Why India should not (yet) mandate companies to adopt a specific time source

‘What CERT-In is asking companies to do has no meaning’

The Indian government’s recent diktat to companies to sync their system clocks with the time servers traceable to the National Informatics Centre (NIC) or the National Physical Laboratory (NPL) has received strong pushback from cybersecurity experts for lacking clarity and being impractical, but these concerns are just the tip of the iceberg when it comes to time synchronisation, a former researcher at the Council of Scientific And Industrial Research (CSIR), which runs the National Physical Laboratory, told MediaNama.

The researcher explained to us that the root problems lie elsewhere, as India neither has a legal time yet nor the infrastructure required to disseminate time to a large group of entities. The researcher has worked to address these concerns for over a decade, but these efforts have still not yielded the desired results, the researcher said.

How do most companies currently get their time?

“Today most companies including telecom service providers use GPS-based systems to get their time. GPS is a group of satellites maintained by the US, and the source of GPS time is the US Naval Observatory (USNO),” the researcher said. “Everybody says they are using Indian Standard Time (IST) but they don’t follow Indian Standard Time because time through GPS-based systems is UTC time,” the researcher explained.

However, some organisations in India have started relying on NPL for their time. “After a lot of efforts, ISRO started taking time from NPL. Before that even ISRO was using GPS time. In 2018, they got a two-way satellite communication established with NPL. Now Indian satellites use NPL time,” the researcher remarked. The Indian Air Force, airports, and several banks also use the time generated by NPL.

What are the issues with how companies currently get their time?

While GPS-based time might serve companies for all practical purposes, some interests, including national security, are under threat when there is no single source of truth. The researcher gave three examples of situations in which a single source of truth for time is necessary:

  1. Evidence in a court of law: “If you need to win in the court of law with the evidence you provide, it should have event correlation. For example, let’s take a bank transfer from A to B via a bank. Suppose I have connected to the bank using Reliance, the bank has its communication through Airtel, and the receiver has the link with Vodafone. Your transaction has travelled through three service providers. Imagine there has been some hacking or some mischief in any of these three points. When the police collect your digital evidence, they need to establish communication links. But if you take the logs of the three providers, you can never correlate them because they are not using a single source of truth for the time. You cannot prove the guilt. A common man is not able to win his case because his evidence could not be verified.”
  2. Countering terrorism: “Suppose a police organization identifies a terrorist. And the terrorist uses a mobile phone that hops between different service providers. Like he has a call from A to B but then the call travels between different telecom service providers. For this call to be traced, you will not be able to find the sync between the telecom providers if they are not using the same time source. So it is one of the issues which is threatening your national security. A terrorist could not be identified because his call could not be traced.”
  3. Wars: “A bigger national security threat is in the case of a war. All missiles are launched with specified time accuracy. So if you are syncing the time to GPS and the source of that is the US, there are chances for manipulation there resulting in your missiles failing. It has happened in the Iran and Iraq war.”

What should the Indian government do to address these concerns?

  1. Make IST the legal time of the country: “Every country has a legal time, but India doesn’t,” the researcher said. “You need to have a mandatory law to say Indian Standard Time is the legal time of India. If you compare this with other countries, in 1966, there was a US law introduced called the Uniform Time Act stating what the legal time for the US is and what the source for that is.” We need to have a similar law in India, the researcher said. As far back as 2018, Hindustan Times reported that India is seeking to legalise IST, but there hasn’t been any update on the progress of this since then.
  2. Set up a time dissemination authority under the Ministry of Consumer Affairs: Once a law is established, the government needs to set up an authority that will disseminate this official time across the country. This authority must be under the Ministry of Consumer Affairs and will be the single source of truth for the time. The NPL can continue to be the primary source of time for the authority, the researcher said.
  3. Set up necessary time dissemination infrastructure across the country: The time dissemination authority should then set up the necessary infrastructure to provide NPL time to companies across the country. “NPL was given the project to set up five regional centres in the laboratories of consumer affairs in 2017, but that project is still going on,” the researcher said. Furthermore, ISRO should come out with Indian-satellite receiver systems that Indian companies can rely on rather than GPS systems synced to US clocks, the researcher said.
  4. Companies will then be better equipped to adopt time from NPL: Once the law is passed and the necessary infrastructure is built, companies will be better equipped to get their time from NPL, the researcher said, at which point the government can issue directions mandating them to adopt NPL as their source.

Why is NPL the primary source of time?

“There is an act called the Legal Metrology Act, 2009, which deals with SI units like time, length, volume, etc. So the Ministry of Consumer Affairs, which implements this Act, in its capacity, tasked the National Physical Laboratory to be the custodian of time as well as other SI units. That means the primary source of time for the country is the National Physical Laboratory’s time system. NPL is in constant sync with the atomic clocks across the globe,” the researcher explained.

However, after a separate time disseminating authority is established, NPL’s role should be narrowed, the researcher said. “National Physical Laboratory, though it is the primary source of time for our Indian Standard Time, it is a scientific organisation and they are research scientists and their work should be limited to producing time and time accuracy and not disseminating it,” the researcher opined. “The Consumer Affairs Ministry is responsible for all the consumers of this country. And if somebody wants to consume time, they have to provide the infrastructure and the support.”

CERT-In’s new rules are futile until the above is done

According to the directions issued by the Indian Computer Emergency Response Team (CERT-In) on April 28:

All companies including service providers, intermediaries, data centres, corporate bodies, and government organisations must connect to the Network Time Protocol (NTP) Server of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL) or to servers traceable to these NTP servers for synchronisation of all their information and communications technology (ICT) systems clocks. Those entities with ICT infrastructure spanning multiple geographies can also use accurate and standard time sources other than NPL and NIC, as long as their time source does not deviate from NPL and NIC.

Commenting on this order, the researcher said:

  • Does NIC have the capability? “We have to explore if NIC has the capability to support such a large base of customers across the whole nation and whether they have given thought to the volume of services they will be required to provide,” the researcher said. “NIC is yet to establish two-way satellite communication with NPL. At least ISRO has established two-way communication between them and the NPL laboratory,” the researcher remarked.
  • It’s a stop-gap arrangement: “What CERT is asking companies to do has no meaning until the Consumer Affairs makes IST the legal time of India and the primary source of IST is NPL. Anything else is a stop-gap arrangement, nothing concrete or meaningful,” the researcher said.
  • CERT’s vision is narrow: “You need to understand the root cause and resolve the root cause. CERT has only kept its agenda in mind when issuing directions, instead of looking at the larger problem,” the researcher said.

What are some other issues with CERT’s directions?

Speaking to MediaNama, a number of cybersecurity experts criticised CERT’s directions for various reasons. As far as the time synchronisation provision goes, here are the complaints they had:

  • Latency issue: “Let us say you are running a data centre. You have to connect all the servers to a time server. By the very nature of a data centre, imagine you have like 25,000 machines in one building. Which time server would you bank on? The one near you that you control or one someone else gives you. You will choose the one you have control over. And why is that? Latency,” cybersecurity researcher Anand Venkatanarayanan said. Latency is the time taken for a message to travel from one server to another and a higher latency is undesirable. When servers are further apart, the latency tends to be higher.
  • We don’t know anything about NIC’s servers: “In a system where everything is dependent on time drift not being more than certain nanoseconds or milliseconds, the most important infrastructure piece is the time server. Now, if you are running a 25,000 data centre, why would you want to use NIC’s time server? Does it make any sense at all? And what is the configuration of NIC’s time server, you don’t know that. What’s the latency? You don’t know that. We rely on a technology called Anycast to reduce latency. Is NIC’s time server Anycast? The answer is no,” Venkatanarayanan remarked. MediaNama has filed an RTI with CERT seeking more technical details about the NIC’s NTP servers referred to in the directive. We will post an update once we get a response.
  • Cannot be in lock-step: “If you say that we should be in lockstep, then you have to have this continuous dialogue with another system where you go every second and update. And that’s not a feasible way to keep your time synced, which is why we do this update every now and then,” Suman Kar, CEO of cybersecurity firm Banbreach, explained. “So it’s a fairly complex problem and we are basically guessing what the peers’ time will be and what my time should be and making adjustments. Any diktat that says ‘shall not deviate’ from NTP servers is essentially pointless at this point.”
  • Cannot find NIC servers list: “When they say that we should use NIC’s NTP servers, I don’t know what they’re talking about because I’ve not been able to find any such list,” Kar remarked.
  • NIC, NPL servers will be overwhelmed: “Even if you were to have this set of servers, you are going to be a bit overwhelmed if everyone starts hitting the same set of servers. So until and unless CERT has figured out a budget and human resources required to run dedicated NTP services that a country like India will probably need, the practical viability of this particular direction looks difficult, if not impossible to me,” Kar said.
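
The latency and "shall not deviate" points above can be made concrete with the standard NTP offset calculation (RFC 5905), in which a client can only bound its clock error by half the round-trip delay. This is an added example, not code from the article or from anyone quoted in it; the delays and the 50 ms clock offset are constructed values, and the function names are hypothetical.

```python
# Added example: how an NTP client estimates its offset from a server, and
# why network latency limits how closely any clock can "not deviate".
# All timing values are constructed for illustration.

def exchange(true_offset, out_delay, back_delay, t1=1000.0, server_proc=0.0001):
    """Simulate one request/response; return the four NTP timestamps.

    true_offset: server clock minus client clock, in seconds.
    out_delay / back_delay: one-way network delays, in seconds.
    """
    t2 = t1 + out_delay + true_offset      # server receives (server clock)
    t3 = t2 + server_proc                  # server replies  (server clock)
    t4 = t3 - true_offset + back_delay     # client receives (client clock)
    return t1, t2, t3, t4

def estimate(t1, t2, t3, t4):
    """Offset and round-trip delay as the client computes them."""
    offset = ((t2 - t1) + (t3 - t4)) / 2   # assumes both directions are equal
    delay = (t4 - t1) - (t3 - t2)          # network time only
    return offset, delay

def measure(true_offset, out_delay, back_delay):
    offset, delay = estimate(*exchange(true_offset, out_delay, back_delay))
    return {
        "estimated": offset,
        "error": offset - true_offset,     # unknowable to a real client
        "delay": delay,
        "bound": delay / 2,                # worst-case error the client can claim
    }

TRUE_OFFSET = 0.050                              # client is 50 ms behind
local = measure(TRUE_OFFSET, 0.0002, 0.0002)     # on-site server, symmetric path
remote = measure(TRUE_OFFSET, 0.030, 0.010)      # distant server, asymmetric path

if __name__ == "__main__":
    for name, r in (("local", local), ("remote", remote)):
        print(f"{name:6s} estimated={r['estimated']*1e3:7.3f} ms  "
              f"error={r['error']*1e3:6.3f} ms  bound=±{r['bound']*1e3:6.3f} ms")
```

With the on-site server the estimate matches the true offset to within 0.2 ms; with the distant, asymmetric path the client is off by 10 ms and can only say it is within ±20 ms, which is the uncertainty a log timestamp inherits.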

Note: The researcher’s name has been withheld on request for anonymity.
