Delaying the inevitable: Implementation of CERT-In’s Cybersecurity Directions gets a piecemeal extension

tl;dr

On June 27, 2022, the Indian Computer Emergency Response Team (“CERT-In”) issued a notification (No. 20(3)/2022-CERT-In) extending the timelines for partial enforcement of the Cyber Security Directions of April 28, 2022 (“Directions”), issued under sub-section (6) of section 70B of the Information Technology (“IT”) Act, 2000. The Directions were scheduled to go into effect 60 days from the date of their notification. For Micro, Small and Medium Enterprises (“MSMEs”), the enforcement timeline for the Directions as a whole has been extended. For Data Centres, Virtual Private Server (“VPS”) providers, Cloud Service providers and Virtual Private Network (“VPN”) service providers, only the specific requirements relating to validation of subscriber/customer details have received an extension; the rest of the Directions apply to them from the original date. The new enforcement date for these entities and requirements is September 25, 2022.

What has changed for MSMEs and what hasn’t?

CERT-In has extended the implementation timeline by approximately three months for MSMEs in order to provide them with “reasonable time for generating capacity building required for implementation of these Directions”. The CERT-In extension notification also provides clarity with respect to the classification of MSMEs.

“Now, therefore, it is herein provided that the CERT-In’s Cyber Security Direction No. 20(3)/2022-CERT-In of 28.04.2022 will become effective on 25th September, 2022 for Micro, Small & Medium Enterprises (MSMEs) which are covered as per the criteria for classification of micro, small and medium enterprises, notified by Ministry of Micro, Small & Medium Enterprises, Government of India vide notification no. 2020 S.O. 1702(E) dated 1st June 2020 in exercise of the powers conferred by sub-section (1) read with sub-section (9) of section 7 of the ‘Micro, Small and Medium Enterprises Development Act, 2006’.”

The above-mentioned notification released by the Ministry of MSMEs classifies micro, small and medium enterprises as follows:

  • Micro enterprise: where the investment in Plant and Machinery or Equipment does not exceed one crore rupees and turnover does not exceed five crore rupees;
  • Small enterprise: where the investment in Plant and Machinery or Equipment does not exceed ten crore rupees and turnover does not exceed fifty crore rupees;
  • Medium enterprise: where the investment in Plant and Machinery or Equipment does not exceed fifty crore rupees and turnover does not exceed two hundred and fifty crore rupees.

Although this extension gives MSMEs more time to build the capacity needed to implement the Directions, it does not address the broader, systemic concerns, such as the weak cybersecurity posture of the country. MSMEs have limited capacity to retain and store large amounts of data and then protect that data from cyber attacks; a timeline extension alone is unlikely to resolve that. Mandating that under-resourced entities hold more data for longer also enlarges the attack surface those entities must defend.

What has changed for entities mentioned in Direction 5 and what hasn’t?

CERT-In has extended the timeline for Data Centres, VPS providers, Cloud Service providers and VPN service providers to implement the mechanism for registration and maintenance of “Validated names of subscribers/customers hiring the services” [Direction 5(a)] and “Validated address and contact numbers” [Direction 5(f)]. The new timeline for the implementation of these two particular sub-directions is September 25, 2022.

Although the extension of roughly three months may give the above-mentioned entities some time to build capacity for implementing these particular requirements, it does not resolve the concerns around excessive data retention. Direction 5 of the CERT-In Directions dated April 28, 2022 mandates “maintenance of data for 5 years or longer, as mandated by the law after any cancellation or withdrawal of registration” for certain categories of data. Such an overbroad requirement may lead to the collection and storage of data beyond any purpose or need, violating the internationally recognised principles of storage limitation, purpose limitation and data minimisation. Additionally, the terms “Data Centres”, “VPS providers”, “Cloud Service providers” and “VPN Service providers” used in Direction 5 are not defined, which leaves it ambiguous which entities the obligations actually cover.

Better never than late

As a digital rights organisation, we support CERT-In’s intention to improve the cybersecurity posture of the country. However, we do not agree with the means adopted to achieve this end. The Directions, which were issued without public consultation, became effective yesterday. CERT-In released a Frequently Asked Questions (“FAQ”) document in May 2022. That document, however, is not a legal instrument and thus cannot change the underlying Directions; nor is it a substitute for an open, transparent public consultation process. Prior to the official FAQ being released, a FAQ document was internally circulated among some sections of the industry and press, which we publicly released in the interest of public awareness and transparency.

We have been vocal about the economic harms and the threats to the fundamental right to privacy posed by these Directions (see here for our explainer on the Directions; see here for our Members’ Briefing Call on the Directions). Beyond the broader concerns around ambiguity arising from undefined terms and vague phrasing, the data retention and localisation requirements raise specific concerns of mass surveillance, which are further exacerbated by the absence of sufficient oversight and of a data protection framework to guard against misuse of these Directions. In light of CERT-In’s inaction despite these criticisms, we reiterate our broad demand: recall these Directions. We would once again like to state that an extension of the enforcement timeline does not resolve any of these concerns; it only delays the harms that will follow if the Directions are enforced.

Important Documents

  1. CERT-In’s new cybersecurity directions dated April 28, 2022 (link)
  2. CERT-In’s notification for timeline extension dated June 27, 2022 (link)
  3. CERT-In’s FAQs on the Directions (link)
  4. Representation dated 11.06.2021 along with recommendations by Mr. Suman Kar (link)
  5. Members’ Briefing call on Cybersecurity Directions (link)

This post was drafted by Tejasi Panjiar, Associate Policy Counsel at IFF, and Prateek Waghre, Policy Director at IFF.