Â It is heartening to note that close on the heels of banning Chinese Mobiles without IMEI numbers,Â and banning of telecom equipments from China, the Government of India has now moved in to create a Telecom Security Certification Agency to provide security clearance to telecom supplies from China.
It is no secret that most telecom operators including the public sector BSNL have been using Chinese supplies both for consumer end equipments such as internet modems as well as equipments in the exchange. These are security sensitiveÂ decisions where bugs may beÂ implanted to compromise the control of the entire telecom system.
With the specific instance of credit card swiping devices supplied from ChinaÂ to England having been found to have been tampered with at Chip level , there is a proven history of Chinese manufacturers being involved in espionage, cyber crime and cyber warfare.
If Indian Government had not so far reacted properly to this security threat, it was because there was lack of political will or security vision in the past. Now to the credit of the home minister Mr Chidambaram, things appear to be moving in the right direction.
The latest move to request Dr N Balakrishnan, Director, IISC, to suggest a framework under which a security certification agency can be set up is the right move in this direction is therefore heartening.
Recently, one of the major telecom operators had raised its voice against the ban on Chinese telecom imports andÂ argued Â that this would increase the cost of the equipments. Other commercial organizations who put profits before everything else would naturally support this move and one can expect that a lobby has already been working in diluting the “Ban Chinese Telecom Equipment” order.
We trust that the move to set up the security agency itself is not influenced by this industry lobby with an intention to overcome the ban by manipulating the decisions of the agency.
In the past, Chinese manufacturers are reported toÂ have even penetrated security regulatory agencies in India at the highest level and supplied equipments and computer systems because of their price advantage. We understand that Chinese supplier like Huawei has suggested their executives to sport Indian names so that they appear more friendly to Indian customers. This is indicative of the desperateness of China to penetrate the Indian telecom market.
It is flattering to think that this desperateness is because India is a commercially important market. But one cannot rule out the possibility that this is also because China would like tretain its controlÂ on the Cyber War button to overhaul India. Otherwise for a Country which keeps meddling in Arunachal Pradesh and Ladakh and which is militarily ambitious , it is not natural to appearÂ bending low to seek Indian commercial markets.
We are also aware that Chinese Cyber War strategy does not end in hacking into some Government websites but extends into planting of people in Indian Companies who may infuse malicious codes in the software supplied to their customers.
In this background, Dr Balakrishnan should ensure that the frameworks suggested for the Security Certification Agency should be strong enough to withstand commercial influences from any telecom operator or from petty politicians who may be influenced or even by some of the large IT companies who may unwittingly support a Chinese intrusion.
Some of the precautions that need to be taken in this regard are
a) Every software and hardware supplied directly or indirectly from China should be subject to prior security clearance from the agency.
b) The agency should have the right to demand recall of equipments in the market and conduct sample checks even after the clearance is given.
c) It should be ensured that in critical areas, control is exercised on the possibility of equipments being manipulated several months after supply through a “Maintenance” or “Repair” operation. Hence even the AMC contracts are to be closely monitored.
d) User companies need to be properly educated on the security risks and liabilities fixed if they donot comply with security oversight.
e) The agency should use these powers properly and report to the Parliament periodically and its work itself should be subject to a review by a high powered committee.
f) Enough checks and balances are to be built to ensure that the agency is not prevented from fulfilling its designated role through infiltration of the agency at the management or operational level.
g) Apart from IISC, only organizations such as CDAC and DRDO should be involved at the highest policy level and only persons of impeccable integrity and commitment to national security should be part of the core policy making body.
h) The intelligence agencies including NTROÂ Â which have shown their incapability to resist political influence should also be kept out of the core policy committee.
i) Organizations such as SETS which are indirectly controlled by private sector and managed by persons of tainted reputation should also be kept out of the system.
j) The head of the agency must be a statutorily appointed authority with a fixed contractual term and supported by a multimember board again consisting of persons with the requisite background and integrity.
Dr Balakrishnan has an enviable task of suggesting a framework which can undertake the onerous and technologically complex task without compromising on the possible intrusion of commercial and political interests not only now but in future as well.
We hope that the Government would be transparent on the process and let the Dr Balakrishnan recommendation be effectively debated, refined if necessary and implemented in all earnestness.
Naavi of Naavi.org
May 16, 2010