On the gulf between desire and reality

by Anand Venkatanarayanan

CERT-IN's VPN logging announcement in context

The latest rules by CERT India asking VPN providers to collect user data or face jail terms is interesting because the organisation lacks both:

• the technical capability

• the enforcement powers
  

Their technical limitations were on display in November 2019 when Meta
reported the vulnerabilities in WhatsApp that were used by Pegasus.
CERT-IN famously responded that it was “a communication in pure
technical jargon." https://twitter.com/ANI/status/1190313180947369984

The VPN notification also contains gems, such as:

1. Strict requirement to use specific Indian controlled NTP servers,
   3 out of 4 of which are down.
   https://twitter.com/kingslyj/status/1520701996118216704

2. Report incidents via a form (whatever happened to STIX or TAXI?)

   1. Including port scanning attempts (!!)

3. Mandatory logging of data with 180 days retention for every server

4. Every data centre, public company or corporation that provides hosting or cloud services must collect user data.

The Ukraine war has clearly demonstrated the dangers of relying on other countries' infrastructure. It is understandable to want to limit reliance on external infrastructure.

The key takeaway here, though, is that although countries want to be self-reliant, aspiration is no substitute for capacity, capability and budgets.