Impact of India’s cybersecurity directions on the global internet

“CERT-In’s directions, specifically the overbroad mandate for all entities to synchronize their time with the government’s servers and for them to maintain all their ICT system logs for a period of 180 days, could have serious repercussions on the usefulness of the Internet for India and its people. The CERT-In directions endanger the very sectors that the regulation seeks to foster and protect. If enacted in its current form, the regulation could curtail the country’s digital transformation without imparting clear benefits for its economy and society,” the Internet Society (ISOC), along with the Internet Freedom Foundation (IFF), said in their internet impact report on the new cybersecurity directions issued by the Indian government.

The directions, issued by the Indian Computer Emergency Response Team (CERT-In) on April 28, have already been criticised by a long list of stakeholders, but the report by ISOC brings a new dimension to the criticism by focusing on the impact of the directions on internet development in India and the health of the global Internet.

Never miss out on important developments in tech policy, whether in India or across the world. Sign up for our morning newsletter to experience MediaNama in a whole new way.

What is the internet impact assessment based on?

The assessment is based on ISOC’s framework of:

1. Critical properties: These are properties needed for the internet to exist.
2. Enablers of an open, globally connected, secure and trustworthy internet:  While the critical properties are what is needed to have the internet, they are not sufficient for the internet to reach its full potential. Enablers are properties that are needed for the internet to thrive.

How do the cybersecurity directions impact the critical properties of the internet?

• What are the critical properties of the internet? According to ISOC’s framework, there are five critical properties of the internet:
  1. an accessible infrastructure with a common protocol
  2. a layered architecture of interoperable building blocks
  3. decentralised management and distributed routing
  4. a common global identifier system
  5. a technology-neutral, general-purpose network
• Which properties do the directions affect? Out of the five, the cybersecurity directions have a significant negative impact on the decentralised management and distributed routing property. This property emphasises the fact that the internet is a network of networks where “each network makes decisions regarding its own operations and security, based on its needs and local requirements. There is no central direction, or a controller dictating how and where connections are made, so the network grows organically, driven by local interests and needs. This results in several crucial benefits that make the Internet so successful—global reach, resilience and optimized connectivity,” the report explains.
• How do the CERT-in directions impact the decentralised management and distributed routing property: 
  • Time synchronisation requirement creates the risk of a single point of failure: The CERT-In directions negatively impact the decentralised nature of network management and operation by requiring all entities and servers to connect to the Network Time Protocol (NTP) Server of the National Informatics Centre (NIC), or to the National Physical Laboratory (NPL). CERT-In’s requirement creates a real risk of a single point of failure and vulnerability. It also goes against industry best practices for synchronizing to multiple sources of time.
  • One-size-fits-all approach for logging creates a honeypot of information: Mandating all entities to retain all of their ICT logs for a period of 180 days is an extremely broad approach, creating a honeypot (a trap to lure attackers) of log information. “This will be a significant hurdle for small and medium enterprises (SMEs) who might not have the financial resources or have the capacity to maintain such enormous archives of their logs. This could have the unintended consequence of suppressing innovation and allowing only large tech companies to be able to operate in India,” the report states.

How do the cybersecurity directions impact the “enablers” of the internet?

Privacy

• What it means: Privacy on the internet is the ability of individuals and groups to be able to understand and control what information about them is being collected, and to control how this is used and shared.
• How CERT-In directions oppose this principle: 
  • Logging requirements go against data minimisation principles:  “Without specific categories of logs that specific entities need to maintain, all entities and organizations maintaining all their logs for 180 days go against the universally accepted principle of data minimization, which is central to maintaining privacy. Said differently, data that is not collected or that is securely disposed of cannot be breached. It is unfortunate that one of the most effective technical mechanisms we have to protect against a data breach—data minimization and destruction—is exactly what CERT-In is forbidding with the new directions, effectively requiring massive data retention,” the report states.
  • Eliminates consent from the equation: “The directions are not aimed at individual users, but they adversely impact individual agency by eliminating their consent from the equation. By forcing zero-knowledge services to log information they even disregard and negate a user’s choice to use such services to begin with,” the report states.
  • Information submitted to CERT can be used for surveillance: Entities must furnish information to CERT-In when directed to do so, but there are no safeguards that this information will not be used in other contexts or for different purposes. And because non-compliance can lead to imprisonment, it skews incentives towards over-compliance. “This creates the risk of information retained under these directions being used for surveillance,” the report states.
  • Requirements for customer information are unnecessary and could lead to rogue uses: “Services such as VPS and VPN providers, which by design do not collect data, should not have to collect data that are not relevant to their operations to satisfy the new directions, just as private spaces cannot be mandated to carry out surveillance to aid law enforcement purposes. It further creates a situation where data that could not be breached before now must be collected and protected against breaches and rogue uses of such data,” the report states.
  • Directions dilute tools that help keep us all safe online: “Zero-knowledge systems enable security and anonymity over the Internet, discourage tracking and profiling and help keep users safe on the Internet, especially vulnerable and marginalized sections of society. CERT-In’s directions risk diluting the essence of these tools that keep all of us safe when we are online,” the report states.
  • Violates Puttuswamy test: The directions violate the Right to Privacy recognised under Article 21 of the Indian Constitution and are also not in line with the principles of proportionality and lack procedural guarantees as enshrined in the Puttaswamy test, the report states.
  • Even more concerning that India does not have a data protection law: “What makes CERT-In’s directions related to data collection even more risky is that India does not have a data privacy law nor a data protection law. Therefore, citizens in the country do not have the surety that their data will be safeguarded against overuse, abuse, profiling, or surveillance. The current draft of the data protection bill provides sweeping exceptions to the state. Thus, the existence of requirements to retain logs that may include personally identifiable information, coupled with the lack of procedural safeguards, will have a chilling effect on speech,” the report states.

