The mandate comes just days after ExpressVPN, Surfshark and NordVPN said they would stop offering their services in the country following a directive by the Indian Computer Emergency Response Team (Cert-In) on how VPN companies should operate in India
The government has barred its employees from using third-party virtual private networks (VPN) and anonymization services offered by companies such as Nord VPN, ExpressVPN, and Tor.
The mandate comes just days after ExpressVPN, Surfshark, and NordVPN said they would stop offering their services in the country following a directive by the Indian Computer Emergency Response Team (Cert-In) on how VPN companies should operate in India
The directive also urges government employees not to save “any internal, restricted or confidential government data files on any non-government cloud service such as Google Drive or Dropbox.”
The National Informatics Centre (NIC), which is under the Ministry of Electronics and Information Technology, said it had put out the guidelines to improve the “security posture” of the government.
“In order to sensitize the government employees and contractual/outsourced resources and build awareness amongst them on what to do and what not to do from a cyber security perspective, these guidelines have been compiled,” NIC said in an internal document, titled Cyber Security Guidelines for Government Employees.
The NIC has also asked government employees to not ‘jailbreak’ or ‘root’ their mobile phones or use any external mobile app-based scanner services such as CamScanner to scan “internal government documents”. CamScanner was among several Chinese apps banned by the government in July 2020, citing national security concerns following border hostilities with the northern neighbor but continues to be operational through some versions.
“By following uniform cyber security guidelines in government offices across the country, the security posture of the government can be improved,” the directive added.
Cert-In, India’s nodal cyber security agency, had on April 28 mandated that VPN companies operating in India must maintain a log of their customers’ details, including names, addresses, and the purpose for which the VPN service was being used. Despite a push back from stakeholder companies, cybersecurity experts, and business advisory groups against the Cert-In directive, the government remained firm on its stance, with Minister of State for Electronics and IT Rajeev Chandrasekhar making clear companies that did not wish to follow the norms were “free to leave India”.
India has also taken a similar stance against VPN companies at a recently concluded meeting of the UN Ad Hoc Committee which debated a comprehensive international convention on countering the use of information and communications technologies for criminal purposes.
On Thursday the Indian delegation had asked UN Ad Hoc Committee members to counter the use of technologies including virtual private networks, end-to-end encrypted messaging services, and blockchain-based technologies such as cryptocurrency as this provided anonymity, scale, speed, and scope to terrorists thereby increasing the possibility of their remaining untraceable to law enforcement agencies. India’s suggestions to the UN Ad Hoc committee are in line with its regulatory approach at home.
Also read-: