Information Technology Industry Council, a US-based tech group with members including Google, Facebook, IBM, and Cisco, has asked the Indian government to revise its policy
Virtual Private Network (VPN) service providers that are unable to comply with the new criteria of the country would be forced to leave India, according to Rajeev Chandrasekhar, Minister of State for Electronics and Information Technology.
While releasing Frequently Asked Questions (FAQs) on the latest regulation on reporting cyber breach occurrences, the minister stated that any well-intentioned organization or entity recognizes that a safe and reliable internet is going to help it.
VPN companies need to keep logs
The minister said that there is no way for anyone to suggest that they will not obey India’s regulations and laws. He said that VPN companies need to keep logs if they don’t already have them.
If there is a VPN, the minister added, that wants to hide and be anonymous about individuals who use its VPN and doesn’t want to follow these guidelines, it has no choice but to leave the country.
Cloud service providers, VPN (Virtual Private Network) companies, data center companies, and virtual private server providers must preserve users’ data for at least five years, according to the Ministry of Electronics and Information Technology.
Government adamant to amend the rules
Mr Chandrasekhar also stated that the government will not amend the rules requiring businesses to report cyber breaches in their systems within six hours of detecting them.
According to him, the nature, type, shape, and form of cybercrime and cyber incidents are extremely complicated and have some really sinister components to them.
He maintains that many state actors take advantage of weakness and immediate reporting is critical to the investigation, forensic analysis, and situational awareness of the incident’s nature.
New policy will lead to cyber security flaws, VPN providers argue
Pertinently, some VPN providers have argued that the new policy will lead to cyber security flaws in the system, but the minister has dismissed this assertion.
Information Technology Industry Council (ITI), a US-based technology tech group with members including Google, Facebook, IBM, and Cisco, has asked the Indian government to change its directive on reporting cyber security breaches.
The requirements of the new mandate, according to the ITI, may have a negative impact on businesses and impair cyber security in the country.
The ITI is concerned about the requirement that companies connect to the servers of Indian government entities within six hours of becoming aware of a breach, the requirement to enable logs of all ICT systems and keep them within Indian jurisdiction for 180 days, the overbroad definition of reportable incidents, and the requirement that companies connect to the servers of Indian government entities.
Before the directive is finalized, the industry association has requested a larger stakeholder consultation.
It is in place to mention here that on April 28, the Indian Computer Emergency Response Team (CERT-In) issued an order requiring all government and private entities, including internet service providers, social media platforms, and data centers, to disclose cyber security breaches to it within six hours of becoming aware of them.
All service providers, intermediaries, data centers, corporations, and government organizations are required to enable logs of all their ICT (Information and Communication Technology) systems and maintain them securely for a rolling period of 180 days, according to a new circular issued by the CERT-In. The logs must be kept within the Indian jurisdiction.