at Ikigai Law in New Delhi.
Still, others say the MEITy pushed through the changes without adequate debate, which has led to the inclusion of unwarranted or unclear provisions.