After concerns were raised over the new cybersecurity directives by the Indian Computer Emergency Response Team (CERT-In), industry experts feel that if the new guidelines are strictly enforced, corporate and enterprise virtual private networks (VPNs) will have to compulsorily report several serious offences, which will help end-users overall.
The new cybersecurity norms mandate the reporting of cybersecurity incidents and misuse of VPNs.
After the uproar over the April 28 directives, CERT-In, which comes under the IT Ministry, issued an updated document, or FAQs, saying that the new directives will only apply to general internet users who use commercially available VPNs.
CERT-In also clarified that the mandate to report cybersecurity incidents within six hours cannot be bypassed because of the contractual obligations of a company.
According to New Delhi-based cyberlaw expert Virag Gupta, current cybersecurity rules are 11 years old, which is a long time in the Internet era.
“Over this period, the shape and dimension of the Internet have changed significantly. The perpetrators of cybercrimes are both state and non-state actors with sinister designs,” Gupta told IANS.
As per the new policy, any service provider, intermediary, data centre, body corporate and government organisation will mandatorily report cyber incidents within six hours.
“If the terms of the policy are properly enforced by the authorities and cases are registered as per the mandate of the law, then how will police, digital labs and courts be able to handle huge numbers of cybercrimes?” he asked.
Amid the debate, Union Minister of State for IT and Skill Development and Entrepreneurship Rajeev Chandrasekhar has said that there would be no impact on business viability.
“The only restriction is that if VPN is misused for criminal activities, VPN operators will have to cooperate and produce the data of the person committing the criminal activity,” the minister said on the sidelines of a Nasscom event in Ahmedabad on Saturday.
As per CERT-In, there are various types of other offences like a data breach, data leak, the spread of computer contaminant, identity theft, spoofing, phishing, and Distributed Denial of Service (DDoS) attacks on applications such as e-Governance, e-commerce etc.
According to the FAQ, the rapid and mandatory reporting of incidents is a must and a primary requirement for remedial action to ensure the stability and resilience of cyberspace.
In a country that is targeting a $1 trillion digital economy and where nearly 80 crore people use the Internet, only 500,035 cases of cybercrime were recorded in 2020, according to data from the National Crime Records Bureau (NCRB).
As per NCRB data, only 4,047 cases of online banking fraud, 1,093 OTP frauds and 578 incidents of fake news on social media were reported in 2020.
“If these guidelines are strictly enforced, then all such offences will have to be compulsorily reported,” said Gupta.