India’s invitation to Huawei for 5G trials sparks concerns: Insufficient security safeguards plague telecom sector
If a firm inserts backdoor into hardware—which is the concern being flagged over invitation to Huawei to take part in 5G trials—it is difficult to protect telecom security, say experts.
India’s invitation to Chinese telecom giant Huawei Technologies—a company banned in the US, which has termed it a cybersecurity threat, and from building 5G networks in Australia and New Zealand—to participate in 5G trials has aroused some concern in security and technology establishments.
The move comes eight years after India’s home ministry raised concerns that imported telecom equipment could contain “back doors” and spyware that would allow foreign governments to snoop on Indians, intercept calls or remotely control networks, posing a security threat. Huawei was banned for eight months.
Little has changed over the past decade. India still doesn’t have sufficient safeguards in the telecom sector, which forms the backbone of the digital economy, top security and technology officials said on condition of anonymity. The only thing that has changed is the technology standard — back then, the fear was of Chinese 3G equipment fitted with spyware; now it is Chinese 5G equipment.
The security threat is inevitable: it is a feature of the current capitalist economy that operates through global supply chains and in which the components of a finished product are not manufactured in one location.
If a company decides to insert backdoor into hardware products—which is the concern being flagged over the invitation to Huawei to take part in 5G trials—it is difficult to protect one’s telecom security.
Experts point out two ways that governments can adopt to guard against the perceived security threat. One, set up auditing infrastructure to test and identify vulnerabilities in the telecom equipment before deploying it in the country. Two, develop the capacity to manufacture critical hardware components within the country.
India has not made progress on either front, officials say, and the security threat is not limited to Chinese companies but applies to imported telecom equipment in general.
“The department of telecom and the department of IT (information technology) have failed in setting up credible and reliable security-testing infrastructure which has inspired confidence in foreign vendors in sending equipment to India. The policy exists on paper but has not been implemented,” a top official in the security establishment with direct knowledge of the matter said.
The telecom department promised to set up security testing labs by 2013 in order to test for bugs in network equipment, the official added, but they are still not in place.
And India still imports 90% of its telecom equipment needs. India’s import of parts of mobile phones as well as telecom equipment from China increased from $1.3 billion in 2014 to $9.4 billion in 2017, according to a recent study by the ministry of commerce and industry.
This places India on the back foot at a time when state-driven cyber warfare is no more a theoretical threat. An early 2018 estimate suggested that around 200 publicly known state-on-state cyberattacks have taken place over the past decade, according to David Sanger of The New York Times.
“Hardware security is the most difficult to track and find out. Even indigenous hardware doesn’t give you a clean chit,” said Sethumadhavan Srinivasan, former director of marketing strategy for Huawei Technologies in, India.
“It is important to understand that there does exist a possibility that you could plant some kind of microchips in hardware equipment that can be used as a key to enter the network,” he added
Why Huawei is controversial
Huawei is the world’s largest manufacturer of core telecom equipment. Western intelligence agencies have for long feared that Huawei installs backdoors in its telecom hardware. The recent arrest of Meng Wanzhou, Huawei’s chief financial officer (and daughter of the company’s founder) in Canada on behalf of the US for allegedly violating sanctions against Iran, raised tension between the US and China. She was eventually released.
Huawei says that the fears of secret interception by the Chinese government are unfounded as the company is privately run and is “100% employee-owned”. On 18th December, to further alleviate global security concerns, Huawei announced that it will invest $2 billion over the next 5 years on cybersecurity.
“So many years, so many telecom operators, so many countries—someone should have already found the back doors in our products,” Huawei India CEO Jay Chen said in an interview.
Chen said security issues over Huawei equipment have been raised by the US and its allies -- the so-called Five Eyes -- Australia, Canada, New Zealand, the United Kingdom and the United States. The current debate, he argues, is because of Huawei’s dominance in 5G, a technology in which it is “ahead of all Western companies”.
“Huawei’s operations in Germany, France and Japan is business as usual,” he said. “The ongoing controversy is only about politics. Not about technology, not about security, not about the commercial aspects. Just politics,” Chen said.
To build trust and infuse confidence among stakeholders over the last eight years, Huawei India’s Chief Security officer Debabrata Nayak said they had complied with “each and every regulation as part of the telecom security policy issued by the Indian government” and “till date, not a single incident has been found where we have been caught in the wrong.”
