India orders VPN providers to collect data on users
India’s cybersecurity agency, the Computer Emergency Response Team (CERT-In), will require government organizations, corporations, service providers, data centers, and intermediaries to report cyber incidents within six hours.
“To effectively fight cybercrime, all companies and enterprises must mandatorily report cyber incidents to IndianCERT New CyberSecurity directions for a SafeAndTrusted Internet issued under Sec 70b of IT Act,” Rajeev Chandrasekhar, Union minister of state for electronics and IT said.
In recent years, cyberattacks in India have increased significantly. Ransomware attacks alone increased by 218% in 2021, according to Palo Alto Networks.
CERT-In will also require cloud and VPN providers to register their users. Custodial wallets, exchange, virtual asset providers, cloud providers and even VPN providers will have to keep records of their customers (KYC) and records of financial transactions for five years. Service providers will maintain logs of their systems for 180 days.
This would defeat the purpose of using a VPN and creates honeypots of data that could be misused for surveillance or stolen.
According to CERT-In, the new requirements will improve the “overall cybersecurity posture” and ensure a “safe and trusted internet” in India.
By Ken Macon