A new government order restricts employees from using third-party, non-government cloud platforms, including Google Drive and Dropbox, and virtual private network (VPN) services, including NordVPN and ExpressVPN. The order passed by the National Informatics Centre (NIC) has been circulated to all ministries and departments; all government employees must comply with the directive, Gadgets 360 has learned. The new move by the government comes just weeks after directing VPN service providers and data center companies to store their user data for up to five years.
Citing increased cyberattacks and threat perception to the government, the 10-page document seen by Gadgets 360 ordered employees to “not upload or save any internal, restricted, confidential government data or files on any non-government cloud service (ex: Google Drive, Dropbox, etc.).” The document is titled “Cyber Security Guidelines for Government Employees.”
In addition to restricting employees from using the popular cloud services, the government instructed employees through its directive not to use any third-party anonymization services and VPNs, including NordVPN, ExpressVPN, Tor, and proxies. Additionally, it directed the workforce to refrain from using “unauthorized remote administration tools” such as TeamViewer, AnyDesk, and Ammyy Admin, among others.
Government employees are also directed to not use any “external email services for official communication” and conduct “sensitive internal meetings and discussions” using “unauthorized third-party video conferencing or collaboration tools.”
The government also ordered employees not to “use external websites or cloud-based services for converting/ compressing a government document”. It also directed the workforce to not use “any external mobile app-based scanner services,” including CamScanner, for “scanning internal government documents.
Notably, the government banned CamScanner in 2020 as a part of its initial move to restrict China-based apps in the country. However, some government officials were still being seen using the app to scan physical copies of their official documents.
Alongside restricting the usage of certain apps, the government’s order also directed employees not to ‘jailbreak’ or ‘root’ their mobile phones.
The directive also ordered employees to take measures, including using complex passwords, updating passwords once in 45 days, and updating the operating system and BIOS firmware with the latest updates and security patches.
“All government employees, including temporary, contractual/ outsourced resources, are required to adhere to the guidelines mentioned in this document strictly,” the order said. “The respective CISOs/ department heads may act upon any non-compliance.”
The order was released on June 10 after a couple of revisions in the original draft made by the NIC. It included inputs from India’s Computer Emergency Response Team (CERT-In) and was approved by the Ministry of Electronics and Information Technology (MeitY) secretary.
Gadgets 360 has contacted Google, Dropbox, and other entities to get their comments on the government’s directive. This article will be updated when the companies in question respond.
In late April, the CERT-In issued a directive to make it mandatory for VPN service providers, data centers, virtual private server (VPS) providers, and cloud service providers to keep user data for five years or even longer. The order will come into force on June 28.
As a result of that order, VPN service providers, including NordVPN, ExpressVPN, and Surfshark, have decided to remove their physical servers in the country as they follow no-log policies and are not technically capable of storing logs. The major VPN entities, and some digital rights groups, have also raised privacy concerns for users in keeping their data.
Tech companies, including Facebook and Google, also warned that the rules made by CERT-In could create a frightening environment.
