The government has stressed the directive by the Indian Computer Emergency Response Team (CERT-In) to virtual private network (VPN) service providers, cloud service providers and virtual private service providers to store data of users for five years. It has been taken after industry-wide consultation. Further, the directive is necessary to stop financial fraud currently happening in the digital world.
According to sources, it becomes difficult to track the culprit involved in online financial fraud as most of them use VPNs. When the VPN providers start storing data of users, it can be used by law enforcement agencies to track a fraudster. “It’s only when the law enforcement people need the details that information will be sought from VPN providers. Otherwise, they have to store the data at their end only. We are not asking for data of all users,” said a source in the Ministry of Electronics and IT (Meity).
Apart from storing user data, CERT-In has asked all the government and private agencies, intermediaries, and data centres, to mandatorily report cyber security breach incidents to it within six hours of noticing them. “All service providers, intermediaries, data centres, body corporate and government organisations shall mandatorily enable logs of all their ICT systems and maintain them securely for a rolling period of 180 days and the same shall be maintained within the Indian jurisdiction. These should be provided to CERT-In along with reporting of any incident or when directed,” CERT-In said in its April 28 directions. These directions will become effective after 60 days.
CERT-In serves as the national agency for performing various functions in the area of cybersecurity in the country as per provisions of section 70B of the Information Technology Act, 2000. To coordinate response activities as well as emergency measures concerning cybersecurity incidents, CERT-In calls for information from service providers, intermediaries, data centres and body corporate.
During handling cyber incidents, CERT-In has identified certain gaps causing hindrance in incident analysis. To address the identified gaps, CERT-In has issued these directions under the provisions of sub-section (6) of section 70B of the Information Technology Act, 2000.