India

Cyber Security Directions: New trap for surveillance?

Cyber Security Directions 2022 were released on April 28 by the Ministry of Electronics and Information Technology.

Credit : Prathmesh Patil

The Union Government of India has changed the policy under which the various IT institutions in India operate, with different circumstances, roles and responsibilities. Following the General Data Protection Regulation (GDPR) in the UK and its subsequent replication in the developing world, the Union government has come up with a new set of regulations and rules.

The Ministry of Electronics and Information Technology (MeitY) is the body concerned with regulating the IT affairs of the Union. The sets of documents released by the ministry in the recent past include many controversial rules. The Information Technology Intermediary Guidelines and Digital Media Ethics Code Rules released in February last year gave a flavour of how the new regulations threaten the privacy and free speech of citizens.

Now MeitY has come up with new tactics to get things done without directly interfering with end-users in the process. It has designed a modus operandi to obtain maximum data control by pushing the guidelines onto the service providers, ensuring that its appetite for privacy breaches is catered to. Thus, the new pattern poses more dangerous and immediate concerns for the civil rights of the public.

The ministry recently introduced the regulations in the wake of rising online threats and cyber-attacks on government institutions and private assets within Indian territory. It thus issued Cyber Security Directions No. 20(3)/2022-CERT-In on April 28 this year “to ensure that Indian Internet users experience a Safe and Trusted Internet.”

Many of these regulations form part of the compliance obligations of tech corporations and multinational companies. The regulations indicate the Indian State’s aggressive and determined plan of action to protect cyberspace within the union. In the attempt at protection, however, the state has gone a step further to regulate and control not only the institutions operating in its territory but also the end-user, i.e. its own citizens.

As part of the global network of a unified approach to combating cyber-criminal activities, Computer Emergency Response Teams have been formed in individual countries. These CERTs operate under the central government institutions of their respective nations and attempt to secure national networks. The equivalent entity established under MeitY, the Indian Computer Emergency Response Team (CERT-In), serves as the national agency for handling all cyber-crimes and security incidents.

CERT-In released a document titled ‘Cyber Security Directions of 28.04.2022’ on April 28 that was supposed to become effective after 60 days, i.e. from June 28. This has created havoc in the industries operating in Indian cyberspace. Many industries have proved unable to implement the new structure of processes. Hence, the government has pushed this deadline further to September 25, 2022.

Since only industries are seen to be suffering, many user-rights and individual-privacy experts and activist organisations have not examined these directions from a critical point of view. These regulations, though claimed to bind only telecom companies, service providers and corporate bodies under the government’s data regulations, inevitably open a gateway to a serious trend of state surveillance over citizens. So how do these directions pose serious implications for Indian cyberspace as a whole?

What has happened?

With the new directions, the following changes have been made:

  • All service providers have to report cyber security incidents to CERT-In within six hours of noticing them and designate a Point of Contact to interface with CERT-In.
  • All VPN/service providers and data centres will maintain accurate information about their users, even after the cancellation of their services, for a period of five years or longer. This includes not only IPs, e-mail, period and purpose but also customers' usage patterns.
  • Use of the Indian Network Time Protocol becomes mandatory.
  • All service providers, companies and government organisations will maintain ICT logs for a rolling period of 180 days.
  • KYC becomes mandatory for all virtual assets.
  • All other necessary information should be maintained in such a way that individual transactions can be reconstructed.

The following process flow shows the line of action expected from service providers in reporting cyber incidents to CERT-In.

We might lose VPNs?

As India tops the list of countries curbing internet freedom with frequent shut-downs, the VPN services provided by private networks, which let you operate on ever-changing IPs, have been a great tool for bypassing the authoritarian control of nation-states. No wonder MeitY is finally coming for them, bringing them within its ‘regulatory’ jaws. It is making it mandatory for all such providers to identify their users, their purpose and their usage patterns. The anonymity imparted by these networks will be compromised, and paid but unprotected, state-monitored VPNs will be the only available option for accessing the internet.

