By Anvitii Rai

The opinion is divided on the Indian Computer Emergency Response Team’s (CERT-In) recent guidelines on the new cybersecurity rules that map several domains, but were mostly targeted at fighting cybercrime.



While some experts believe that these regulations are a step towards strengthening the country in the fight against cybercrime, others disagree.



According to Siddharth Pai, a technology consultant and venture capitalist, these rules will help strengthen the legal framework for cybersecurity, as nabbing cybercriminals “is a three-legged stool.” Apart from individual awareness, “strong legal frameworks within the country (which are now strengthened by the new norms) and the ability to identify and track down cyber-criminals so they can be brought to justice” are essential in fighting cybercrime.



As per Pankit Desai, co-founder and CEO of Sequretek, a Gurugram-based global cybersecurity company, cybercriminals are caught with a combination of mapping known IP addresses as well as tracing known IP addresses. Thus, to that end, a log of IP addresses might be useful in curtailing cybercrime, and the requirement to maintain user information logs which do incude a list of all IP for five years is valid.



However, many experts are of the view that these regulations are neither transparent nor sensible. Tejasi Panjiar of the Internet Freedom Foundation specifies that India struggles with a low capacity and weak infrastructure as far as cybersecurity is concerned, which also lessens the investigative capacity. Additionally, if individual security is really the concern, she asserts that there are no laws in place which mandate data fiduciaries to notify users of data breaches.

According to her, while regulation is important, guidelines should be realistic and cannot be excessive. Moreover, the new rules are not transparent as no public consultation with technology and cybersecurity was held by CERT-In before drafting or declaring these.



Desai questions the lack of a specified outcome after reporting a crime to CERT-In, as one of the guidelines requires any incidence of cybercrime to be reported to CERT-In “within six hours of noticing such incidents or being brought to notice about such incidents.”.



He asks, “What happens after you report? Is it one monitoring agency asking you questions or is there a mechanism that will aid you? He adds that if an attack is to be reported within six hours, there is already insurmountable pressure with crucial decisions to be made. In such a situation, such a short time frame is nearly not enough, especially when compared to the global standard of 72 hours.



Panjiar also states that these regulations have not drawn positive reactions from the industry, as several providers either do not intend to comply, or look to exiting the market.



Several VPN providers have issued statements to the same tune. As the rules are to be enacted in June 2022, it is unlikely that CERT-In will consider a revision. Ashwini Vaishnaw, Union minister for electronics and IT told the Indian Express, “There is no privacy concern. Suppose, somebody takes a mask and shoots, wouldn’t you ask them to remove that mask? It is like that.”