MeitY refuses details on consultation process of CERT-In directions

The Ministry of Electronics and Information Technology (MeitY) refused details on consultations taken over the April 29 directions of the Indian Computer Emergency Response Team (CERT-In) citing ‘affect’ to national security.

The April 29 directions of CERT-In brings in additional compliance requirements for all body corporate whose users are in India. Many of the provisions, including mandatory 6-hour reporting of cybersecurity incidents, adhering to India-based time servers, logging requirements for service providers including VPNs and so on have raised concerns in various sectors of the industry.

These concerns have also raised questions on why a public consultation was not carried out before the directions were released. In fact, in a recent letter to CERT-In, lobby groups representing major companies across the world, while requesting the body to delay implementation of the directions, had also asked it to undertake a larger consultation for public reply. Earlier, Minister of State (MoS) in MeitY Rajeev Chandrasekhar reasoned not taking a public consultation as it “has no effect on citizens”

Responding to the Right to Information (RTI) petition filed by Moneycontrol, CERT-In on April 28 said, “Since the matter pertains to cyber security of the country and disclosure of information may prejudicially affect the security, strategic interests and economic interest, the information cannot be disclosed in terms of provisions of section 8(1)(a) of RTI Act.”

Moneycontrol had asked CERT-In to provide the names of those who were part of the consultation process, copies of submissions made by stakeholders who were part of this process, and minutes of meetings in relation to the April 29 directions.

Section 8(1)(a) of RTI Act states that a government body can be exempted from providing information if the disclosure of such information would “prejudicially affect the sovereignty and integrity of India, the security, strategic, scientific or economic interests of the State, relation with foreign State or lead to incitement of an offence”.

Apart from that, MeitY confirmed that a consultation process was taken up in regards to this directions, and that they were empowered to issue such directions as per provisions of sub-section (6) of section 70B of the IT Act, 2000.

Concerns regarding the directions
In the past one month, concerns have been raised regarding CERT-In’s direction that VPN service providers have to store customer details such as name, IP addresses and so on. VPN service providers such as NordVPN, Surfshark and others criticised logging requirements of the directions citing privacy concerns. Surfshark, even said that they may take up legal proceedings against the directions.

CERT-In also wanted companies to synchronise their servers’ clocks to the servers of the National Informatics Centre or the National Physical Laboratory. Time servers are a key aspect in a cyber security investigation. Experts have said that by choosing NIC or NPL time servers, issues regarding server time latency may prop up, and it has also been pointed out that there are other better options than NIC or NPL.

FAQs issued
Following the initial controversy regarding the directions, CERT-In released an FAQ document where it clarified that the VPN requirements will not apply to corporate and enterprise VPNs. It had clarified that the requirements will just apply for entities that provide “internet proxy like services through the use of VPN technologies, standard or proprietary, to general Internet subscribers”.

In the press conference organised to release the FAQ document, Union Minister Rajeev Chandrasekhar had warned virtual private network (VPN) service providers that if they do not follow the directions then they are free to terminate their businesses in the country.

However, the FAQs did not sit well with the industry. “We recognize that CERT-In recently released a set of FAQs related to the Directive aimed at addressing questions that stakeholders have raised with regard to implementation. However, given the FAQs do not carry the force of law, they do not offer enough assurance to businesses operating in India,” a letter to CERT- In written on April 26 by industry associations and lobbying groups including US Chamber of Commerce (USCC), US-India Business Council (USIBC), The Software Alliance (BSA) etc read.

Apart from USCC, USIBC, and BSA, the industry associations that were signatories of the letter are Asian Securities Industry and Financial Markets Association (ASIFMA), Bank Policy Institute (BPI), Coalition to Reduce Cyber Risk (CR2), US India Strategic Partnership Forum Cybersecurity Coalition, Digital Europe, techUK and Information Technology Industry Council (ITI). Moneycontrol