“Every provision is a walking disaster,” “not feasible at all,” “don’t understand the rationale behind it,” “there are so many unanswered questions,” “no one is going to comply with these directions,” “a complete joke,” were some of the comments made by cybersecurity experts to MediaNama when we asked them what they thought about CERT-In’s new cybersecurity directive.
The Indian Computer Emergency Response Team (CERT-In), which is the government-appointed nodal agency tasked with performing cybersecurity-related functions in the country, on April 28 issued new directions covering aspects related to the timeframe for reporting cybersecurity incidents, synchronisation of clocks, maintenance of logs for 180 days, and maintenance of KYC and transaction information for crypto exchanges and VPN providers. Cybersecurity experts spared no time in criticising these new directions for a long list of reasons.
CERT-In’s new time synchronisation direction
What does CERT-In want companies to do: It wants companies to connect to the Network Time Protocol (NTP) Server of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL) or to servers traceable to these NTP servers for synchronisation of their systems clocks. Those entities with infrastructure spanning multiple geographies can use other accurate sources as long as their time source does not deviate from NPL and NIC.
Why is time synchronisation important: Computers depend on time for a whole lot of reasons, but when it comes to cybersecurity, having a synced time across systems helps with incident response. “One of the first things attackers do is try to cover their tracks once they enter your system. And one way they do that is by fiddling around with the clock time. So your logs go astray. And if you don’t have proper logs, then doing any sort of incident response or any sort of forensic investigation becomes very difficult,” Suman Kar, CEO of cybersecurity firm Banbreach, explained.
How do computers get the time? “We ask others because my laptop, for example, doesn’t really have access to a time source, something like a quartz crystal that oscillates a particular number of times in a given second and that is how we define what a second is,” Kar added. So, computers and other devices get the time from something called a time server.
The complexity behind time servers: “A time server obtains very accurate time from the GPS satellite system. This server is a highly technical and expensive piece of equipment,” cybersecurity researcher Anand Venkatanarayanan said. “The way in which time servers work is via synchronisation. So let’s say you have a server and then you have a time server. This server asks the time server what the time is. What if the time server is down and not responsive? Then you experience a drift, which can break down authentication and cause interconnected systems to misbehave. So the purpose of the NTP protocol is to minimise time drift by getting time from a reliable, authenticated source,” Venkatanarayanan explained. “Time is a very difficult problem because it’s a continuous process. Just because you are in sync with some server that’s sitting halfway across the world, doesn’t mean you are going to be in sync the next second. Because your system can have unpredictable delays in updating the next second,” Suman Kar explained.
Why CERT-In’s directions are absurd:
- Latency issue: “Let us say you are running a data centre. You have to connect all the servers to a time server. By the very nature of a data centre, imagine you have like 25,000 machines in one building. Which time server would you bank on? The one near you that you control or one someone else gives you. You will choose the one you have control on. And why is that? Latency,” Venkatanarayanan said. Latency is the time taken for a message to travel from one server to another and a higher latency is undesirable. When servers are further apart, the latency tends to be higher.
- We don’t know anything about NIC’s servers: “In a system where everything is dependent on time drift not being more than certain nanoseconds or milliseconds, the most important infrastructure piece is the time server. Now, if you are running a 25,000 data centre, why would you want to use NIC’s time server. Does it make any sense at all? And what is the configuration of NIC’s time server, you don’t know that. What’s the latency? You don’t know that. We rely on a technology called Anycast to reduce latency. Is NIC’s time server Anycast? The answer is no,” Venkatanarayanan remarked. MediaNama has filed an RTI with CERT enquiring more technical details about the NIC’s NTP servers referred to in the directive. We will post an update once we get a response.
- Why will companies choose NIC’s servers over much better options out there: “How do you sync servers that are geographically separate unless you have total control over those servers? So Google essentially built a server system called True Time, which keeps all the servers participating in a database operation, work within a particular time window, by building several time master machines per datacenter and a timeslave daemon per machine geographically synced in time, even though they are in different geographical locations. It’s truly an engineering marvel. Are companies going to choose NIC servers over this? […] After spending millions of dollars to build a time server that uses GPS clocks across multiple geographical locations all around the world, why should I have to bank on CERT-In’s single option,” Venkatanarayanan asked.
- Cannot be in lock-step: “If you say that we should be in lockstep, then you have to have this continuous dialogue with another system where you go every second and update. And that’s not a feasible way to keep your time synced, which is why we do this update every now and then,” Kar explained, “So it’s a fairly complex problem and we are basically guessing what the peers’ time will be and what my time should be and making adjustments. Any diktat that says ‘shall not deviate’ from NTP servers is essentially pointless at this point.”
- Cannot find NIC servers list: “When they say that we should use NIC’s NTP servers, I don’t know what they’re talking about because I’ve not been able to find any such list,” Kar remarked.
- NIC, NPL servers will be overwhelmed: “Even if you were to have this set of servers, you are going to be a bit overwhelmed if everyone starts hitting the same set of servers. So until and unless CERT has figured out a budget and human resources required to run dedicated NTP services that a country like India will probably need, the practical viability of this particular direction looks difficult, if not impossible to me,” Kar said.
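The offset and delay arithmetic behind the latency and drift arguments above, as an added example that is not part of the article: it packs a constructed NTPv4 server reply, computes the RFC 5905 clock offset and round-trip delay from the four timestamps, and checks whether the result can satisfy a "shall not deviate" tolerance once the uncertainty introduced by network latency is counted. All timestamps and the reply are constructed.

```python
"""NTP offset and delay computation (RFC 5905) plus a drift-tolerance check.
Added example; the server reply and all timestamps are constructed."""
import struct
from dataclasses import dataclass

NTP_EPOCH_OFFSET = 2_208_988_800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01


def to_ntp(unix_seconds: float) -> int:
    """Unix time -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    ntp = unix_seconds + NTP_EPOCH_OFFSET
    whole = int(ntp)
    return (whole << 32) | int((ntp - whole) * (1 << 32))


def from_ntp(ts: int) -> float:
    """64-bit NTP timestamp -> Unix time."""
    return (ts >> 32) + (ts & 0xFFFFFFFF) / (1 << 32) - NTP_EPOCH_OFFSET


def build_server_reply(t1: float, t2: float, t3: float, stratum: int = 2) -> bytes:
    """Pack a minimal 48-byte NTPv4 server reply (mode 4) as a stand-in for a real
    server: t1 = client send time (echoed as originate), t2 = server receive,
    t3 = server transmit."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4  # leap=0, version 4, mode 4 (server)
    return struct.pack(
        "!BBbbII4sQQQQ",
        li_vn_mode, stratum, 0, -20,      # poll exponent, precision 2^-20 s
        0, 0, b"GPS\0",                   # root delay, root dispersion, reference id
        to_ntp(t3), to_ntp(t1), to_ntp(t2), to_ntp(t3),  # reference, originate, receive, transmit
    )


@dataclass
class SyncResult:
    offset: float     # seconds the local clock lags (+) or leads (-) the server
    delay: float      # round-trip network delay with server processing time removed
    max_error: float  # offset uncertainty from unknown path asymmetry: delay / 2
    stratum: int


def parse_reply(data: bytes, t1: float, t4: float) -> SyncResult:
    """Derive offset and delay from a reply; t4 is the local time it arrived."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    if data[0] & 0x7 != 4:
        raise ValueError("not a server reply")
    if data[1] == 0:
        raise ValueError("kiss-o'-death or unsynchronised server, discard")
    originate, receive, transmit = struct.unpack("!QQQ", data[24:48])
    if abs(from_ntp(originate) - t1) > 1e-6:  # reply must echo our own request
        raise ValueError("originate timestamp mismatch, possible spoofed reply")
    t2, t3 = from_ntp(receive), from_ntp(transmit)
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return SyncResult(offset, delay, delay / 2, data[1])


def within_tolerance(result: SyncResult, max_offset_s: float) -> bool:
    """True only if the clock is provably within max_offset_s of the server, i.e.
    measured offset plus the asymmetry bound. A distant, high-latency server widens
    that bound, which is why operators prefer a nearby time source they control."""
    return abs(result.offset) + result.max_error <= max_offset_s
```

With a 100 ms round trip the measured offset may be only 0.5 ms, yet the clock cannot be shown to be within 10 ms of the server, because up to half the delay could sit on either leg of the path.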
Are there privacy concerns with using NIC’s time servers? “There could be privacy concerns. Depending upon whether you want the government of India to know that you have a server with so and so IP,” researcher Srinivas Kodali told MediaNama. But Suman Kar argued otherwise. “With NTP, what I’m really doing is I’m asking a few people what the current time is. You really can’t create a profile of me, depending on how frequently and who I ask about time,” Suman Kar said.
The new 6-hour reporting timeline
What does CERT-In want companies to do: All companies must mandatorily report cyber incidents to CERT-In within 6 hours of noticing such incidents or being brought to notice about such incidents.
Why CERT-In’s timeline is unreasonable:
- You don’t have staff working 24/7: “The thing is most people do not have staff 24/7, so what do you do if you get an alert at say, three in the morning or a late Friday night? Because that’s exactly what happened to Bangladesh Bank,” Suman Kar said.
- Does CERT have the capacity? “Is CERT really expecting people to report incidents at midnight? Does CERT have the capacity to actually accept this?” Srinivas Kodali asked. “When people actually do report incidents, it never responds to any emergency incidents. Have you seen CERT-In ever responding to an actual emergency? Even after it happens they never address it. They’re not equipped to do it.”
- No rationale behind the number: “Why? I don’t get the rationale behind 6 hours,” Suman Kar asked. “I think for HIPAA breach notification [in the US], if the breach involves more than 500 records, you have up to 60 days following a breach,” Kar gave as an example. “It is one thing to say we think there is some suspicious activity that we are looking into. But coming out with a definitive statement, even for the largest and best-equipped companies, is not very easy.”
- Not in line with global standards: “The CERT-In directions aim to solve legitimate problems. But the means to achieve the ends differ from global best practices and can create operational challenges. […] For instance, the 6-hour timeline to report cyber incidents is steep, and is not something that is seen in other jurisdictions. Singapore’s personal data protection law provides a 3-day window, similar to the GDPR’s breach reporting requirements,” Vijayant Singh, Ikigai Law, told MediaNama. “Also worth considering is that other regulators (in the health and finance sector, as well as the upcoming data regulator) may set up different reporting timelines, which can create confusion and add to the reporting burden,” Singh added.
- Should at least be 24 hours: “Unless it is a nation-state attack and you need CERT-In’s ‘expert’ assistance, you need at least 24 hours to report something. That is the bare minimum. It doesn’t make sense for any company to report the incident in under six hours. They won’t even know it for months,” Kodali remarked.
- At least base it on severity: “The 6-hour timeline for reporting incidents is short. If 6 hours is critical then we have to segregate based on the incident severity. The top vulnerabilities to be reported within 6 hours. The second level and third level criticalities can be provided some time,” Muthian Chockalingam, technology consultant for the Government of Tamil Nadu, told MediaNama.
- Principle of proportionality needs to be applied: “The principle of proportionality needs to be applied to the reporting requirements for cyber incidents to email@example.com else they would be drowned in low-value incident reports,” Tarun Dua, co-founder of E2E Networks said.
Maintenance of logs for 180 days
What does CERT want companies to do: Companies must mandatorily enable logs of all their ICT systems and maintain them securely for a rolling period of 180 days and the same should be maintained within the Indian jurisdiction. These should be provided to CERT-In along with reporting of any incident or when ordered by CERT-In.
Why this is not feasible:
- A decent-sized organisation will generate 1TB of logs in a day: “Server logs are something that companies maintain in order to run their own analytics, detect threats, whatever. On average, what’s the number of logs that they generate? If you are a decent-sized organisation, 1 TB a day is very normal. Now, does CERT want companies to maintain such logs just for them even if the companies don’t find any use for it? And how does CERT want to get these logs if they need them, by PDF? And this is 1TB from one organisation. Does CERT have the capacity to receive this data from hundreds of companies?” Venkatanarayanan asked.
- No scope defined: “They have not defined which devices should be in scope and which devices should not be. Second, they have not specified which services are in scope and which services aren’t. Even if you are running, let’s say a simple website, your web server is not the only piece of software that you’re running. So you’ll be running hundreds of services. So what are the log files that those services need to save? For any moderately popular service, you are going to have a gazillion amount of logs for every second,” Suman Kar said.
- Financial stress as well as performance stress: “So you’re putting financial stress as well as performance stress on services,” Kar said. “How? Because not only do you now need to store logs which basically require extra storage you also have to store them within India, which means you have to probably go to some service provider with data centres in India. Now, if you look at the way pricing is done for these services, for any cloud service, you’ll see that the cost of computing and storage in India is usually higher than if you were using a compute or storage VM based somewhere like the western part of the US,” Kar said. “The other thing is the moment you turn on logging, your system goes slower. Because printing output is a slow process,” Kar added.
What are the privacy concerns with this requirement:
- Logs contain personally identifiable information: “Log data often contains PII. I know this because a number of my friends actually have been involved in recent times in efforts at major corporations in redesigning their logs to scrub all PII,” Kar said. “Let’s say if you’re running program X and there’s a crash. The program will probably generate a log. These logs contain your system file path. So it will have something like /Users/Sarvesh/Documents, something like that. So this log contains your name, your personally identifiable information. So that’s a potential leak,” Kar explained with an example.
- Don’t know how CERT is going to handle the data: “We don’t know how CERT is going to handle, process and store the log data,” Kar said. “Until and unless CERT produces a document that lists the chain of custody that they are going to follow, the kind of storage that they are going to use. For example, if they say, we are going to keep the logs encrypted at all times, whether it is at rest or in transit or in use, we want to keep it encrypted. Then, you know there’s a semblance of privacy preservation. Otherwise, it’s a matter of time before things start leaking. The other thing is CERT doesn’t tell us whether they are going to share this with anyone else or not.”
- Could be violating GDPR: “What’s the privacy angle over here? It’s a minefield. Essentially, the moment you are talking about logs, you are walking on eggshells because there would be a number of services operating not just in India but also in Europe, and you start sharing logs, you may be potentially violating alternate data privacy regimes like GDPR because you’re not supposed to,” Kar said.
- Lack of oversight: “Now CERT-In is saying that you will have to give it to them for any investigation that CERT might be doing somewhere else. So you don’t know if there is an actual investigation or CERT-In is probably demanding these logs to, say, understand who is visiting MediaNama. There is a lack of oversight,” Srinivas Kodali said. “One can say that CERT is only demanding this in case of a breach to investigate something. But we don’t know because there is no oversight. There is no transparency. We really don’t know how many breaches you have processed, what actions you have taken.”
- Warrantless search: “Asking private organisations to share this sort of data, no matter what the exigency is, can be construed as a form of a warrantless search,” Kar said.
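One way to scrub the kind of PII Kar describes (home-directory user names in crash paths, e-mail addresses, source IPs, phone numbers) before logs are retained or handed over, as an added example that is not from the article or any of the people quoted: each identifier is replaced by a keyed, truncated HMAC so incident responders can still correlate events from the same user or address without the raw value being stored. The key, the patterns and the sample log lines are constructed for the example.

```python
"""Pseudonymising PII in log lines before retention or sharing.
Added example; the key and the sample log lines are constructed."""
import hashlib
import hmac
import re

# Constructed key; in production it comes from a secret store and is rotated so that
# pseudonyms in old logs cannot be re-linked to people indefinitely.
PSEUDONYM_KEY = b"example-key-rotate-me"

# Identifier shapes that turn up in application and crash logs. Tune per log format:
# the IPv4 pattern, for example, will also hit dotted version strings like 1.2.3.4.
# The home-dir pattern skips already-pseudonymised "<user:...>" segments.
HOME_DIR = re.compile(r"(/Users/|/home/|C:\\Users\\)((?!<)[^/\\\s]+)")
EMAIL = re.compile(r"\b[\w.%+-]+@[\w-]+(?:\.[\w-]+)*\.[A-Za-z]{2,}\b")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PHONE_IN = re.compile(r"(?:\+91[-\s]?)?\b[6-9]\d{9}\b")  # Indian mobile numbers


def pseudonym(kind: str, value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed, truncated HMAC: the same user or IP always maps to the same token, so
    responders can still correlate events, but the raw value is gone."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:12]
    return f"<{kind}:{digest}>"


def scrub_line(line: str) -> str:
    """Replace every PII match with its pseudonym. Home paths go first so the
    user-name token is in place before the remaining patterns run."""
    line = HOME_DIR.sub(lambda m: m.group(1) + pseudonym("user", m.group(2)), line)
    line = EMAIL.sub(lambda m: pseudonym("email", m.group(0).lower()), line)
    line = IPV4.sub(lambda m: pseudonym("ip", m.group(0)), line)
    line = PHONE_IN.sub(lambda m: pseudonym("phone", re.sub(r"\D", "", m.group(0))[-10:]), line)
    return line


def scrub_log(lines):
    return [scrub_line(line) for line in lines]


def leaks_pii(line: str) -> bool:
    """Gate to run before a log leaves the host: does any raw PII pattern remain?"""
    return any(p.search(line) for p in (HOME_DIR, EMAIL, IPV4, PHONE_IN))


# Constructed sample lines; the crash-log path mirrors the example given in the article
SAMPLE_LOG = [
    "2022-04-29T03:12:44Z crash: segfault in /Users/Sarvesh/Documents/app/main.py:42",
    "2022-04-29T03:13:01Z login failed user=sarvesh@example.com from 203.0.113.7",
    "2022-04-29T03:13:05Z login failed user=priya@example.com from 203.0.113.7",
    "2022-04-29T03:13:09Z otp sent to +91 9876543210 session=8f1c",
]
```

The two failed logins still share one `<ip:...>` token after scrubbing, so a brute-force pattern remains visible while the address itself does not.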
Requirements for data centres, VPN and cloud service providers
What does CERT-In want companies to do: Data Centres, Virtual Private Server (VPS) providers, cloud service providers, and Virtual Private Network Service (VPN Service) providers, are required to register the following accurate information about customers and subscribers for a period of 5 years or longer duration after any cancellation or withdrawal of the registration:
- Validated names of subscribers or customers hiring the services
- Period of hire including dates
- IPs allotted to or being used by the members
- Email address and IP address and time stamp used at the time of registration
- The purpose of hiring services
- Validated address and contact numbers
- Ownership pattern of the subscribers or customers hiring services
Why this is problematic:
- Will anyone comply with these requirements? “I can run a VPN on my Amazon account by spinning a machine in less than a minute and use it when I travel. What will Amazon do about it? Are they going to keep logs? And how, since I own that machine for a small time? This is basically a policy which is non-enforceable and CERT doesn’t have the capacity to detect if it is not enforced,” Venkatanarayanan said.
- The direction will not affect criminals: “This is just going to make life difficult for the general, law-abiding citizen who’s just using VPN to get by. Someone who is a ransomware operator, that person is not going to be deterred by certain directives. They anyway have access to specialized service providers,” Suman Kar said.
- No one will buy an Indian VPN: “VPNs are about preserving your privacy but the government is suddenly saying now you have to do KYC for VPNs. Somebody will challenge it. Obviously, nobody will buy any Indian VPN,” Srinivas Kodali said.
- Can contain confidential company data: “My VM (Virtual Machine) usage pattern can leak sensitive or company confidential information. It might basically give my competitors an idea of how I optimize my services. So that is critical business information that I would never, ever want anyone else to have. So basically you want insight into my operational efficiency,” Kar explained.
- Will result in users shifting to shadier services: “In both, the crypto KYC as well as the cloud service-related directions, there’s a very high possibility that genuine consumers who were using service X will be driven away from this name brand service to some shadier service Y just because that shadier service says that we don’t really care about certain directions. The moment you bring in regulation, complying with regulation incurs a certain amount of cost, that cost has to be borne by the company and the company will in turn pass that cost onto the consumers or their customers, which means at the end of the day, your service costs will increase and then there will be these shady operators who say, okay, we’re not compliant, so we can keep our prices low,” Kar said. “This is exactly what happened when the government banned the number of apps. The moment there was this ban, a number of new apps cropped up on Google Play Store and researchers found a few months later that most of them were bogus and essentially either captured customers’ PII or were luring unsuspecting customers to scams and fraud.”
- Can make it difficult for Indian services to compete globally: “The new regulations as applied to Cloud Providers does make it difficult to make India as the data centre of the world or at least from Morocco to Japan where we have all the natural advantages of some of the best pricing for data centre services in all of Asia-Pacific region,” Tarun Dua said.
- Cannot take away certain rights in the name of security: “Requirements to register VPN users, linking of identification to IP addresses raise serious privacy concerns and should be removed. CERT-IN cannot take away the right to use certain tools in the garb of cyber security,” Mishi Choudhary, technology lawyer and Founder at SFLC.in, told MediaNama.
MediaNama has reached out to Amazon Web Services, Google Cloud, Jio, and Cloudflare for their responses and will update this post once we get them.
CERT-In’s outdated incident reporting procedure
Currently, companies can report incidents to CERT-In over email, phone, fax, or by filling in a PDF form that is available on their site. This process is outdated and inefficient for reporting cybersecurity incidents, as Anand Venkatanarayanan and Suman Kar point out:
- This is not the 1990s: “It’s a PDF document that you have to print out, fill up and then submit. This is not the 1990s. And it’s not even a PDF form, cause this one is not even fillable,” Kar remarked.
- Should I send 100,000 PDFs: “If I run a dense organisation, on average I get 100,000 IPs trying to scan or brute force my servers in 1 hour. Should I send a PDF form with 100,000 IPs?” Venkatanarayanan asked.
- Why are they not using machine-readable formats like STIX and TAXII? “Imagine there is malware that is hosted on XYZ IP address and in 25 other domains and it’s a different type of malware. How do I send it to them, in PDF or some machine-readable format like STIX? Threat intelligence is nowadays shared in machine readable formats and in YARA rules, but not in PDF forms. The notification shows CERT-In is not even aware that this format exists,” Venkatanarayanan remarked.
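What the machine-readable alternative looks like for the case Venkatanarayanan describes (one malware sample hosted at an IP address and several domains), as an added example that is not CERT-In's or any vendor's code: it builds a STIX 2.1 bundle with a malware object, one indicator per observable, and `indicates` relationships tying them together, validating each value before it is embedded in a STIX pattern. The malware name, IP and domains are constructed, documentation-range values.

```python
"""STIX 2.1 bundle for malware hosted at an IP and a set of domains: the
machine-readable form of a report that would otherwise be a PDF. Added example
with constructed, documentation-range values; not CERT-In's or a vendor's code."""
import ipaddress
import uuid
from datetime import datetime, timezone

# STIX patterning language for the two observable types used here
PATTERNS = {"ipv4": "[ipv4-addr:value = '{v}']", "domain": "[domain-name:value = '{v}']"}


def stix_timestamp(dt: datetime) -> str:
    """STIX timestamps are UTC, RFC 3339 style with millisecond precision and 'Z'."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def validate(kind: str, value: str) -> str:
    """Reject values that would break or inject into the pattern string, and
    malformed addresses, before they are embedded in the bundle."""
    if kind not in PATTERNS:
        raise ValueError(f"unsupported observable kind {kind!r}")
    if "'" in value or "\\" in value or any(c.isspace() for c in value):
        raise ValueError(f"unsafe characters in {kind} value")
    if kind == "ipv4":
        ipaddress.IPv4Address(value)  # AddressValueError (a ValueError) if malformed
    return value


def _common(obj_type: str, created: str) -> dict:
    """Properties every STIX Domain Object / Relationship Object carries."""
    return {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}",
            "created": created, "modified": created}


def indicator(kind: str, value: str, created: str) -> dict:
    validate(kind, value)
    return {**_common("indicator", created), "name": f"{kind} {value}",
            "indicator_types": ["malicious-activity"], "valid_from": created,
            "pattern": PATTERNS[kind].format(v=value), "pattern_type": "stix"}


def hosted_malware_bundle(malware_name: str, hosts: dict, created: str) -> dict:
    """hosts maps kind -> values. Each value becomes an indicator linked to the
    malware object by an 'indicates' relationship, so a recipient gets the IOCs
    and what they belong to in one parseable document."""
    malware = {**_common("malware", created), "name": malware_name, "is_family": False}
    objects = [malware]
    for kind, values in hosts.items():
        for value in values:
            ind = indicator(kind, value, created)
            rel = {**_common("relationship", created), "relationship_type": "indicates",
                   "source_ref": ind["id"], "target_ref": malware["id"]}
            objects += [ind, rel]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


# Constructed report: one hosting IP and two domains, all from documentation ranges
EXAMPLE_CREATED = stix_timestamp(datetime(2022, 4, 29, 3, 12, 44, 123456, tzinfo=timezone.utc))
EXAMPLE_BUNDLE = hosted_malware_bundle(
    "ExampleLoader (constructed)",
    {"ipv4": ["203.0.113.5"], "domain": ["host-a.example.net", "host-b.example.net"]},
    EXAMPLE_CREATED,
)
```

`json.dumps(EXAMPLE_BUNDLE)` is the document a TAXII server would serve or a recipient would ingest; adding the 25 other domains is a longer list, not a longer form.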
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.