Plugging the chinks in India's cyber armoury necessary

The Computer Emergency Response Team (CERT-In), India’s cybersecurity agency, detected a surge in cyberthreats in the form of ransomware attacks during the India-Pak stand-off.
Dubious: A large number of SIM cards currently in use in India have not passed through the ‘trusted source approval’ mandated by the National Cybersecurity Coordinator. istock

EVEN as missiles were being fired and drones flying towards strategic locations brought down during the India-Pakistan face-off last week, attempts were being made to disrupt key operations far away from border areas. The Indian Computer Emergency Response Team (CERT-In), India’s cybersecurity agency, detected a surge in cyberthreats in the form of ransomware attacks, distributed denial of service (DDoS) incidents as well as defacement of websites of some defence entities, data breaches and malware infections.

Such attacks are considered a significant risk to the integrity, confidentiality and availability of systems and services. The agency released an advisory on cyberattacks with a high severity rating. Based on the advisory, the Bombay Stock Exchange and other financial agencies alerted their members and market participants. Necessary measures were advised to review cybersecurity frameworks and take steps for the protection of critical digital infrastructure.

The security of digital services such as banking, stock markets, financial services, benefit transfer and e-education depends on the security of the backbone — telecom and Internet infrastructure. This, in turn, depends on the security of hardware, software and networks. A breach at any level in the backbone can potentially affect millions of people, as nearly 1.15 billion Indians use telecom networks and services riding on them. Minimising the risk of security breach would mean making every part of hardware and software safe — from telecom networks and cloud servers to mobile phones and security cameras.

In recent years, the import of critical telecom network equipment like switches, routers, repeaters and gateways, either directly from Chinese companies like ZTE and Huawei or with components sourced from them, has raised the alarm in many countries, including India. Such hardware comes with onboard software, factory settings and default passwords and poses a grave security risk.

Realising this hazard, the Joe Biden administration launched the ‘Rip-and-Replace’ initiative in 2021 to remove and replace Chinese equipment from operational telecom networks. Some EU member states have also taken steps to limit or exclude Chinese players from participating in their 5G networks. Experts have suggested a similar initiative in India because, despite government restrictions on Chinese equipment, many suppliers continue to source telecom equipment from Chinese companies.

A study conducted last year by the Voice of Indian Communication Technology Enterprises (VoICE), an industry group, warned that many Chinese-origin products, including security-sensitive ones, were allowed to be included in government and PSU procurement. Government agencies are supposed to procure their requirements from the Government e-Marketplace (GEM) portal. Unscrupulous traders source equipment from China, route it through Singapore or Thailand, integrate it locally and then list it as a ‘Made in India’ product on GEM. It was noticed that government agencies, including defence units, were procuring drones from the GEM portal, and some of them were of Chinese origin.

Unmanned aircraft systems or drones involve complex interactions between hardware, software, communications systems and operational procedures — each of which may have vulnerabilities that can be exploited by malicious actors, according to an analysis done by CERT-In. For instance, malicious code could be installed on a drone’s firmware systems, leading to persistent malware injection, unauthorised access, data theft or disruption of operations. Malware can be injected through compromised updates or remote service access. Therefore, access to the source code is important for any sensitive equipment, and this is possible when the supplier is based in India.

Suppliers also take advantage of gaps in standards and regulations. For instance, some 450 companies were found selling security cameras on the GEM portal in the absence of any national standard. After quality, safety and cybersecurity standards were developed under the STQC (Standardisation Testing and Quality Certification) system and enforced, only 13 companies qualified.

Even the smallest piece of the telecom system, such as a subscriber identity module (SIM) card, may be vulnerable because it has embedded software or operating systems (other than the operating system of the mobile phone). Mobile phone companies procure chipsets used in SIMs from different sources, including China.

A large number of SIM cards currently in use in India have not passed through the ‘trusted source approval’ mandated by the office of the National Cybersecurity Coordinator in the National Security Council. Some of these SIMs may be in the phones used by people in sensitive positions and locations, posing a significant risk. Only recently, the government began addressing this issue. The way out would be to replace millions of such SIM cards and mandate the use of an Indian operating system. The memory of paging and walkie-talkie devices exploding in Lebanon is still fresh.

In the past, we have had instances of free email services, the Chinese scanning software CamScanner (now banned) and video-conferencing software with security risks being used in sensitive government offices. Now, India is likely to approve high-speed satellite Internet service offered by Elon Musk’s Starlink. It was held up so far due to security concerns.

In November last year, Indian agencies that made a huge drug seizure in the Andamans found that the fishing vessel involved in the operation was using a Starlink Internet device. In Manipur, too, security agencies seized a Starlink device along with weapons in a raid on an armed ethnic group. These incidents, occurring in the absence of Starlink officially providing its services in India, show how rogue users can bypass any regulation relating to Internet access. Concerns relating to cross-border espionage as well as industrial espionage have also been raised in many countries.

All communication services are vital national infrastructure that should not be allowed to be operated by foreign entities or be dependent on foreign equipment with embedded operating systems without full safeguards. For operating systems and embedded software in hardware like drones or satellite terminals, we should demand access to the source code. Domestic solutions should be procured wherever available. Cybersecurity of all civilian as well as strategic communication systems is as vital as the ‘iron dome’ to protect the Indian airspace.

Dinesh C Sharma is a science commentator.
