Pre-purchase Security Testing for Telecom industry - DoT_MHA_PMO playing tag

Another day another fiasco and we are witness to some governmental “jaana tha Rangoon pahunch gaye cheen...“ (a ditty from an old Bollywood movie meaning I wanted to go to Rangoon but reached China) sort of action.

Am quoting three articles that are referred and show the uni-directional forces that are acting in this multi zillion rupee valued domain. 

Aug 10, 2010 (DNA, Mumbai)
Tele-equipment imports delayed on security reasons

Aug 11, 2010 (Times of India, Mumbai)

Home ministry tells DoT to put 3G on hold

Aug 13, 2010 (Times of India, Mumbai)
PMO reverses DoT steps on equipment

For sometime there has been a lot of ‘noise’ about hardware and software used in the telecom sector and the risk this poses to national security. Reports have surfaced about Trojans, spyware and cyber espionage and a lot of sabre rattling ensued.

Then  as per the news report of Aug 10, 2010 the Department of Telecommunications (DoT) asked the suppliers to be ISO 27001 compliant and then goes on to state obvious ISMS goals. Hello Mr TRAI – how does this resolve the national security issue? I mean you are asking the company to be ISO compliant and that will just make their internal processes secure and efficient etc but it does not provide the remediation to your risk.

Reminder... your risk is national security and not the lack of security in the supplier’s organization. You seem to have lost focus.

The good thing is that they have also said quote "...submission of test reports, equipment configuration requirements, report on susceptibility to the attacks on GSM and CDMA networks, security from malware, cryptography related security issues." Unquote. 


Well the Home Ministry then said that 3G cannot happen if the telecom vendors do not meet the security requirements expected by government. Why didn’t government think about this pre-condition earlier but more about this later....

Today (Aug 14, 2010) it is reported that the PMO (Prime Minister’s Office) has, for all practical purposes, reversed the DOT’s stand by saying that operators are free to either go with the “earlier security vetting regime” or with the “new agreement base regime”. Good for the operators and their vendors and for the PMO.

I am not against security - but reactive and flip-flop positions by a responsible government body is not good for business or for the country. The same media report quotes 'babus' going on record saying that they are “mere postmen”. The government and concerned departments do deserve a wake-up call with respect to arbitrariness.

National security is not something to be trifled with – whether in the conventional sense or in respect of technology. Telecom companies have security knowledge and expertise and their internal controls are pretty good. They could have easily provided inputs to government to build strong requirements in the first instance - when they were conceptualizing the policies for telecom rollout, bidding etc.

On investigating DoT directives I find that they have been thinking about this since 2005 when they proposed to set up a Telecom Testing and Security Certification Centre (TETC) (Outcome Budget 2006-2007). 

Then why have they started making these demands since Feb 2010 - demands for  pre-approval of companies and products that want to supply to Indian telcos. Sorry! They did not even think about it (the need for national infrastructure security) until we read a media report about the malicious activities of hackers uncovered by foreign universities.

Since 2005, the TETC has been handed over by DoT to C-DoT and the 2010 - 2011 report says that they have developed testing guidelines. Unfortunately the  C-DoT site does not mention TETC so there is nothing about the testing business.  

For the security clearance, DoT has a simple form where the vendor has only got to give some information about the product and company and they will give a clearance in 30 days, else it can be assumed certified. On what grounds will DoT provide assurance to the public that this is secure ... this is a mystery. 

India is considered to be a super power in the realm of Information Technology and we continuously fail to demonstrate our leadership. So may reasons and incidents but I do not want to digress. In any case, it seems that we, as a country, are unable to define essential security baselines for capital assets meant to run our critical infrastructure.

What is needed is a firm set of security guidelines and standards that define the expectations of the government in respect of hardware and software. The government cannot expect EVERY company to provide it with their source code and this is a ridiculous demand. If the company does provide them with source code, does the government have the guts to provide adequate assurance and insurance against loss or leakage? It dare not!

What is needed is to develop adequate capability for hardware and software testing at various government labs at NIC, STQC, NTH etc., or, to recognize / authorize private institutions. These labs would undertake the testing of hardware and software, in accordance with the requirements defined in the security guidelines. The TETC lab that is proposed is a great thing, but it does not seem to be happening... and how long will be the wait.. and can we expect an incident in this interim? 

Companies wanting to supply hardware / software to telcos, defence establishments and other areas can put their products through the testing procedure at approved labs and obtain version level certification from a designated authority (CERT can easily take care of this and it is well within their mandate).

The methodology is easy to set up and can be made applicable to installed and proposed infrastructure - whether Indian or foreign. The government can allow the companies to register the list of assets and provide them with a time frame to comply. Change is not easy and the government did not take the opportunity to build security in - now it is bound to be a difficult task and all along the way there will be many more instances of different orders from different ministers !

High time, a proper security framework was developed and DSCI can help since they have done a pretty big and good job in developing the Data and Privacy frameworks. Whatever is done and who ever does it - DoT, TRAI, C-DOT, MHA, PMO... please do this quick before some new reports crop up about malicious attacks and espionage. 

  

Labels: , , , , ,