Cybersecurity: Why India Needs Strong Cybersecurity Standards to Combat VPN Misuse
New cybersecurity standards make it mandatory to report cybersecurity incidents and misuse of VPNs.
After the outcry over the April 28 guidelines, CERT-In under the Department of Computing released an updated document or FAQ, stating that the new guidelines will only apply to general internet users who use commercially available VPNs.
CERT-In also clarified that the mandate to report cybersecurity incidents within six hours cannot be circumvented due to a company’s contractual obligations.
According to Virag Gupta, a New Delhi-based cyberlaw expert, the current cybersecurity rules are 11 years old, which is a long time in the age of the internet.
“During this period, the shape and dimension of the Internet has changed dramatically. Cybercrime perpetrators are both state and non-state actors with sinister designs,” Gupta told IANS.
Under the new policy, any service provider, intermediary, data center, legal person and government organization will be required to report cyber incidents within six hours.
“If the terms of the policy are properly enforced by the authorities and cases are recorded in accordance with the mandate of the law, then how will the police, digital labs and courts be able to handle a large number of cybercrimes?” He asked.
Amid the debate, Union Minister of State for IT, Skills Development and Entrepreneurship Rajeev Chandrasekhar said there would be no impact on the viability of the business.
“The only restriction is if VPN is misused for criminal activities, VPN operators will have to cooperate and produce the data of the person committing the criminal activity,” the minister said on the sidelines of a Nasscom event in Ahmedabad Saturday.
According to CERT-In, there are different types of other offenses such as data breach, data leak, spread of computer contaminants, identity theft, impersonation, phishing, distributed denial of service (DDoS) on applications such as e-governance, e-commerce etc…
According to the FAQ, the prompt and mandatory reporting of incidents is a necessity and a primary requirement for corrective measures to ensure the stability and resilience of cyberspace.
In a country that aims for a $1 trillion digital economy and nearly 80 million people use the internet, only 500,035 cybercrime cases were recorded in 2020, according to data from the National Crime Record Bureau (NCRB).
According to data from the NCRB, only 4,047 cases of online banking fraud, 1,093 OTP frauds and 578 incidents of fake news on social media were reported in 2020.
“If these guidelines are strictly enforced, all such violations will be mandatory to report,” Gupta said.