India’s Ministry of Electronics and Information Technology (MeitY) and the local Computer Emergency Response Team (CERT-In) have extended the deadline for compliance with the Cyber Security Directions introduced on April 28, which were due to take effect yesterday.
The Directions require verbose logging of users’ activities on VPNs and clouds, reporting of infosec incidents within six hours of detection – even for trivial things like unusual port scanning – exclusive use of Indian network time protocol servers, and many other burdensome requirements. The Directions were purported to improve the security of local organisations, and to give CERT-In information it could use to assess threats to India. Yet the Directions allowed incident reports to be sent by fax – good ol’ fax – to CERT-In, which offered no evidence it operates or would build infrastructure capable of ingesting or analyzing the millions of incident reports it would be sent by compliant organizations.
The Directions were roundly criticized by tech lobby groups, which pointed out that requirements such as compelling clouds to store logs of customers’ activities were futile, since clouds don’t log what goes on inside resources rented by their customers. VPN providers quit India and moved their servers offshore, citing the impossibility of storing user logs when their entire business model rests on not logging user activities. With those VPN operators offshore, India’s government is less able to influence them.
India’s government and the relevant ministers acknowledged the complaints with an FAQ explaining the Directions, but that document only added fuel to the fire: its vague language confused matters rather than offering useful clarifications. The government did not budge on another extraordinary aspect of the Directions: a sixty-day deadline to become compliant.
But yesterday the government blinked, issuing a document [PDF] extending the deadline for compliance to September 25 – a further 90 days.
That still leaves Indian organizations with just 150 days to implement very significant work, and retains the six-hour reporting requirement that India’s government defends as reasonable, despite pretty much every other jurisdiction preferring 72-hour response windows.
The extension comes as protest about the Directions continues. An open letter [PDF] dated June 27 and signed by infosec experts including members of the Internet Society, the Global Encryption Coalition and the Internet Freedom Foundation, called for deferral of compliance with the Directions.
India’s Internet Freedom Foundation has called for the Directions to be withdrawn.
Yesterday another VPN operator, PureVPN, quit India citing the impossibility of compliance.
The Register has attempted to ascertain whether big clouds have already complied with the Directions or have made representations to Delhi about the requirements outlined in the document. Microsoft, Google, Alibaba and Oracle have not responded to our requests at the time of writing. AWS told us it “complies with all applicable laws in the countries in which we operate.”
As it happens, the new deadline for compliance with the Directions was not the only extension handed out in India in recent days. In 2020 the nation’s Reserve Bank required payment service providers to tokenise records of credit card transactions so that merchants would not need to store credit card data. The compliance deadline fell last week and has been deferred until September – the third delay granted after industry feedback that compliance within the original timeframe was not achievable.
That approach contrasts with the one taken by MeitY and CERT-In, which have conducted a single consultation with industry and have not detailed the representations made at that event.
India’s IT minister Rajeev Chandrasekhar, who took to social media to promote the consultation session, has been silent on the extension of the compliance deadline for the Directions. Instead he’s been highlighting activities encouraging tech startups – all of which will have to comply with the Directions and therefore start their lives with a higher regulatory burden than their rivals around the world. ®