In a landmark decision, the Cabinet Committee on Security has taken steps to strengthen the security of telecom networks in India.1 Henceforth, it will be mandatory for the telecom network providers to use only ‘trusted products’ from “trusted sources” only. The criteria for defining a trusted product or a trusted source will be developed soon.
By Arvind Gupta
With the emergence of new technologies and the expansion of digital networks, cyber security challenges are becoming more complex. Cyber attacks involving ransom ware, data and identity theft are growing exponentially. They pose a serious threat to national security. According to government figures, India is the third most attacked country in the world. It lost nearly Rs 1.24 lakh crores or about $15 billion in cyber crime alone during 2018-19. That is a staggering amount, constituting about half a percent of the GDP! The government has also revealed that Indian networks experienced 700,000 cyber attacks during 2019-20.
The new two-tier institutional structure approved by the Cabinet comprises of a “Digital Authority” to be headed by the National Cyber security Coordinator in the National Security Council Secretariat. The Deputy National Security Adviser (Dy NSA) will head a National Security Committee on Telecom (NSCT) to advise and supervise the Designated Authority. NSCT will have officials as well as independent experts as its members. The government hopes that the new structure will address 5G and supply chain security concerns. According to the official press release, a list of ‘trusted sources/trusted products’ will be prepared for the guidance of telecom service providers. Certain criteria will be notified. Indian manufacturers who meet these criteria will be given Preferential Market Access to Indian telecom networks. This will encourage indigenous production of reliable cyber security products.
Indian telecom networks are already using products and components whose reliability from the cyber security point of view is questionable. The telecom service providers will not be required to replace the existing products nor change their annual maintenance contracts. The directive applies to future products only. Thus, some vulnerabilities will remain.
The National Security Directive assumes importance in the context of the recent controversy about Chinese telecom giant Huawei, a world leader in 5G telecommunication equipment. Huawei has been banned in several countries on national security concerns. Many Indian networks use Huawei products. The government has clarified that the New Security Directive is not directed at any specific nation. The clarification is important. It remains to be seen whether the government classifies Huawei as a ‘trusted’ source or not.
The National Security Council Secretariat needs to be complimented for this pathbreaking initiative to strengthen telecom security. This is the first time that a Cabinet decision is being described as a “National Security Directive”. National security directives are common in the US. The use of the term National Security Directive for a Cabinet decision is new in India. This shows that the National Security Council Secretariat is beginning to acquire the authority that it deserves. Hopefully, there will be more national security directives in the future.
However well-meaning maybe the directive, its implementation will be the key. Presently, India lacks adequate technological infrastructure to test new products and technologies for cyber security vulnerabilities. Not enough investment has been made in setting up the testing labs and facilities. Testing is a highly complex and technical effort. Hopefully, the directive will spur greater government and private sector investment in the new testing infrastructure. The government should ensure that there is transparency in the criteria being used for designating certain products and the sources as trusted. In the United Kingdom, the National Cyber Security Centre certifies cyber security products, skills and training for use by the companies. A similar certification system might evolve in India in due course.
The cyber security policy of 2013 had envisaged the establishment of a robust testing infrastructure in the country but not much has been done so far. There was also the provision for adopting a ‘common criteria’ system whereby products tested in the laboratories and institutions of other countries with whom India has an agreement could also be adopted in India. The common criteria system would need to be strengthened.
The private sector and the government sector should come together to create standards, protocols and testing facilities for classifying products as ‘trusted’. One should hope that the setting up of a designated authority will give a boost to the further development of reliable indigenous cyber security products and technologies. The new cyber security policy which the NSCS is spearheading will hopefully provide sufficient incentives to boost to the growth of an indigenous cyber security industry.
This article first appeared in www.vifindia.org and it belongs to them. The author is a research associate with VIF.