SUMMARY
MeitY met industry stakeholders including VPN service providers, tech companies, policy groups and experts on Friday
The ministry will not relax the deadline for large companies but will relax the deadline for small companies on a case-to-case basis
The meeting happened against the backdrop of two VPN companies, Surfshark and ExpressVPN, shutting shops in India amid uncertainty around VPNs
The ongoing debate on the recent Indian Computer Emergency Response Team (CERT-In) guidelines on cybersecurity has taken another turn as the Ministry of Electronics and Information Technology (MeitY) looks set to enforce the norm which mandates companies to report cybersecurity incidents within six hours of them being noticed.
However, MeitY will be relaxing the June 28 deadline for smaller companies, on a case-to-case basis.
This comes after the Friday (June 10) meeting between MeitY and industry stakeholders. The meeting was chaired by the Minister of State for Information Technology Rajeev Chandrasekhar.
The meeting lasted for three hours and saw about 25 representatives from virtual private network (VPN) companies, technology companies, policy groups and experts discuss the CERT-In guidelines, first introduced on April 28.
According to an industry executive present at the meeting cited by ET, the government will not relax that six-hour reporting rule. Further, bigger companies will not be given any relaxation in the June 28 deadline, which means that big companies have around a fortnight to implement the reporting regime.
MeitY will also provide a centralised system in the form of an app of sorts, where companies can report the cybersecurity breaches within their networks. Companies won’t be required to mail the details of the same to CERT-In, according to sources cited by ET.
A senior government official was quoted as saying that most companies have agreed to follow the guidelines, with only some chinks needing ironing out. For now, MeitY is working on a set of frequently asked questions (FAQs) to simplify the guidelines.
The government will be meeting the industry again within 90 days to review the progress on the directives.
The directives, issued by CERT-In on April 28, include norms related to information security practices, procedures, prevention, response and reporting of cyber incidents under the provisions of sub-section (6) of section 70B of the Information Technology Act, 2000.
One of the most talked-about points within these directives is the treatment of VPNs. VPN companies are now required to maintain user activity logs and store sensitive personal information such as IP addresses and phone numbers for a duration of five years.
The government has excluded corporate VPNs from the CERT-In directives. However, individual users are still left vulnerable to surveillance from the government, as the directives do not make it clear under what circumstances can the government ask for a user’s activity log and personal information.
Rajeev Chandrasekhar has told the VPN companies that they are free to leave the country if they don’t want to maintain logs and adhere to the guidelines.
“If you don’t have the logs, start maintaining the logs. If you’re a VPN that wants to hide and be anonymous about those who use VPNs and you don’t want to go by these rules, then if you want to pull out (from the country), frankly, that is the only opportunity you will have. You will have to pull out,” he said.
Following this, Surfshark and ExpressVPN have shut down operations in India, with more to follow suit.