Accountability

• What does it mean? Accountability on the internet is the assurance given to users that organisations they interact with are acting in a transparent and fair way.
• How CERT-In directions oppose this principle: 
  • CERT-In in India has a larger mandate than its global peers: Across the world, the role of Computer Emergency Response Teams (CERTs) is to respond to cybersecurity incidents to regain control and minimise damage, to provide or assist with effective incident response and recovery, and to prevent computer security incidents from re-occurring. “Generally, the primary mission of CERTs is to act as a trustworthy partner of the public and private sectors in responding to and resolving cybersecurity incidents,” the report explains. But in India, “the directions expand the remit of CERT-In and make it less effective,” the report states.
  • CERT-In acting as a law enforcement agency: The directions “threaten to incapacitate CERT-In, as network operators and service providers will be reluctant to acknowledge and share details of incidents if CERT-In is also acting in a law enforcement or regulatory role,” the report points out.
  • CERT’s ability to undertake emergency response is questionable: “The requirement to report a broad range of incidents within six hours risks overwhelming CERT-In with large volumes of reports, compromising its ability to undertake any ‘emergency response’,” the report states.
  • Crypto-related directions should be left out: CERT-In also oversteps its mandate by asking cryptocurrency exchanges and wallets to maintain information for five years about their customers and transactions. “This should not be part of the CERT-In directions. Instead, these services and service providers should be regulated through financial statutes, compliance mechanisms, norms and practices,” the report states.

Easy and Unrestricted Access

• What does it mean? The internet has to be affordable and accessible to all users and networks can easily become part of the internet without unnecessary regulatory or commercial barriers.
• How CERT-In directions oppose this principle: 
  • Entry-barriers arising due to the logging requirement: The CERT-In directions required all entities to mandatorily enable logs of all their ICT systems and maintain the same for a rolling period of 180 days. “In doing so, the CERT-in directions discourage new actors from easily entering the market by significantly raising the barriers for entry, and pose considerable challenges for existing entities,” the report states. Logging is necessary for security-related events, but other types of logs may not hold much value and also not all entities play an essential role in providing services for the digital infrastructure in India.
  • Cutting access to zero-knowledge systems: The directions force no-log VPNs and other zero-knowledge systems to retain information that was not being logged to begin with. “This opens up questions about the continued legality of such services as they operate currently, and risks cutting off users in India from accessing them,” the report states.
  • The burden on SMEs owing to the 6-hour timeline: The requirement for entities to report cyber incidents within six hours of noticing them will put pressure on small and medium enterprises (SMEs) who might be unable to hire staff around the clock to comply with this requirement.” SMEs have a key role to play in helping this national ambition, and will increasingly rely on the digital infrastructure available to them to engage in trade and service delivery. The CERT-In directions will create barriers for SMEs to easily connect to the Internet or rely upon it for their purpose,” the report states.

Collaborative Development, Management, and Governance

• What does it mean? The technologies and standards that underpin the internet should be developed, managed, and governed in an open and collaborative way. This also extends to the services built on top of the Internet.
• How CERT-In directions oppose this principle: 
  • Follows a top-down approach: By following a top-down approach, the CERT-In directions contradict this principle. “Cyber incidents, similar to disasters and crises, are best addressed collaboratively, where the multi-stakeholder model is adopted and various entities are involved. Creating security and trust in the Internet requires different players (within their different responsibilities and roles) to take action, closest to where the issues are occurring. Most often, for greater effectiveness and efficiency, solutions should be defined and implemented by the smallest, lowest or least centralized competent community at the point in the system where they can have the most impact. Such communities are frequently spontaneously formed in a bottom-up, self-organizing fashion around specific issues (e.g. spam, or routing security) or a locality (e.g. protection of critical national infrastructure, or security of an Internet exchange),” the report explains.

