Last week, the New York Times reported that telecom behemoth AT&T caved in to pressure from US authorities to rescind its agreement with Huawei Technologies to distribute its ‘Mate 10’ smartphone. The move stems from concerns voiced by US lawmakers to the Federal Communications Commission, pertaining to Huawei’s role in supporting Chinese cyber espionage activities. This situation has consequences for India, a market where Huawei is among the dominant telecom equipment suppliers already, and where it seeks to build its smartphone business.
Reports suggest that Washington is urging AT&T to end commercial ties with Huawei, and is also considering ways to halt Chinese telecom operator, China Mobile Ltd, from entering the American market. Further, Republican lawmakers have also introduced a Bill, which could bar the US Government from contracting or utilising Huawei and ZTE — another Chinese telecom firm — owing to national security threats. This is not the first time the US has acted on such threats. In 2012, the US House of Representatives commissioned an investigation into national security threats faced from both Huawei and ZTE — particularly threats posed to the resilience of critical information infrastructures.
From an Indian perspective, these developments mirror domestic security concerns and implicate flagship development schemes like ‘digital India’. Huawei has also placed bids with the Indian Government for infrastructure projects for the ‘Smart Cities’ initiative, and sells about one million phones locally under its ‘honor’ brand, annually. Enabling policy and market conditions have allowed India to generate over 1.2 billion mobile phone connections and it is consequently the second largest smartphone market in the world, with over 300 million devices. However, for such a massive digitalisation drive to be sustainable in the long term, ecosystem integrity in the telecom sector is a prerequisite.
Indian decision-makers must remain mindful of the dominance of Chinese firms in India’s smartphone and network equipment markets. For instance, by the first quarter of last year, such firms had already captured more than half of India’s smartphone market. Similarly, security experts have previously voiced concern that over 60 per cent of software and hardware utilised for telecom, including what is used by BSNL, is sourced from either Huawei or ZTE. These concerns are compounded by the fact that in 2014, Huawei had been probed for allegedly compromising BSNL’s network. In 2010, a comprehensive joint report by the Information Warfare Monitor and the Shadow Server Foundation found that Chinese cyber espionage activities (similar to subsequent US concerns) have systemically compromised critical networks in India. Evidently then, instances of cyber security threats originating from China are not new for India.
More recently, the Indian Air Force has also been reacting to national security threats posed by Chinese smartphones. For instance, in the wake of findings made by security solutions firm F-Secure, revealing that Xiaomi phones relay sensitive user information to servers in China, Air Force personnel were advised not to use the company’s products. China’s State Security Law explicitly allows any state organ of the Chinese Government to access any electronic communications or related data, stored by companies that are headquartered within its borders. Further, it has also emerged that both Xiaomi and major smartphone brand One Plus devices have been found to contain pre-installed backdoors which make their devices vulnerable to hacking. One Plus has also been found to collect sensitive user information, including IMEI numbers, phone numbers and names of mobile network operators, without prior informed consent — contravening accepted data collection and processing norms.
The (in)security of India’s smartphone ecosystem came up at the highest levels of Government and law enforcement last year. In the context of data security, the nodal Computer Emergency Response Team ie CERT-In, directed 21 smartphone manufacturers, mostly Chinese, to furnish details with respect to security practices, frameworks, standards and processes, followed by the concerned enterprises. Moreover, in the wake of the border standoff at Doklam, the Ministry of Defence advised military personnel to uninstall and remove around 42 mobile applications (predominantly Chinese), classifying them as spyware.
Most advanced jurisdictions are dealing with such threats through appropriate standard setting and testing procedures. Similarly, India’s Ministry of Communications released a notification in September last year, mandating prior testing and certification of equipment for telecom networks. However, these rules shall only become enforceable in October 2018, by which time, Chinese dominance of telecom supply chains will only be reinforced.
Emergent security requirements should reflect international standards designed by expert organisations like the ISO, IEC, IETF, and IEEE. Unfortunately, India’s participation at such standard development organisations, especially in the context of network and information security, remains less than desirable. Given that Chinese industry is actively influencing standard setting conversations, as observed with Huawei’s attempted agreements with AT&T, to develop 5G network standards, it becomes imperative that India targets strategic capacity-building on this front, along with industry counterparts from friendly countries. International summits, such as the one in Davos, should be treated as opportunities to build requisite relationships in this regard.
Most importantly, India lacks testing processes to ensure that smartphone devices adhere to cybersecurity standards. The current testing and certification framework under the Ministry of Electronics and Information Technology’s ‘Compulsory Registration Order’, only envisions phone safety through the prism of generic safety requirements, like fire, heat and chemical hazard testing. This void, if not mitigated at the earliest, poses a grave threat and amplifies opportunities for bad actors, either state or non-state, to disrupt India’s communications channels and potentially compromise data privacy. Recent reports suggest that the Government has recognised this gaping hole in current policy and is actively developing cyber security standards for mobile devices to be published for consultations this year. Reports also suggest that the Ministry of Home Affairs is developing a Cyber-Forensics Lab to help secure digital ecosystems.
While designing standards and testing requirements, India can learn from the approaches taken by other members of the international community. For instance, jurisdictions like the UK and Singapore, develop device and application cybersecurity standards using principles of Security-by-Design (updated throughout product lifecycles). More specifically, testing benchmarks tend to be based on international computer security certification standards developed by the ISO and IEC, namely the Common Criteria for Information Technology Security Evaluation. Further, in order to ensure robustness of such processes, both these countries have embraced working arrangements with security experts.
India must follow an inclusive and strategic approach to protect its telecom ecosystem, without compromising on the growth of markets, or the enthusiasm for flagship schemes which can give impetus to private investments. Indian law enforcement agencies are already used to working with non-government institutions and external experts and, therefore, there is a template available for a dynamic private-public partnership approach to cyber security. However, a formal and inclusive feedback loop is also needed for facilitating information exchange, confidence building with industry, and strengthening institutional capacities. To this end, India would do well to borrow from experiences of friendly countries rather than reinventing the wheel.
(The writers are technology policy consultants at Koan Advisory Group, New Delhi. Views expressed are personnel)