Written by Anviti Rai
Opinions are divided on the recent guidelines of the Indian Computer Emergency Response Team (CERT-In) new cyber security rules that map different domains, but mostly aimed at combating cybercrime.
While some experts believe that these regulations are a step towards strengthening the country in the fight against cybercrime, others disagree.
According to technology consultant and venture capitalist Siddhartha Pai, these rules will help strengthen the legal framework for cyber security, as catching cybercriminals is “a three-legged stool.” In addition to personal awareness, “a strong legal framework within the country (which has now been strengthened by the new rules) and the ability to identify and track cybercriminals so that they can be brought to justice” is essential for the fight against cybercrime.
According to Pankit Desai, co-founder and CEO of SecureTech, a Gurugram-based global cyber security company, cyber criminals are caught combining known IP address mapping as well as known IP address tracing. Thus, to that end, a log of IP addresses can be effective in reducing cyber crime, and the need to maintain user information logs that include a list of all IPs for five years is valid.
However, many experts believe that these rules are not transparent or sensitive. Tejasi Panjia of the Internet Freedom Foundation noted that India was struggling with cybersecurity with low capacity and weak infrastructure, which also reduced the ability to investigate. In addition, if personal security is really a concern, he claims that there is no law that compels data trusted individuals to notify users of data breaches.
According to him, although control is important, guidelines should be realistic and not excessive. Moreover, the new rules are not transparent because they were not publicly consulted by CERT-In on technology and cyber security before they were drafted or announced.
Desai questions the lack of a specific outcome after reporting a crime to CERT-In, as one of the guidelines requires a cybercrime to report to CERT-In “six hours of noticing or noticing such incidents.” In. “
He asks, “What will happen after you report? Is it a monitoring agency asking you questions or is there a system that will help you? He added that if an attack is reported within six hours, there is already overwhelming pressure to make important decisions. In such a situation, such a short time frame is almost not enough, especially when compared to the global standard of 72 hours.
Panjia added that these regulations have not generated a positive response from the industry, as several providers either do not want to comply or are looking to exit the market.
Several VPN providers have issued similar statements. Since the rules will be enacted in June 2022, it is unlikely that CERT-In will consider an amendment. Ashwini Vaishnav, Union Minister for Electronics and IT, told The Indian Express: “There is no privacy concern. Suppose someone shoots someone with a mask, wouldn’t you ask them to remove that mask? That’s the way it is. “