Government Employees Prohibited to Use Third-Party VPN Services
Government employees are not permitted to use third-party virtual private networks (VPNs) or anonymization services provided by firms such as Nord VPN, ExpressVPN, or Tor.
The directive comes just days after ExpressVPN, Surfshark, and NordVPN announced that they will no longer provide services in India in response to an Indian Computer Emergency Response Team (Cert-In) directive on how VPN businesses should operate in the nation.
“In order to sensitize the government employees and contractual/outsourced resources and build awareness amongst them on what to do and what not to do from a cyber security perspective, these guidelines have been compiled”, according to NIC (National Informatics Centre).
Employees are also advised not to save "any internal, restricted, or confidential government data files on any non-government cloud service such as Google Drive or Dropbox," according to the NIC.
The NIC, which is part of the Ministry of Electronics and Information Technology, claimed the rules were issued to improve the government's "security posture."
“All government employees, including temporary, contractual/outsourced resources are required to strictly adhere to the guidelines mentioned in this document. Any non-compliance may be acted upon by the respective CISOs/Department heads,” according to the internal document
“By following uniform cyber security guidelines in government offices across the country, the security posture of the government can be improved,” the directive states.
On April 28, Cert-In, India's central cybersecurity body, demanded that VPN businesses operating in India keep a track of their customers' information, including names, addresses, and the reason for using the VPN service.
Despite opposition to the Cert-In mandate from stakeholder corporations, cybersecurity experts, and business advisory groups, the government stood firm, with Minister of State for Electronics and IT Rajeev Chandrasekhar making a statement.
At a recent meeting of the UN Ad Hoc Committee, which debated a comprehensive international agreement on preventing the use of information and communications technologies for criminal purposes, India took a similar stance against VPN businesses.
“All government employees, including temporary, contractual/outsourced resources are required to strictly adhere to the guidelines mentioned in this document. Any non-compliance may be acted upon by the respective CISOs/Department heads,” according to the internal document.