CERT-In Cybersecurity Directions
What happens if you can’t trust a clock?
Everything on the Internet connects to what’s called a Network Time Protocol (NTP) server. This is how devices and applications determine and coordinate time across distances, devices, and connections. This is how your phone automatically resets the time when you enter a new time zone. There are around 3000 publicly available NTP servers around the world. Connecting to multiple NTP servers means more resilience and accuracy, so this is considered an industry best practice.
Why Does It Matter?
Every Internet service relies on the correct time to maintain secure, compliant systems, especially where systems and users are spread across broad geographies.
The Indian government mandates that all entities covered under the CERT-In Cybersecurity Directions must connect to two government-controlled NTP servers: those of the National Informatics Centre (NIC) and the National Physical Laboratory (NPL).
This government has a long history of shutdowns and policies that harm the Internet as we know it, and critics argue that these NTP servers aren’t transparent. It’s impossible to know if they’re reliable, or will continue to be.
If you have time servers that aren’t coordinated, and the discrepancy is large enough, you wouldn’t know the correct time, so you might not show up for a meeting, or know that you’re about to miss your flight. But even tiny misalignments can be catastrophic for financial transactions, which rely on time that’s accurate to the millisecond, or cybersecurity, where correct time logs are vital for spotting and responding to attacks.
Malicious intent isn’t required here. Even a lag in one of the NTP servers can reverberate across the Internet, and undermine its resilience.
This policy is already in effect, and has been since 2022. Internet Society carried out an impact brief, and wrote to CERT-In and the IT ministry. We believe CERT-In should reconsider its one-size-fits-all approach and respect the decentralized nature of the network, and the long-established practice of depending on multiple NTP servers for the time.
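To make the case for multiple time sources concrete, here is an added example (not part of the original page) that runs Marzullo's algorithm, the interval-agreement method that NTP's source selection refines, over constructed offset readings. The source names, offsets and error bounds are made up for illustration.

```python
# Added example. Readings are constructed: (source, offset_ms, error_ms) means
# the source reports the local clock is off by offset_ms, give or take error_ms.
TWO_SOURCES = [("source-a", 2.0, 5.0), ("source-b", 480.0, 5.0)]
FOUR_SOURCES = TWO_SOURCES + [("source-c", -1.0, 5.0), ("source-d", 4.0, 5.0)]


def marzullo(readings):
    """Return (count, lo, hi): the interval that the most sources agree on."""
    edges = []
    for _, offset, err in readings:
        edges.append((offset - err, -1))  # interval opens
        edges.append((offset + err, +1))  # interval closes
    edges.sort()  # at equal points, opens sort before closes
    best = count = 0
    lo = hi = None
    for i, (point, kind) in enumerate(edges):
        count -= kind
        if count > best:
            best, lo, hi = count, point, edges[i + 1][0]
    return best, lo, hi


def assess(readings):
    """Name the suspect sources, or report that the data cannot decide."""
    best, lo, hi = marzullo(readings)
    if best * 2 <= len(readings):  # no strict majority agrees
        return {"verdict": "undecidable", "agreeing": [], "suspect": []}
    agreeing = [s for s, off, err in readings if off - err <= lo and hi <= off + err]
    suspect = [s for s, _, _ in readings if s not in agreeing]
    return {"verdict": "ok", "agreeing": agreeing, "suspect": suspect}


if __name__ == "__main__":
    print(assess(TWO_SOURCES))
    print(assess(FOUR_SOURCES))
```

With two sources that disagree there is no majority, so the check cannot tell which clock is wrong; with four, the lagging source stands out and can be ignored.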
Threat category:
Centralization of operational control
Fragmentation risk:
Global time infrastructure
Affected region(s):
India