Businesses are concerned

The government has made the process of reporting cyber-attacks to the concerned entity, CERT-In here, mandatory for all service providers. After the Direction of 28.04.2022, corporate and civil entities raised a great many questions and queries to the ministry. One of the major concerns was that the guidelines were released without any consultation or meeting-and-feedback mechanism with representatives of those for whom the laws were made. This has become a Standard Operating Procedure of governance in the global south, where majoritarian governments draft the laws that suit them with no consideration for, or participation of, the communities they claim to benefit.

Confusion of the confusion-resolving FAQ document

Pertaining to this, Rajeev Chandrasekhar, Minister of State for MeitY, released a 'Frequently Asked Questions' (FAQ) document about the Cyber Security Directions of 28.04.2022 on May 18, 2022. The document was made available on the CERT-In website. However, users who downloaded the document found two versions of it, differing in size and structure. One document is a 24-page, 981 KB file whereas the new document is a 28-page, 9,290 KB file with many changes in content, chronology and the intent of the exercise.

Both these documents are in circulation and many of those interpreting them are unaware of this fact. FAQ Document 1 did not have any comment on transparency or user-end implications. Though the process has remained the same, the two documents differ in their commentary and clarification regarding the blind spots in the original guidelines. We have used both of the available documents for the analysis here.

Why were two documents released?

This is not the first instance of MeitY withdrawing a released document and replacing it immediately with a new one. On the morning of June 2, 2022, MeitY suggested changes to the IT Rules, 2021 and requested feedback. Surprisingly, the ministry abruptly retracted the suggestion later that day without providing any explanation.

Just a couple of days before this, on May 30, 2022, UIDAI had issued a warning on MeitY letterhead urging people not to distribute copies of their Aadhaar cards. MeitY revoked the advice on the same day, ostensibly because it might be misunderstood. The ministry even has a history of secretly changing the content of a policy document without any consultation, as happened with the Draft India Data Accessibility and Use Policy, 2022 in February this year. Against this background, one should not be surprised if MeitY releases two documents that both remain in circulation.

The revised FAQ document, though produced and recreated within a very short time, signifies changes that underline the role of cyber security from a geopolitical perspective. Section 1 of the new FAQ lists the points in a systematically rearranged order. These efforts have been made to make it more transparent, accountable, responsible and a little less condescending than the previous version. The new guidelines emphasise collaborative measures and display an intention to avoid working in silos, mention why such measures are necessary, and highlight collaboration between private and government entities to ensure transparency (at least on paper).

Why should common citizens bother?

Insights into process improvement and mentions of stakeholder consultation are very unclear in the documents. If the government believes that it should have all the data of end-users, expecting service providers to fulfil this exercise on the government’s behalf is a terrible blunder and more harmful to the privacy of its own citizens.

Since the implementation is delayed, the ministry has cited as reasons the need to ‘enable MSMEs to build the capacity required for the implementation' as well as that ‘service providers are also given additional time for implementation of mechanisms relating to validation aspects of subscribers/customers details’. Once implemented, there will be no authority to check to whom these extended details are being shared or sold.

A clause in the new FAQ document released by the ministry clearly states ‘Individual Persons are not covered under guidelines’. It is an attempt by the government to keep citizens and net-neutrality activists away from serious scrutiny of the directions and their concerns. It says that only corporate institutions are under the purview of the new clauses and hence no other citizen has to worry about these directions.

But does this claim hold true?

It becomes mandatory for service providers to fetch information on users' contacts, addresses, purpose of the connection, KYC and other exclusive personal details in case of an incident. Though the document claims that it ‘does not affect the right to informational privacy’, the above-mentioned details will be stacked at the service provider, including the usage pattern, in accordance with Rules v and vi of the Cyber Security Directions of 28.04.2022. If CERT-In ever asks for them, the service owner will hold data on its customers according to its own interpretation.