Data Confidentiality of Information, Devices, and Applications

• What does it mean? The internet should allow end-users to send sensitive information that eavesdroppers and attackers cannot see. This is usually accomplished with tools such as encryption.
• How CERT-In directions oppose this principle: 
  • Undermines time security: Data confidentiality through encryption is highly dependent on the correct time, but syncing to a one-time source as required by the directions undermines this, the report states. This issue is better examined in the next section.

Integrity of Information, Applications, and Services

• What does it mean? The integrity of data sent over the Internet and stored in applications should not get compromised.
• How CERT-In directions oppose this principle: 
  • Forcing entities to adopt one source of time undermines security services: “A lot of security services rely on precise and accurate time, and making sure time is reliable is an important goal. […] One of the main purposes of the NTP protocol is that it eradicates clocks with the wrong time by comparing several sources of time. Ideally, an NTP instance takes its time from at least three sources that do not share a common source. By forcing all users in India to use clocks that depend on one source they completely undermine the resiliency offered by using diverse sources of time,” the report explains.
  • Prescribed NTP servers do not support Network Time Security (NTS) standard: An important requirement missing from the NTP servers listed by CERT-In is the support for Network Time Security (NTS)—a standard that is designed to ensure that the time network is getting is coming from a trusted source and is not modified by an attacker.

Reliability, Resilience, and Availability

• What does it mean? The internet is considered reliable when technology and processes are in place that permits the delivery of services as promised. If an internet service’s availability is unpredictable, then users will observe this as unreliable.
• How CERT-In directions oppose this principle: 
  • Time synchronisation requirement makes the internet unreliable: As explained in the previous sections, the requirement to connect to the Indian government’s NTP servers for time poses multiple risks that affect the reliability of the internet. The requirement creates a single point of failure and vulnerability, the report states.
  • Uncertainties about the specifications and capacity of the NTP servers: “There are also uncertainties about the location, geographical distribution, and configuration of the NIC and NPL servers. In a system where everything is dependent on the time drift not being more than a nanosecond, it is important that any questions about the configuration, latency, service levels, and time sources of the NIC and NPL servers be clearly and publicly answered. There are also concerns about the capacity of the Indian government’s servers, and whether the NIC and NPL servers are able to serve potentially millions of entities and billions of devices hitting the same set of servers from the perspectives of technical capacity, budget, and human resources,” the report explains.

What are the recommendations made by ISOC?

1. Use multiple servers for time: ISOC recommends that CERT account for the decentralized nature of network management, where depending on multiple servers for accurate time is a long-established practice. “There are more than 3,000 publicly available NTP servers on the Internet at present. Industry best practice encourages connecting to multiple NTP servers simultaneously. This enables the NTP algorithms to determine which is the best overall source of time. Risks such as noise in measurements, network delays, and network asymmetries are mitigated by connecting to many NTP servers, as long as the servers are reasonably independent of each other,” the report states. The report also states that if CERT-In operates high precision NTP servers that are stable and well-reachable, then the NTP protocol will converge to use it, without any mandate.
2. Implement a focused approach to logs: “CERT-In should conduct a comprehensive risk assessment, and specify the categories of entities and logs such organizations must maintain,” the report recommends.
3. Clearly lay our scope of use of information by CERT: CERT-In should clearly lay out the scope of use of information demanded from entities in case of cyber incidents. This is crucial for the privacy of users’ and business data, the report states.
4. CERT-in should not deviate from its original mandate: “CERT-In was essentially established to coordinate communications among security and computer experts during emergencies and to help prevent future computer security incidents. It should therefore not deviate from its original mandate,” by requiring broad access to logging information and acting as a financial watchdog for crypto exchanges and wallets, the report states.
5. Increase reporting timeline and base it on severity: “The requirement for entities to report cyber incidents within six hours of noticing them is not aligned with global best practices. The EU’s General Data Protection Regulation (GDPR) allows a three-day window to report breaches. […] CERT-In must identify the most important vulnerabilities, severities, and criticalities that need to comply with the six-hour timeline, allowing second- and third-level criticalities more time to report cyber incidents,” the report states.

Update (3 June, 5:30 pm): Featured image has been changed.

Also Read

• Global Coalition Criticises India’s Cybersecurity Directive
• Fact Check: Do Other Countries Have Lesser Than 6 Hours To Report Cybersecurity Incidents?
• Why India’s New Cybersecurity Directive Is A Bad Joke
• Deep Dive: The Legality Of India’s New Cybersecurity Directive

Update (3 June, 5 pm): Featured image has been changed