CERT-In may float portal for cybersecurity incidents

The country’s cybersecurity agency is expected to soon come out with a fresh set of clarifications on its recent cybersecurity directive, people in the know said. During a meeting with a select group of stakeholders Friday, the Indian Computer Emergency Response Team (CERT-In) is learnt to have assured clarifications on the six-hour timeline to report cybersecurity incidents, know-your-customer norms, and storage of customer logs, among others.

The rules will kick in from June 27. The meeting took place after CERT-In’s cybersecurity norms were met with widespread pushback by a range of industry stakeholders. It was attended by Minister of State for Electronics and IT Rajeev Chandrashekhar, CERT-In chief Sanjay Bahl, and representatives from industry bodies like Internet and Mobile Association of India, Confederation of Indian Industry, US-India Business Council, US-India Strategic Partnership Forum, American Chamber of Commerce, FICCI, BSA | The Software Alliance, ITI Council, and Cellular Operators Association of India. Digital rights groups like Access Now also participated.

One of the most contentious issues between the government and stakeholders was the requirement to report cybersecurity incidents within six hours, which the industry believes is too short and stringent. During Friday’s meeting, stakeholders, it is learnt, were told that MeitY or CERT-In will not offer any relaxations in terms of the required reporting timelines. Instead, the agency may come up with a prescribed format for reporting cybersecurity incidents. “CERT-In may also come up with a specific portal for reporting such incidents so that entities have clarity on how much information they have to share with the agency,” a source said.

In a clarification on the six-hour reporting timeline to make it seem less burdensome, Bahl told stakeholders that they are only required to intimate the agency within six hours after discovering such an incident. “CERT-In only expects you to drop in an email within six hours alerting us about a cybersecurity incident,” he is learnt to have said. A formal clarification is expected soon on this, sources said.

While a large part of the meeting was centred around reporting timelines, which also led to CERT-In’s assurance to issue clarifications, the topic of some virtual private network (VPN) providers pulling out of India did not draw such assurances, sources said. The rules require VPNs to save an extensive amount of user information for five years. “We want VPNs to store data for five years because sometimes it takes a very long time for cyber incidents to be investigated,” Bahl is learnt to have clarified at the meeting. VPN providers like Surfshark and ExpressVPN have shut down their India servers in response to the norms. Queries sent to the IT Ministry remained unanswered until the time of going to press.

CERT-In, it is learnt, may also soon issue a clarification on how entities can come up with an effective KYC process. The rules require that crypto exchanges and wallets must maintain KYC details and records of financial transactions for five years. Industry stakeholders at the meeting pointed out that it was difficult to validate the identity of users under current processes, sources said. “A discussion on Aadhaar as a KYC document came up during the meeting and the ministry will mull on some KYC models that can be effective,” a person said.

During the meeting, which lasted over an hour, the agency also tried to assuage privacy concerns and told stakeholders that it will not ask for user logs that contain personally identifiable information of individuals; instead, it will only need incident-specific logs. Small companies and startups could be given leeway as they may need more time than bigger corporations to adjust to the rules, it is learnt.