Days after some virtual private network (VPN) service providers threatened to quit India operations instead of complying with the new CERT-In directives (cyber security norms), the Centre on Wednesday (May 18) said the rules are mandatory.
Minister of state for electronics and IT, Rajeev Chandrasekhar, told the media: “There is no opportunity for somebody to say we will not follow the laws and rules of India.”
The minister added: “If you don’t have the logs, start maintaining the logs. If you’re a VPN that wants to hide and be anonymous about those who use VPNs and you don’t want to go by these rules, then if you want to pull out from the country, frankly, that is the only opportunity you will have.”
The CERT-In norms released last month are meant for VPN service providers, who give their customers a secure and private network that connects one or more locations, local networks or intranets together. The norms also apply to data centres and cloud service providers.
The service providers that do not have a physical presence in India will have to designate a point of contact to liaise with CERT-In. These rules will come into effect in the next 60 days.
The CERT-In norms require these entities to store the names, email IDs, contact numbers and IP addresses of their customers for at least five years. These entities must also inform CERT-In about a cybersecurity breach within six hours. Non-compliance may attract penalties under the Information Technology (IT) Act.
Data centres and VPN service providers may also store the logs outside India, on condition that they can be produced before CERT-In in time.
However, the directives do not apply to enterprise/corporate VPNs. “No. For the purpose of this direction, VPN service provider refers to an entity that provides ‘Internet proxy like services’ through the use of VPN technologies, standard or proprietary, to general internet subscribers/users,” stated the frequently asked questions (FAQs) released by minister Reddy on Wednesday.
The government also tried to allay fears of a breach of citizens’ privacy. “The right to informational privacy of individuals is not affected…. These directions do not envisage seeking of information by CERT-In from the service providers on continuous basis as a standing arrangement. CERT-In may seek information from service providers in case of cyber security incidents and cyber incidents, on case-to-case basis, for discharge of its statutory obligations to enhance cyber security in the country. The service providers are bound to protect the users’ information by following reasonable security practices and procedures,” the FAQs explained.