August saw a lot of activity on the telecom security front. Mobile handset brand BlackBerry, Internet giant Google, and Internet telephone service provider Skype all came under the government scanner for their communication services. So did virtual private networks (VPNs), which allow for dedicated secure communication. The government also took up issues regarding telecom infrastructure equipment. And it examined the third-generation (3G) services of Bharat Sanchar Nigam Ltd (BSNL) and Mahanagar Telephone Nigam Ltd (MTNL), which have already been rolled out, and those of other private players, which are yet to go live. In each of these cases, the government wanted access to all the communication moving through their networks.
The BlackBerry issue first. Canada-based Research In Motion Ltd (RIM), maker of the smartphones, has till the end of October to provide the government access, in a readable format, to chat messages on its BlackBerry messenger services across any network, and to the corporate emails that travel secured via encryption through the BlackBerry enterprise services (BES). A server based in India is also being sought.
But the very nature of BES cannot allow the key to the encrypted data to be generated either for RIM or third parties. This unique security feature, and BlackBerry’s major selling point, risks being lost under the current conditions. Hence, security agencies have to take a call on how much of a threat these corporate emails are in terms of inciting or facilitating anti-national acts without being traced to their actual source.
Most corporate accounts have strict, well-defined employee usage norms. The mandate should be stringent verification of such accounts, not banning corporate emails altogether.
Next is the issue of telecom equipment security. The government has raised concerns regarding low-cost Chinese telecom infrastructure equipment being deployed by many operators. There is a fear that these are bugged with listening devices.
In July, the department of telecommunications (DoT), at the behest of the home ministry, circulated a template agreement for equipment security to telecom operators, wherein it wanted them to provide an undertaking that their equipment was clear of all spyware. According to the agreement, existence of spyware or malware would mean a fine of up to Rs50 crore payable by the operator, besides it being subject to criminal action.
Also sought was the mandatory inclusion of a clause for transfer of technology for all critical equipment/software from foreign manufacturers to Indian ones within three years from the date of purchase. In case of non-compliance with the clause, the vendor and service provider would be penalized and subject to criminal proceedings. Further, the source code of the software would have to be stored in an escrow account with DoT.
In mid-August, the Prime Minister’s Office advised a two-month review so that these measures could be aligned with international commercial best practices. However, most of the operators and telecom vendors have serious issues in complying with such conditions.
Third, MTNL and BSNL rolled out 3G services in various parts of the country, including Jammu and Kashmir, in March 2009, but concerns have been raised recently about the voice over Internet protocol telephony, instant messaging and video telephony services. Both these operators have been told to come up with interception solutions for the above features within the next few days, and only then will their services be rolled out. Similarly, private operators have also been told to work to the same yardsticks. Even the watch on Google’s chat service, Skype’s Internet telephone service and VPNs will not be difficult, considering the support that these operators provide to law enforcement agencies.
But by enforcing all these conditions on operators and vendors, will we be able to completely command the ever increasing exabytes (one exabyte is equal to one million terabytes) of data that go through our networks? And will this, in turn, add to network security? The answer to both is a simple no.
There are many factors that need to be addressed before we try to see through all the data traffic. First, the verification process for telecom connections is riddled with holes. This has to be strictly addressed by security agencies. People with forged documents still get connections, and this sloppy registration and verification process is by far the most important point of vulnerability in our telecom security system.
Second, how ready are the agencies in terms of infrastructure and capacity to monitor all telecom and Internet traffic? Instead of the current reactive response, modern data mining and network management infrastructure that can sift through terabytes and exabytes of data needs to be set up, and human resources need to be recruited and trained especially for the purpose.
Third, any piece of equipment is benign till it is active in a network, and the government-approved encryption will disable any kind of spyware.
No doubt section 5 of the Indian Telegraph Act, 1885, and section 69 of the Information Technology Act, 2000, amended in 2008, allow for monitoring and interception of telecom and Internet traffic and content. But, more importantly, the home ministry needs a reality check on how to reach a harmonious balance of efficient business practices and law enforcement. Many countries are taking the same call, and India will be best served to work within reasonable considerations. Otherwise, non-state agents will still have the last laugh while genuine subscribers suffer.
Subimal Bhattacharjee heads a multinational corporation in India and writes on issues of technology and security