India’s future lies in digital technology. Cybersecurity rules are thwarting the process
India’s rapid development is driven by the Internet, but shoddy cybersecurity regulations are limiting the potential of the world’s fastest-growing digital consumer market.
One of the major success stories of the information age is the phenomenal rise of India’s economy in the twenty-first century. With well over half a billion Internet users, the country boasts one of the largest digital subscriber bases and the fastest expanding market globally. This quick digitalization has been sped up by the government’s push for online public service delivery, which has been assisted by the private sector’s efforts to provide access to mobile devices and affordable data services.
According to analysis, increased digitization could enable India’s core Internet sectors to contribute up to 10% of the nation’s GDP by 2025, assist farmers in reducing crop-growing expenses by 15% to 20%, generate significant value in crucial economic sectors like education, financial services, healthcare, and logistics, facilitate the delivery of public services, and even help streamline India’s disjointed labour market.
What enabled all of this? It was the Internet, a vital resource that in only a few decades has given us practically endless chances to invent and cooperate for the benefit of society. This did not occur by chance. The Internet is open, decentralized, and permissionless: anyone may connect to it and make use of its opportunities, which gives it its power, resiliency, and success.
But for now, this development is in jeopardy.
The Indian Computer Emergency Response Team, or CERT-In, has proposed new cybersecurity guidelines for India that require VPN, cloud, and other IT service providers to gather customers' personal information, log user activity, and turn that information over to Indian authorities upon request.
According to the directives, organizations must enable logs for all of their ICT systems and keep them for 180 days within Indian territory. In the event of a cybersecurity incident, CERT-In reserves the right to obtain and access this data. Such logging requirements will produce a vast honeypot of sensitive data from all sectors that utilize or interact with the Internet or digital computer systems, which goes against the intention of the directives. Malicious actors, organized crime, or renegade foreign governments can readily penetrate such data stores.
This rule will dramatically raise entry barriers, increase the cost of doing business in the nation and add to the burden of compliance, preventing new players, such as startups, from quickly joining the market. Furthermore, there are no assurances in these vague criteria as to how this information would be utilized or what precautions will be implemented.
The numerous compliance requirements also include synchronizing all ICT systems' clocks with legally mandated clocks and servers. This runs counter to the industry best practice of synchronizing to various sources of time, and it increases the danger of a single point of failure and vulnerability.
This “one-size-fits-all” strategy has to be rethought by CERT-In in light of the distributed nature of network administration. As CERT-In directs entities to connect to government-mandated servers, this will result in significant chokepoints, the failure of which will affect all Indian entities.
The cybersecurity initiatives attempt to combat cybercrime, but they offer few tangible advantages for the safety of the government, organizations, individual users, or the digital ecosystem. If CERT-In is simultaneously serving in a law enforcement or regulatory capacity, network operators and service providers will be reluctant to acknowledge incidents and provide information about them.
Additionally, these regulations will raise the cost of compliance, particularly for newcomers and smaller organizations wanting to enter India’s booming IT sector. India’s leadership in the ICT industry and the expansion of its digital economy would be threatened by the extraterritorial effects of the directives on service providers and intermediaries.
The open, globally linked, secure, and reliable Internet is undermined by the cybersecurity guidelines’ ill-defined, unclear reach. And by implementing these new regulations, India’s whole Internet security would be compromised.
The execution of these directives must be suspended until CERT-In starts an open public consultation procedure. India’s cybersecurity legislation needs to be strengthened and informed by opinions from the international IT community, experts, civil society, enterprises, and consumers.
India must give up its haphazard approach to cybersecurity if it is to realize its ambition of a Digital India and take up a leadership position in the global Internet economy.
Edited and proofread by Nikita Sharma