The intentions of MeitY mentioned in Q. 32 of the old FAQ mandate the ‘maintenance of individual, partnership, association, company and key management related data in safe & secure manner’; this gives service providers the upper hand to extract more information from users citing the new regulations. Thus they can have omnipresent access to user data if they are to comply with all the guidelines. Addressing such indirect but serious implications of the guidelines for user privacy is clearly not on MeitY’s radar, as it is apparently fine for anyone to hold this data as long as MeitY has access to it!

How will businesses, jobs, and hence employed citizens, suffer?

Foreign investment in India's online gaming companies and cash-transaction applications is a rising market for new startups, as has been the offshoring of Product Lifecycle Management (PLM) activities for a long time. Outsourcing to Chinese, Vietnamese and other East Asian countries is expected to grow at a rapid scale in upcoming years, due to liberal internet laws compared to the Chinese market. This Post-Ford business model has brought many overseas Original Equipment Manufacturers (OEMs) to operate in India, expediting job growth in the service industries.

Issuing imperative guidelines and provisions, Q. 25 to Q. 27 of the old FAQ document highlight the responsibilities of such OEMs in order to operate in India. Complying is a matter of minutes for giant tech firms and big corporations, though a similar exercise is a heavy burden on nascent businesses and start-ups in the sector. It is liable to change the Code of Conduct for these entities and strain data migration negotiations. Rather than ensuring data security, this will end up harassing such institutions with unnecessary clauses and legalities.

The sector has laid off many of its employees over the last two years and is struggling to match the narrative of a V-shaped recovery. The employees, already without any protection under the new labour codes and the clauses of firms operating within SEZs with no liabilities towards welfare, might face catastrophe if new businesses fail to adapt themselves to the new changes.

Not only harmful but also inefficient

One would expect that this blow to civil rights would at least help businesses or the government to have more power over us. Guess what: it misses the basic roles needed to construct a robust process. A detailed analysis of the roles and responsibilities shows how many blind spots are wide open in the process.

The RASIC tool stands for ‘Responsible, Accountable, Supporting, Informed, Consulting’. It highlights the key responsibilities and distribution of roles among individual stakeholders in the process against the activity mentioned in the first column. In the last column, it indicates which roles are ambiguous and not defined for any stakeholder (or lack clarity). The roles for multiple activities are not clearly defined across all process operations. An undue burden is placed on partners who do not necessarily operate in Indian cyberspace and hence remain outside the purview of those who can be relied upon for data security.

The blind spots in the reporting process

Q.8 of the old FAQ permits intermediaries to define terms that are not listed as types of security attack. In the long run, other types of attack will have to be defined based on experience and updates. Though it is concerned about the Indian state of affairs regarding cyber security, it is totally silent about social engineering attacks, to which the population is most prone given its demography.

It also lacks guidelines and transparency about sharing the data obtained through Multi-Factor Authentication, including biometric data, and access to third-party authenticators (TPAs). Biometrics are sensitive information, and most TPAs (the captcha that we use daily) are foreign-based service providers operating at a high level, beyond the access or control of the individual user. How and why they will ensure the safety of common Indian netizens remains a question.

What next?

Ultimately, in order to make corporate bodies and service providers follow this legislation and these instructions, the guidelines should be amalgamated with, and made an inseparable part of, the package offered by cyber insurance companies.

As the document attempts to implement guidelines following the GDPR regulations, especially Article 48, it would be worth enabling the other measures adopted by Western European countries to prevent such attacks in the first place. A ‘Shift Left’ approach in such processes is the most effective measure to ensure safety and achieve the mission.

The cyberspace of the internet in India has many avenues to cover, from cookie policies to data protection officers. While the document attempts to lead stakeholders in a positive direction and enables upgrades, it should also be ensured that it does not hamper business processes and that their concerns are addressed in a timely manner.