Internet Fragmentation > Indian CERT Cybersecurity Directions

What Happens If You Can’t Trust a Clock?

^{Region: Asia-Pacific
Threat type: Digital Sovereignty
Last updated: 1 December 2023}

A policy in India threatens the resilience and accuracy of the time servers the Internet relies on.

Every Internet service relies on the correct time to maintain secure, compliant systems, especially where systems and users are spread across broad geographies.

Therefore, everything on the Internet connects to a Network Time Protocol (NTP) server. This is how devices and applications determine and coordinate time across distances, devices, and connections. This is how your phone automatically resets the time when you enter a new time zone. There are around 3,000 publicly available NTP servers around the world. Connecting to multiple NTP servers means more resilience and accuracy. This is considered an industry best practice.

The Indian government mandates that all entities covered under the Indian Computer Emergency Response Team’s (CERT-In) Cybersecurity Directions must connect to two government-controlled NTP servers. These are the National Informatics Centre and the National Physical Laboratory.

Even if there’s no malicious intent, it’s important for time servers to be aligned. For example, if you have time servers that aren’t coordinated, and the discrepancy is large enough, you wouldn’t know the correct time, so you might not show up for a meeting, or know that you’re about to miss your flight. Being able to see the correct time on the user side is important, but it can make things even more complicated on the back end.

Even tiny misalignments can be catastrophic for financial transactions, which rely on time that’s accurate to the millisecond, or cybersecurity. Correct time logs are important for spotting and responding to attacks, which means that if a time log is off somewhere, a legitimate interaction or transaction could be treated as malicious. This type of disruption could be difficult to track, and could lead to widespread problems for Internet users and providers.

Even a lag in one of the NTP servers can reverberate across the Internet, and undermine its resilience globally.

Status

This policy is already in effect, and has been since 2022. This government has a long history of shutdowns and policies that harm the Internet as we know it, and critics argue that these NTP servers aren’t transparent. Even if there’s no malicious intent, it’s impossible to know if they’re reliable, or whether they will continue to be.

Our Position

Internet Society carried out an impact brief, and wrote to CERT-In and the IT ministry. We believe CERT-In should reconsider its one-size-fits-all approach and respect the decentralized nature of the network, and the long-established practice of depending on multiple NTP servers for the time.

Talking Points

The Indian government requires that all entities covered under these directions must connect to two government-mandated NTP servers at the National Informatics Centre and the National Physical Laboratory.
There are around 3,000 publicly available NTP servers around the world. Connecting to multiple NTP servers means more resilience and accuracy. This is considered an industry best practice.
CERT-In should reconsider its one-size-fits-all approach and respect the decentralized nature of the network, and the long-established practice of depending on multiple NTP servers for the time.

Take Action

Join our community as an individual or organization
Donate
Use the Internet Impact Assessment Toolkit to understand what the Internet needs to exist and thrive
Become an Internet advocate

Learn More

Internet Impact Brief: India CERT-In Cybersecurity Directions 2022
Why India’s new cybersecurity directive is a bad joke (Medianama)
CERT-In’s directions on cybersecurity: an explainer (Internet Freedom Foundation)
India’s future is digital. But new cybersecurity rules are getting in the way (Times of India)