The Indian government clarified that not all companies have to sync their system clocks to the time provided by the National Informatics Centre (NIC) or the National Physical Laboratory (NPL) and companies with infrastructure spanning multiple geographies such as cloud service providers can use their own time source as long as it does not deviate from NPL and NIC time.
As per the cybersecurity directive issued by the Indian Computer Emergency Response Team (CERT-In) on April 28, companies are required to connect to the Network Time Protocol (NTP) server of the NIC or NPL, or to servers traceable to these NTP servers, for synchronisation of their system clocks. But this requirement has received strong pushback from cybersecurity experts for lacking clarity and being impractical. While cybersecurity experts pointed out that companies already have their own high-quality time sources, a former researcher at the Council of Scientific and Industrial Research (CSIR), which runs the National Physical Laboratory, told MediaNama that NPL does not have the infrastructure required to disseminate time to a large group of entities.
The clarification that not all companies have to connect to NIC/NPL servers comes as a relief, but even so, the requirement that their time source “shall not deviate” from these servers raises questions.
What aspects of time sync did the government clarify?
In a FAQs document on the CERT-In directive, the Ministry of Electronics and Information Technology (MeitY) addressed the following questions pertaining to time synchronisation:
- Why is it required to synchronise systems clocks with NTP servers of NIC or NPL? A typical cyber incident involves multiple computer systems within as well as across entities. Without an accurate time stamp, it is extremely challenging to re-create an accurate sequence of events thus causing serious hindrance while handling cyber incidents. Moreover, security technologies also rely heavily on specific patterns and correlation rules that are often based on time parameters, therefore, unsynchronised clocks across systems could result in the failure of security systems as well as the entity’s ability to act on proactive alerting/advisory of CERT-In as well as other agencies.
- Organisations having ICT infrastructures spanning multiple geographies, such as Cloud Service Providers, use internally-setup global NTP servers which are typically synchronized with external time sources. Synchronizing the clocks differently in the ICT portion located in India could pose technical issues. Can they continue with their original method of time synchronisation for ICT Infrastructure in India? The requirement of synchronising time is stipulated to ensure that only standard time facilities are used across all entities. Organisations having ICT infrastructures spanning multiple geographies may use accurate and standard time sources other than National Physical Laboratory (NPL) and National Informatics Centre (NIC), however, it is to be ensured that their time source shall not deviate from NPL and NIC.
- ICT infrastructure that runs on Cloud uses time sources inherent within the Cloud. Is it now required to discontinue the current practice and sync only with the NIC and NPL? Cloud ICT infrastructures that span multiple geographies typically set up their own NTP servers to ensure conformity of time across the entire ICT infrastructure as well as to enable them to handle complexities arising out of situations like leap smearing in a uniform way. As per the directive, a common standard time source is required and it also permits the use of accurate and standard time sources other than NPL and NIC for large ICT infrastructure, however, it is to be ensured that their time source shall not deviate from NPL and NIC. Customers in cloud environments, on the other hand, have an option to use the native time services offered by the Cloud to synchronize their clock or they can also set up their own NTP server within their cloud environment. The entities relying on the native time services offered as part of the Cloud may continue to use the same, however, if any entity operates their own NTP service (using an NTP server or any other device), which synchronises with time sources other than native cloud time services, the same shall be synchronised with the NTP Servers of NIC or NPL.
- Is it required to synchronise clocks in Indian Standard Time (IST)? No. NTP Server provides a timestamp in UTC, and the conversion of UTC to local time is done at the host which receives the NTP sync from the NTP Server. NPL or NIC also provides UTC time as per global norms. The current directive requires uniform time synchronisation across all ICT systems irrespective of time zone. The time zone information shall also be recorded along with time to facilitate accurate conversion at the time of need.
- How to synchronize system clocks with the NTP Server of the National Informatics Centre or National Physical Laboratory? System clocks can be synchronised by configuring NTP Servers of the NIC or NPL as a time source in the enterprise NTP Server. The details of the NTP Servers of NIC and NPL are currently as follows:
  - National Informatics Centre (NIC): samay1.nic.in, samay2.nic.in
  - National Physical Laboratory: time.nplindia.org
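As an added illustration, not taken from the article or from MeitY's FAQ, the following Python script queries the NIC/NPL servers listed above with a minimal NTPv4 client, computes the local clock offset and round-trip delay using the RFC 5905 formulas, and flags a source whose offset or delay exceeds a tolerance. The tolerance values and the function names are assumptions; the directive itself gives no numeric definition of "deviate".

```python
import socket
import struct
import time

NTP_EPOCH_DELTA = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)
NTP_FMT = "!BBbb11I"          # 48-byte NTPv4 packet: 4 header bytes + 11 32-bit words
NIC_NPL_SERVERS = ["samay1.nic.in", "samay2.nic.in", "time.nplindia.org"]  # from the FAQ

def to_ntp(unix_ts):
    """Unix float seconds -> (seconds, fraction) 64-bit NTP timestamp."""
    secs = int(unix_ts)
    return secs + NTP_EPOCH_DELTA, int((unix_ts - secs) * 2**32)

def from_ntp(secs, frac):
    return secs - NTP_EPOCH_DELTA + frac / 2**32

def build_request(t1):
    """Client packet: LI=0, VN=4, mode=3; only the transmit timestamp (T1) is set."""
    secs, frac = to_ntp(t1)
    return struct.pack(NTP_FMT, 0x23, 0, 0, 0, *([0] * 9), secs, frac)

def compute_offset(reply, t1, t4):
    """RFC 5905 offset/delay from T1 client send, T2 server receive, T3 server send, T4 client receive."""
    f = struct.unpack(NTP_FMT, reply[:48])
    if f[0] & 0x7 != 4:                      # mode 4 = server reply
        raise ValueError("not a server reply")
    if (f[9], f[10]) != to_ntp(t1):          # origin timestamp must echo our T1
        raise ValueError("origin timestamp mismatch (spoofed or stale reply)")
    t2, t3 = from_ntp(f[11], f[12]), from_ntp(f[13], f[14])
    offset = ((t2 - t1) + (t3 - t4)) / 2     # how far the local clock lags the server
    delay = (t4 - t1) - (t3 - t2)            # round trip minus server processing time
    return {"stratum": f[1], "offset": offset, "delay": delay}

def query(host, timeout=2.0):
    # Live measurement against one server; needs network access.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(build_request(t1), (host, 123))
        data, _ = s.recvfrom(48)
        t4 = time.time()
    return compute_offset(data, t1, t4)

def deviates(result, max_offset_s=0.1, max_delay_s=1.0):
    """Assumed policy check (thresholds are illustrative): too much offset or delay to trust."""
    return abs(result["offset"]) > max_offset_s or result["delay"] > max_delay_s

def make_sample_reply(t1, t2, t3, stratum=1):
    """Constructed server reply for offline testing; not a real capture."""
    return struct.pack(NTP_FMT, 0x24, stratum, 0, -20, 0, 0, 0, 0, 0,
                       *to_ntp(t1), *to_ntp(t2), *to_ntp(t3))
```

Running `query(host)` for each entry in `NIC_NPL_SERVERS` gives a per-source offset and delay; comparing the offsets across the three servers also shows whether the official sources agree with each other.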
Why is there still some confusion even after the clarification?
“Time is a very difficult problem because it’s a continuous process. Just because you are in sync with some server that’s sitting halfway across the world, doesn’t mean you are going to be in sync the next second. Because your system can have unpredictable delays in updating the next second,” Suman Kar, CEO of cybersecurity firm Banbreach, explained to MediaNama.
“If you say that we should be in lockstep, then you have to have this continuous dialogue with another system where you go every second and update. And that’s not a feasible way to keep your time synced, which is why we do this update every now and then,” Kar explained, “So it’s a fairly complex problem and we are basically guessing what the peers’ time will be and what my time should be and making adjustments. Any diktat that says ‘shall not deviate’ from NTP servers is essentially pointless at this point.”
Kingsly on Twitter further points out that the NIC and NPL servers themselves are not in sync with each other:
GoI with near infinite resources and total control over both NIC and NPL and their 5 NTP servers is unable to keep them all in sync with each other.
But they expect businesses across the country and MNCs around the world to be in sync with all of them!
— (@kingslyj) May 20, 2022
What are the other issues with CERT’s direction?
Speaking to MediaNama, a number of cybersecurity experts criticised CERT’s directions for various reasons. As far as the time synchronisation provision goes, here are the complaints they had:
- Latency issue: “Let us say you are running a data centre. You have to connect all the servers to a time server. By the very nature of a data centre, imagine you have like 25,000 machines in one building. Which time server would you bank on? The one near you that you control or one someone else gives you. You will choose the one you have control over. And why is that? Latency,” cybersecurity researcher Anand Venkatanarayanan said. Latency is the time taken for a message to travel from one server to another and a higher latency is undesirable. When servers are further apart, the latency tends to be higher.
- We don’t know anything about NIC’s servers: “In a system where everything is dependent on time drift not being more than certain nanoseconds or milliseconds, the most important infrastructure piece is the time server. Now, if you are running a 25,000 data centre, why would you want to use NIC’s time server. Does it make any sense at all? And what is the configuration of NIC’s time server, you don’t know that. What’s the latency? You don’t know that. We rely on a technology called Anycast to reduce latency. Is NIC’s time server Anycast? The answer is no,” Venkatanarayanan remarked. MediaNama has filed an RTI with CERT enquiring about more technical details of the NIC’s NTP servers referred to in the directive. We will post an update once we get a response.
- Why will companies choose NIC’s servers over much better options out there: “How do you sync servers that are geographically separate unless you have total control over those servers? So Google essentially built a server system called True Time, which keeps all the servers participating in a database operation, and work within a particular time window, by building several time master machines per data center and a time slave daemon per machine geographically synced in time, even though they are in different geographical locations. It’s truly an engineering marvel. Are companies going to choose NIC servers over this? […] After spending millions of dollars to build a time server that uses GPS clocks across multiple geographical locations all around the world, why should I have to bank on CERT-In’s single option,” Venkatanarayanan asked.
- NIC, NPL servers will be overwhelmed: “Even if you were to have this set of servers, you are going to be a bit overwhelmed if everyone starts hitting the same set of servers. So until and unless CERT has figured out a budget and human resources required to run dedicated NTP services that a country like India will probably need, the practical viability of this particular direction looks difficult, if not impossible to me,” Kar said.
- Connection to NTP servers can affect security: The requirement is “very concerning because it could negatively affect companies’ security operations as well as the functionality of their systems, networks, and applications, amongst other reasons,” the Information Technology Industry Council (ITI), which represents some of the largest tech companies in the world including Apple, Amazon, Meta, Google, and Microsoft, noted in its letter to the Indian government.
Update (20 May, 3:25 pm): Added tweet by Kingsly on NIC/NPL servers not being in sync with each other.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.