Security News

Virtual Private Network provider ExpressVPN on Thursday announced that it's removing Indian-based VPN servers in response to a new cybersecurity directive issued by the Indian Computer Emergency Response Team. "Rest assured, our users will still be able to connect to VPN servers that will give them Indian IP addresses and allow them to access the internet as if they were located in India," the company said.

Virtual private network operator ExpressVPN will pull its servers from India, citing the impossibility of complying with the nation's incoming requirement to record users' identities and activities. ExpressVPN offers software that routes traffic through servers that load their operating systems entirely into RAM and therefore leave no trace of users' activities on persistent media.

Eleven significant tech-aligned industry associations from around the world have reportedly written to India's Computer Emergency Response Team to call for revision of the nation's new infosec reporting and data retention rules, which they criticise as inconsistent, onerous, unlikely to improve security within India, and possibly harmful to the nations economy. The rules were introduced in late April and are extraordinarily broad. For example, operators of datacenters, clouds, and VPNs, are required to register customers' names, dates on which services were used, and even customer IP addresses, and store that data for five years.

India has slightly softened its controversial new reporting requirements for information security incidents and made it plain they apply to multinational companies. The rules were announced with little advance warning in late April and quickly attracted criticism from industry on grounds including the requirement to report 22 different types of incident within six hours, a requirement to register personal details of individual VPN users, and retention of many log files for 180 days.

Opposition is building to India's recently introduced rules on reporting computer security breaches, which have come under fire for being impractical, ineffective, and impinging on privacy. Concern about the rules has been voiced within and outside India, the latter typified by global tech lobby group the Information Technology Industry Council sending CERT-In a letter [PDF] that suggests the six-hour reporting requirement is not feasible, and is also not aligned with global best practice of 72-hour reporting.

There's one nation where outrage about Pegasus has been constant for nearly a year and shows little sign of abating: India. A quick recap: Pegasus was created by Israeli outfit NSO Group, which marketed the product as "Preventing crime and terror acts" and promised it would only sell the software to governments it had vetted, and for approved purposes like taking down terrorists or targeting criminals who abuse children.

The Indian government has issued new directives requiring organizations to report cybersecurity incidents to CERT-IN within six hours, even if those incidents are port or vulnerability scans of computer systems. The most notable new requirement is that any internet service provider, intermediary, data center, or government organization, shall report these incidents to CERT-In within six hours of noticing them.

India's Computer Emergency Response Team has given many of the nation's IT shops a big job that needs to be done in a hurry: complying with a new set of rules that require organizations to report 20 different types of infosec incidents within six hours of detection, be they a ransomware attack or mere compromise of a social media account. The national infosec agency stated the short deadline is needed as it has identified "Certain gaps causing hindrance in incident analysis."

India's government and the European Union have signed up to create a "Trade and Technology Council" - an entity the EU has previously only created to enhance its relationship with the United States. Details of the Council's scope of operations have not been revealed, but the EU/US version of the entity works on standards for emerging technologies, tech supply chains, information security, data governance, preventing misuse of technology when it threatens security and human rights, and SME access to and use of digital technologies.

UADAI arranges for collection of the biometrics needed to create an Aadhaar - ten fingerprints, two iris scans, and a facial photograph - through enrollment agencies and registrars and provides authentication-as-a-service using Aadhaar numbers. More than a billion Aadhaar IDs have been issued and over 99 per cent of India adults have enrolled in the scheme.