New Delhi: After concerns were raised over the new cyber-security directives by the Indian Computer Emergency Response Team (CERT-In), industry experts said on Sunday that if the new guidelines are strictly enforced, corporate and enterprise virtual private networks (VPNs) will have to compulsory report several serious offences that will over help end users.
The new cyber-security norms mandates reporting of cybersecurity incidents and misuse of VPNs.
After the uproar over the April 28 directives, the CERT-In that comes under the IT Ministry issued an updated document or FAQs, saying that the new directives will only apply to general internet users who use commercially available VPNs.
CERT-In also clarified that the mandate to report cybersecurity incidents within six hours cannot be bypassed because of contractual obligations of a company.
According to New Delhi-based cyberlaw expert Virag Gupta, current cyber security rules are 11-year old, which is a long time in the internet Era.
“Over this period, the shape and dimension of the Internet has changed significantly. The perpetrators of cyber crimes are both state and non-state actors with sinister designs,” Gupta told IANS.
As per the new policy, any service provider, intermediary, data centre, body corporate and government organisation will mandatorily report cyber incidents within six hours.
“If the terms of policy are properly enforced by the authorities and cases are registered as per mandate of the law, then how will police, digital labs and courts be able to handle huge numbers of cyber crimes?” he asked.
Amid the debate, Union Minister of State for IT and Skill Development and Entrepreneurship Rajeev Chandrasekhar has said that there would be no impact on business viability.
“The only restriction is that VPN is misused for criminal activities, VPN operators will have to cooperate and produce the data of the person committing the criminal activity,” the minister said on the sidelines of a Nasscom event in Ahmedabad on Saturday.
As per CERT-In, there are various types of other offences like data breach, data leak, spread of computer contaminant, identity theft, spoofing, phishing, Distributed Denial of Service (DDoS) attacks on applications such as e-Governance, e-commerce etc.
According to the FAQ, the rapid and mandatory reporting of incidents is a must and primary requirement for remedial action for ensuring stability and resilience of Cyber Space.
In a country which is targeting a $1 trillion digital economy and nearly 80 crore people are using the Internet, only 500,035 cases of cyber crime were recorded in 2020, according to data from the National Crime Record Bureau (NCRB).
As per NCRB data, only 4,047 cases of online banking fraud, 1,093 OTP frauds and 578 incidents on fake news on social media were reported in 2020.
“If these guidelines are strictly enforced, then all such offences will have to be compulsory reported,” said Gupta.