Follow the rules or leave India, the government tells VPN service providers

Virtual private network service providers who are not ready to comply with the new guidelines have the only option to leave India, State Minister for Electronics and IT Rajiv Chandrasekhar said on Wednesday.

The Minister, while releasing the Frequently Asked Questions (Frequently Asked Questions) about the recent guidelines on reporting incidents of cyber violations, said that every good financial institution or organization understands that a secure and reliable internet is going to help it.

“No one has the opportunity to say that we do not follow the rules and regulations of India. If you do not have logs, start maintaining logs If you are a VPN that wants to hide and anonymize the people who use its VPN and if you do not want to follow these rules, if you want to get out, to be honest you have no choice but to withdraw. . He said.

The Ministry of Electronics and IT has required cloud service providers, VPNs (virtual private network) companies, data center companies and virtual private server providers to store user data for at least five years.

Some VPN companies have claimed that the new rule could lead to cyber security flaws in the system – an argument that was rejected by the minister.

Chandrasekhar said the government was not going to make any changes to the rules forcing companies to report cyber violations on their systems within six hours of learning about it.

“Crime and cyber incidents, nature, type, shape, form are very complex. They have a very evil element behind it. There are many state actors who are using vulnerabilities. Those who violate this can proceed very quickly. Immediate reporting is fundamental to investigations, forensic analysis, situational awareness of the nature of events, “he said.

The US-based technology industry body ITI, which has members from global technology companies such as Google, Facebook, IBM and Cisco, has sought an amendment to the Indian government’s directive on reporting cyber security breaches.

ITI said the provisions under the new order could adversely affect companies and harm cyber security in the country.

The industry body has asked for greater stakeholder consultation with the industry before finalizing the guidelines.

The Indian Computer Emergency Response Team (CERT-In) issued a directive on April 28, requiring all government and non-government organizations, including Internet service providers, social media platforms and data centers, to report cyber security breaches within six hours. Them

The new circular issued by CERT-In obliges all service providers, intermediaries, data centers, corporates and government agencies to activate logs of all their ICT (information and communication technology) systems and maintain them safely for 180 days rolling period, and the same Indian Will be maintained within the jurisdiction.

The ITI has expressed concern over the need to enable logs of all ICT systems and maintain them under Indian jurisdiction for 180 days, the additional definition of reportable incidents and the need to connect to the companies’ servers, mandatory reporting of incidents of breach within six hours. Government of India