It is difficult to dispute that India needs robust cybersecurity regulation and incident tracking capabilities. India is one of the most vulnerable nations when it comes to cyberattacks, witnessing a 200 percent increase year on year. The choice of targets of such cyberattacks is also alarming – it includes critical infrastructure such as the nation’s power grid, oil producers, banks, and transport networks. An overhaul of the cybersecurity reporting framework in India is long overdue. In late May 2022, amended rules were released in respect of the national nodal body for cybersecurity, CERT-In, and they will come into force at the end of June 2022.
But there has been surprise and dismay at some parts of these new rules, which seem to be geared towards enhancing law enforcement and surveillance powers more than cybersecurity. In this article, we argue that there is a real risk of these cybersecurity rules being rendered ineffective in practice.
Changes in the New Cybersecurity Rules
The first significant change in the new rules is that entities of every description are now mandated to report cybersecurity incidents to CERT-In within 6 hours of ‘noticing’ such incidents. Earlier, the law required you to report such incidents ‘within a reasonable timeframe’. The (expanded) list of cybersecurity incidents includes unauthorized access to IT systems or data; compromise of critical systems; data breaches; identity theft and phishing; malware affecting cloud computing systems, software related to big data, blockchain, virtual assets, and drones; and cyber threats or attacks on social media accounts, payment systems, and IoT devices. (And there is a separate discussion to be had on the feasibility of a 6-hour reporting timeline.)
The new rules start to push the boundaries of pure cybersecurity regulation when they require local storage of logs. All entities are mandated to enable the logs of their ICT systems and maintain them securely for a rolling period of 180 days in India. The intent here seems to be to ensure that, when required, CERT-In is able to access logs expeditiously. A set of FAQs released in late May 2022 clarifies that logs may also be stored outside India, as long as the obligation to provide logs to CERT-In within a reasonable time is adhered to.
The new rules also require certain categories of organizations to store records in India for 5 years. These are data centres, virtual private server (VPS) providers, cloud service providers, and virtual private network service providers (VPN services). These organizations are required to store information such as the names of subscribers/customers, the purpose of hiring the service, the IP addresses allotted to members, contact details and the ownership pattern of the subscribers/customers, etc., for a period of 5 years.
It is not made clear in the draft rules or the FAQs why these specific entities have been singled out, or how collecting the information of their customers will help CERT-In respond better to cyber threats. Similar concerns arise when the new rules next require ‘virtual asset’ service providers and exchange providers (such as NFT platforms and cryptocurrency exchanges) to maintain a record of information obtained as part of Know Your Customer (“KYC”) checks, transaction data (e.g., IP addresses, account details, etc.) and records of financial transactions for a period of five years. Finally, in an echo of last year’s intermediary rules, entities are to designate a ‘Point of Contact’ to act as a liaison between the entity and CERT-In.
The Risks of Mixing Regulations
Like the 2021 intermediary rules before them, a large part of the draft 2022 cybersecurity rules seems aimed at addressing gaps in the powers of Indian law enforcement – in particular, the lack of sectoral regulations (and regulators), the practice of storing data outside India, etc. There is a real risk that the enforcement and surveillance portions of these regulations overshadow the cybersecurity ones, thereby having only a ‘skin deep’ effect on the state of cybersecurity in India.
The attempt to ‘shadow regulate’ unregulated sectors is an emerging theme in the Indian regulatory ecosystem, and these rules may fit that pattern. There are no specific sectoral laws that regulate data centres or NFT platforms, for instance, but now the Government has a way to require them to turn over financial information. Where before the Government could not approach an MNC cloud services company and require a list of its customers without being told to go through MLAT channels, it can now ask for such details through a cybersecurity regulation. As under the 2021 rules, there is a ‘point of contact’ who can be approached for information and (potentially) made personally responsible for compliance.
The FAQs released after the draft rules push back against this argument to an extent, clarifying that these directions “do not envisage seeking of information by CERT-In from the service providers on continuation basis as a standing arrangement. CERT-In may seek information from service providers in case of cyber security incidents and cyber incidents, on case to case basis, for discharge of its statutory obligations to enhance cyber security in the country.” The proof, as ever, will be in practice. There is no arguing that these new regulations would make life a lot more ‘interesting’ for (in particular) foreign companies doing business through Indian entities, and at the very least add to compliance costs and burdens.
More worryingly, there is a ‘moral hazard’ risk that entities will simply not report cybersecurity breaches if they are fearful of attracting the unwanted attention of a Government regulator who can (theoretically) ask them to turn over the ownership patterns of their customers. Seen another way, if an organization fails to submit a cyber incident report within 6 hours (as is eminently possible), it may forgo submitting such a report at all for fear of penalty. More drastically, businesses may minimize or even wind up their activities in India if they are unwilling to comply with these rules (and this may not exactly be an ‘unintentional’ consequence).
Cybersecurity is the one sector where the Government and private enterprise need to work closely together to combat threats; there has to be a level of trust and free flow of information for this effort to be successful. If CERT-In does not receive cooperation from businesses from the first detection of cyber threats, and is then constrained to ‘squeeze’ information out of an unwilling provider, then the efficacy of any new cybersecurity measures would be minimal.