It is heartening to note
that close on the heels of banning Chinese Mobiles without IMEI
numbers, and banning of telecom equipment from China, the Government of
India has now moved in to create a Telecom Security Certification Agency
to provide security clearance to telecom supplies from China.
It is no secret that most
telecom operators including the public sector BSNL have been using
Chinese supplies both for consumer end equipment such as internet modems
as well as equipment in the exchange. These are security
sensitive decisions where bugs may be implanted to compromise the control
of the entire telecom system.
With the specific instance
of credit card swiping devices supplied from China to England having
been found to have been tampered with at Chip level, there is a proven
history of Chinese manufacturers being involved in espionage, cyber crime
and cyber warfare.
If the Indian Government had
not so far reacted properly to this security threat, it was because there
was lack of political will or security vision in the past. Now to the
credit of the home minister Mr Chidambaram, things appear to be moving in
the right direction.
The latest move to request
Dr N Balakrishnan, Director, IISC, to suggest a framework under which a
security certification agency can be set up is the right move in this
direction and is therefore heartening.
Recently, one of the major
telecom operators had raised its voice against the ban on Chinese telecom
imports and argued that this would increase the cost of the equipment.
Other commercial organizations who put profits before everything else
would naturally support this move and one can expect that a lobby has
already been working in diluting the "Ban Chinese Telecom Equipment"
order.
We trust that the move to
set up the security agency itself is not influenced by this industry
lobby with an intention to overcome the ban by manipulating the decisions
of the agency.
In the past, Chinese
manufacturers are reported to have even penetrated security regulatory
agencies in India at the highest level and supplied equipment and
computer systems because of their price advantage. We understand that
a Chinese supplier like Huawei has suggested that its executives sport
Indian names so that they appear more friendly to Indian customers. This
is indicative of the desperateness of China to penetrate the Indian
telecom market.
It is flattering to think
that this desperateness is because India is a commercially important
market. But one cannot rule out the possibility that this is also because
China would like to retain its control on the Cyber War button to overhaul
India. Otherwise for a Country which keeps meddling in Arunachal Pradesh
and Ladakh and which is militarily ambitious, it is not natural to
appear bending low to seek Indian commercial markets.
We are also aware that
Chinese Cyber War strategy does not end in hacking into some Government
websites but extends into planting of people in Indian Companies who may
infuse malicious codes in the software supplied to their customers.
In this background, Dr
Balakrishnan should ensure that the frameworks suggested for the Security
Certification Agency are strong enough to withstand commercial
influences from any telecom operator or from petty politicians who may be
influenced or even by some of the large IT companies who may unwittingly
support a Chinese intrusion.
Some of the precautions
that need to be taken in this regard are:
a) Every software and
hardware supplied directly or indirectly from China should be subject to
prior security clearance from the agency.
b) The agency should have
the right to demand recall of equipment in the market and conduct sample
checks even after the clearance is given.
c) It should be ensured
that in critical areas, control is exercised on the possibility of
equipment being manipulated several months after supply through a
"Maintenance" or "Repair" operation. Hence even the AMC contracts are to
be closely monitored.
d) User companies need to
be properly educated on the security risks and liabilities fixed if they
do not comply with security oversight.
e) The agency should use
these powers properly and report to the Parliament periodically and its
work itself should be subject to a review by a high powered committee.
f) Enough checks and
balances are to be built to ensure that the agency is not prevented from
fulfilling its designated role through infiltration of the agency at the
management or operational level.
g) Apart from IISC, only
organizations such as CDAC and DRDO should be involved at the highest
policy level and only persons of impeccable integrity and commitment to
national security should be part of the core policy making body.
h) The intelligence
agencies including NTRO which have shown their incapability to resist
political influence should also be kept out of the core policy committee.
i) Organizations such as
SETS which are indirectly controlled by private sector and managed by
persons of tainted reputation should also be kept out of the system.
j) The head of the agency
must be a statutorily appointed authority with a fixed contractual term
and supported by a multimember board again consisting of persons with the
requisite background and integrity.
Dr Balakrishnan has an
enviable task of suggesting a framework which can undertake the onerous
and technologically complex task without compromising on the possible
intrusion of commercial and political interests not only now but in
future as well.
We hope that the Government
would be transparent on the process and let Dr Balakrishnan's
recommendation be effectively debated, refined if necessary and
implemented in all earnestness.
Naavi
May 16, 2010