Written by Anviti Rai
The directions issued by the Indian Computer Emergency Response Team (CERT-In), ostensibly aimed at preventing cyber security breaches, have already caused a stir. Effective June, virtual private network (VPN) service providers and virtual asset service providers (such as cryptocurrency exchanges) will be required to retain users’ personal data for five years and hand it over to the government on request, or face penal action. Virtual asset service providers must also retain Know Your Customer (KYC) details for the same period, and organisations must report cyber incidents to CERT-In within six hours of noticing them. It is not difficult to see why these regulations are excessive and unrealistic. The government and some experts are of the view that the rules will strengthen the legal framework needed to fight cybercrime. Union Electronics and IT Minister Ashwini Vaishnaw said the rules would not raise privacy concerns. “Suppose someone shoots with a mask, wouldn’t you ask them to remove that mask? That’s it,” he told The Indian Express. The minister’s assurance notwithstanding, the rules have several gaps.
For example, according to CERT-In, 212,485 cybercrime incidents were reported in the first two months of 2022, an average of about 3,600 incidents per day. If every incident had to be reported within six hours, CERT-In would need enormous infrastructural capacity to deal with such an overwhelming caseload. Handling an incident is a long and tedious process: a form has to be filled out, evaluated and triaged, and, if necessary, a team assigned. If the new system is implemented, the agency, which is already struggling with poor infrastructure and investigative capacity, will be swamped, especially when the global norm for the reporting window is 72 hours. Instead, one might look to the United States, which recently signed into law the Better Cybercrime Metrics Act, which designates local law enforcement agencies to collect and report cybercrime data. In India’s case, it is not clear whether cases will be referred to the subordinate CERTs. The US law also requires reported cybercrimes to be classified, something Indian experts consider necessary too. There are many different types of cybercrime, so a one-size-fits-all approach does not work.
Another controversial part of the rules is the requirement that VPN and virtual asset service providers maintain logs of user information, which is a direct violation of individual users’ privacy. The rules require many personal identifiers to be logged: service providers must save not only email IDs and IP addresses, but also their clients’ names, verified addresses and contact details, along with timestamps. The whole point of a VPN, after all, is anonymity and encryption of data in transit so that information can be transferred securely. The Centre itself is no stranger to this: in 2020 it made it mandatory for IT companies to use VPNs to transfer data. Asking VPN providers, some of whom do not even have the technical means to comply with the directions, to maintain such logs therefore runs counter to their very purpose. As a result, several companies have announced their intention to exit the Indian market.
Regulation is necessary, but over-regulation is certainly not the answer. It is noteworthy that CERT-In did not consult the public before drafting or publishing these rules, which seek to impose a difficult and unrealistic reporting burden on companies. A better course would be to make a fresh start and draft a comprehensive policy framework, together with cyber security and vulnerability experts as well as industry insiders, that is light but effective.