Yesterday, after the NSE technical glitch, Naavi.org raised the suspicion that it could be a Cyber Attack probably emanating from China. Today, it appears that this angle is being pursued with further investigation by the Home Ministry taking into account other recent incidents that occurred recently.
According to this report in Hindu, “The government’s senior cyber security officials are looking into both the Airtel and Jio incidents to see if they were possible attacks,” ….” they expected to know more about the cases in the next few days”….”the attacks could have emanated from a neighbouring country.”
The incidents flagged include the 32 lakh debit card data that was breached, Network outage experienced by Airtel on July 7, and Jio data breach reported on July 9.
This “China Risk” has long been ignored by the Telecom industry in pursuance of “Profits at any cost”. A few years back, the Government had set up a “Security Certification Lab” at IISc in Bangalore to certify telecom equipments from security perspective after coming to know that some of these equipments had a backdoor apparently to enable remote servicing of the software. We have not heard much about the activities of this lab except that the operations of the lab were sponsored by none other than “Huawei” !. The logic of getting the activity sponsored by the Chinese equipment supplier with connections to the Chinese Government must be known only to the then Government and the officials who represented in the committee that supervised in this project.
It is not clear if our Government under Modi has come out of the clutches of Chinese influence and the perception is that it has not. In this context the caution sounded by the Home Ministry as per this report is welcome.
The report also says that the Home Ministry official also said “We have been warning the telecom companies for long regarding the use of Chinese products. Earlier personalisation of SIM cards was being done by Bharat Sanchar Nigam Limited (BSNL) for a fee, but later on the contract was given to Chinese companies. Essentially all telephone data is with the Chinese and we had warned against this dependence,”
Now that the Home Ministry has flagged this issue, we need to see some action to remedy the situation.
I had recently pointed out the danger of using Chinese made Finger Print scanners to be used for Aadhar Enabled Payment System suggesting that the data would be diverted to China. I therefore suggested that unless we are able to develop “Tamper Proof” biometric scanners in the facilities of BEL or ECIL, we should defer the implementation of AEPS.
I wish that at least now the relevant ministry officials realize the risk of using imported Biometric devices in AEPS and ensure that we donot make the mistake of going ahead with AEPS without proper preparation.
We know that Jio uses a biometric device for registration of customers and we donot know if it is a Chinese made equipment. May be some of the security professionals check out with the Jio dealers and let us know if this could be one of the reasons how the Jio customer data was leaked. According to one report even the CDR data of 120 million Jio users is available in the dark web for a price. If this is so, then Jio has a lot to explain about its security preparedness. Probably the giant IT companies who are working with Jio in designing the systems some of them are Indian companies, need to explain their perspective of security in Jio.
I have a doubt that apart from the data that was leaked out, there is a possibility of Aadhar registered biometric data also being available in a stored form because all Jio customers were registered with Aadhar KYC.
Now the Government has asked other mobile service providers also to link Aadhar and some of them are stating that it would require biometric based KYC and not merely providing the Aadhar number. The risk of biometric data being leaked is therefore very much there in this process.
I therefore request the Government to ensure that no Chinese made biometric devices are being used by the mobile service providers to register Aadhar.
In the meantime we await the result of the investigations about NSE technical glitch to find out whether it was in deed a Cyber Attack from China as we surmise or it was really a normal technical glitch.
Naavi.org is fully in support of the movement to reduce the national dependence on Chinese products as a means of opposing the Chinese support to Pakistani terrorists through border skirmishes. Many feel that the Chinese dependency is so deep rooted that it would be difficult to impose “People’s Sanctions” that can really hurt China, but it is still a mark of protest that requires pursuing.