CERT-In guidelines assume that all VPN users have malicious intent: ISOC

“VPN (Virtual Private Networks) is not software; it is not a service. It is a concept where you have a network that says: I allow people to connect with me in a reliable way using this protocol. I don’t understand how the VPN requirement relates to (data) gaps. They seem to be painting VPNs with a wide malicious brush,” said Dr. Joseph Lorenzo Hall, Senior Vice President for Strong Internet, Internet Society, in his closing keynote address at an event organized by MediaNama. He argued that most people use VPNs to protect themselves when they are in hostile network environments.

The event addressed the new cybersecurity guidelines from India, published by its agency CERT-In, and the impact they will have on the landscape of the internet in India.

Hall explained that VPNs usually keep minimal logs because they handle an incredible amount of data at any point and because they are a security product. He added that most security products will be careful about the data they collect, store and disclose when they share it with the government. Hall said he would like the government to explain its concerns about VPNs, because it may not need to come up with a new framework. He pointed to the principles from the VPN transparency initiative, which are followed by the leading VPN service providers in the world.

“I’m not sure they’ll tell us exactly what they think the problem is,” Hall said.

Why it matters: The guidelines will introduce significant changes in how digital companies operate in India, and are likely to impose significant executive burdens on these companies. The event highlights the problems inherent in the guidelines and what can be done to address them.




What were the topics discussed in Hall’s keynote address?

Hall raised several concerns in the course of his 30-minute discussion with Nikhil Pahwa, Founder and Editor, MediaNama. Here is a summary:

Use targeted solutions to alleviate police concerns: When Pahwa asked about frauds committed through VPN connections, for which police agencies seek identity information, Hall argued for targeted solutions. “There are principles of either proper process or restriction in many police contexts. You are only allowed to gain access to certain information for certain types of crimes. Fraud can be one of them, but you don’t need to have a general law that treats everyone as criminals. It’s a recipe for disaster and it’s undemocratic in my opinion,” Hall said.

Keeping a log for 180 days is too long: Hall criticized the guidelines for having an “inaccurate focus” on the kind of events that need to be recorded. “Port scanning is listed in the directions and I don’t know why it’s there. Computers, online now, receive port scanning many times a second. It’s just the way it is. This is how the internet works. (These) are not things that CERT-In will find instructive and it will be a lot of data,” Hall said in response.

Many events do not need 180 days: “Many of the minor incidents do not require 180 days of log data. DNS providers log 24 to 48 hours of data to debug normally. I don’t know what incidents will be resolved with 180 days (data) that would not have been resolved 14 days ago (data). It should be up to CERT to say that the most important events require 180 days of minutes,” Hall told Pahwa. He added that CERT-In should also explain why the guidelines are rigorous in identifying major cybersecurity incidents.

Explore step-by-step access: Hall suggested that CERT-In explore a graded approach in which a company that considers an incident less severe provides a certain amount of information within a certain amount of time. He said the period should depend on the average number of days needed to detect a breach. “It’s like 280 days in India now; it is long but it is long almost everywhere. They may reduce demand in the future if the average time to discovery becomes shorter. I would love to see a technical analysis of CERT-In that talks about the distribution of events and how they actually chose the number rather than taking it off the air or taking it from prior regulation,” he noted.


Technical feasibility of the six-hour report window: “Cybersecurity is not war and I try not to use too many war-related analogies but when you are in the depths of an incident response, it can feel like the fog of war. Things are constantly changing. You get new information constantly. The attackers may notice you’ve discovered them and are beginning to do terrible things to your system, because now they know they’ve been discovered,” Hall said. He also said it is difficult to report an incident because of the uncertainty a company faces while the incident is still unfolding.

Large companies can perform effectively: “In general, companies or organizations with very large operations will be able to respond much better because they will have dedicated staff. People who run their own servers online, people who have just written an app in their garage, all these people will be involved from the (six-hour report window),” Hall commented. He advocated for effective limits on the amount of money. Hall also added that he could not figure out the purpose of this requirement, as it would require companies to have people on the road at all times. provided to the Indian government will be broken then there may be legal consequences elsewhere in the world, according to Hall.

Data placement is complicated: Hall commented that the guidelines oblige companies to log access only from Indian users or Indian computers. He said this is not easy because it requires a company to have a good idea of who its users are; moreover, IP addresses, he said, are inaccurate. He added that the process could produce many errors, as companies will have to copy log lines to another computer that stores data for the Indian government and CERT-In. There is also no clarity on fines for these mistakes, Hall said.

Incomplete data set will not be helpful: “It’s unclear (what is their intention) because if they want all the logs to understand how an attack works but you only have logs with Indian pieces; you take away the rest of the world. An attacker will come from all sorts of places and you will have an incomplete set of data. It’s a little weird,” Hall said. He said it would make sense for an attacker to launch an attack from outside India.

VPNs are not effective for attacks: “VPNs are a weird way to attack. It makes sense to cheat, but VPNs aren’t nearly as anonymous or protect privacy in an attack sense as you might think,” Hall said when asked if the guidelines would prevent attacks from being launched in India with the help of VPNs.

Reasonable lead time: “It’s hard to say because of the uncertainty, but I’d think you’d like a six-month period. Some companies may say that we will stop after three months of planning and implementation because we are spending so much for this now. It’s the kind of time frame over which you can be sure that a large diverse set of companies can smooth out any wrinkle. It shouldn’t be like: that’s what we think you should do. These things are especially difficult but we don’t see any dialogue or conversation,” Hall said.

What will be the impact on the global nature of the internet?

Intensifies the proliferation of the splinternet: “One of the biggest worries we’ve had is what we call the splinternet. These rules will create separate notions of what the internet is and how it means to operate on the internet. Searching for a specific set of time servers is directly against the spirit and the best technical practices we have to do good time operations online,” Hall stated unequivocally.


Tough regulation threatens the existence of the Internet: “Governments around the world know that the problems of society are exacerbated by some kind of online activity and everyone is trying to deal with them but these difficult regulatory moves are threatening this global resource. India is setting a really important example for like-minded people. We have seen Bangladesh and Cambodia take pieces of the IT Rules, 2021, but translate them into their own context so that they become even more dangerous in those countries,” Hall warned. He warned that such regulations create an experience where one cannot talk to anyone around the world and share ideas on how best to organize cyberspace in our society. “India is setting an important example that many other countries around the world are looking to follow on what is reasonable,” Hall said.

Engage in a collaborative dialogue: Hall urged the Indian government and nodal agencies to engage in “expert dialogue” with stakeholders, as this would lead to rules, regulations and best practices that eliminate some of the bad things on the internet. “I don’t think any of these (unintended) consequences are at the heart of what CERT-In or the Indian government wants to do. We are all here to deal with these problems and unilateral edicts like these will only cause a lot of problems,” Hall said in conclusion.

You can read MediaNama’s summary of the Internet Society’s report on CERT Guidelines here.

This post is published under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and link. Adaptation and rewriting, although permitted, should be true to the original.