“The good thing is that this time, in India, the industry is much more mature. Because of our transparency, our security controls, and the efforts that we have put in, the Indian industry has the confidence in our company,” Chen said.
The security official cited above said India needs to be prepared for the security challenge irrespective of the source of telecom equipment. The American ban on the Chinese companies should be looked at in the larger context of the ongoing trade war between the world’s two biggest economies, the official said.
“From India’s perspective, the threat is not limited to Huawei or other Chinese companies. Issues have been discovered even with Cisco equipment as well,” the official added. “Installing backdoors and vulnerabilities in hardware equipment is an established practice by all countries. These backdoors act as silent and vigilant sleeper cells.”
India is neither capable of participating in building such equipment nor is it capable of testing what’s coming into the country, the official added.
Cisco could not be reached for comment despite repeated attempts to contact them.
India’s telecom service providers and local equipment manufacturers have diverging views on the issue.
Last week, the Telecom Equipment and Services Export Promotion Council (TEPC), a government-promoted telecom equipment manufacturers’ group, requested national security advisor Ajit Doval to ban Huawei and other Chinese companies in the interest of national security.
In response, the Cellular Operators Association of India (COAI), which represents telecom service providers, , defended Huawei and requested the government to not take any “arbitrary” action. “We acknowledge and appreciate Huawei being one of the major companies at the forefront of 5G innovation. They are suitably equipped to prepare operators and industry to build 5G capabilities in operations, in organization, and most importantly, in the ecosystem, that they are fully compliant with all government requirements,” Rajan S Mathews, the director general at COAI, said in a statement.
Critics argue that Indian telcos support Chinese manufacturers as they provide cheaper equipment and other incentives and a ban will raise their costs.
“Overarching security of the network and cybersecurity is not possible unless we improve our technical prowess and manufacturing capability in this country which is only possible through the concerted effort of all agencies and we removing all bureaucratic strongholds in the Indian industry. Our thinking is not far-fetched,” Ram Narain, who had charge of telecom security at the Department of Telecom (DoT) from 2007 to 2014, said in an interview. DoT functions under the ministry of communications.
Why is India lagging?
“In 2007-08, there was hardly any awareness about the criticality of the telecom equipment,” Narain said.
“We did not want a blanket ban right from the beginning. If you ban imports without creating adequate indigenous capacity, it will introduce a supply constraint,” he explained. “The challenge confronting us was how to take care of security while not disrupting the supply.” The Indian government then devised plans for auditing telecom equipment and boosting indigenous manufacturing.
In May 2011, India issued comprehensive guidelines for telecom security. It was mandated that only those elements shall be inducted into India’s telecom network that have been tested according to Indian or International security standards.
“It was planned that until India gets an in-house testing infrastructure in place, we will rely on testing reports from other countries. But eventually, it is crucial that we test within India,” Narain said. International testing was just an interim solution.
But seven years later after the guidelines were formulated, India still doesn’t have adequate testing equipment in place. “DoT has failed in addressing emerging issues, known since 2011,” the security official quoted earlier said on the condition anonymity. “They promised to install infrastructure in 2013 but they kept on extending the dates.”
In December 2012, the then minister of communication and information technology Milind Deora told Parliament that “from 1st April 2013 the certification [of telecom equipment] shall be got done only from authorized and certified agencies/labs in India.” In December 2015, the ministry said that the date was set to April 2016. Most recently, in September, the government again extended the deadline from October 2018 to April 2019.
On November 15, the government inaugurated the “Security Standards Facility of the National Centre for Communications Security, Department of Telecommunication” located in Bengaluru. This Centre will facilitate “security testing and certification of equipment, security audits, threat intelligence and reporting of security incidents.”
Huawei executives said that the company is “fully prepared” for the testing process in the new lab .
But the security official said the facility launched is “mundane” and doesn’t meet India’s requirements. “It is like setting up a primary health care centre at a time when we need hospitals with high-end diagnostic machines,” the official explained.
Narain, the former telecom security chief, said: “Bureaucrats and politicians get influenced by people from Cisco, IBM and other vendors. They come and meet them to say that the requirement of security testing labs is unnecessarily creating barriers.”
DoT did not respond to HT’s request for comment.
Narain believes that the ultimate solution lies in boosting telecom manufacturing in India. “However good labs you may establish, however good equipment you may have, it is impossible to screen out millions of equipment to test each and every one of them that no hardware or software bug is there.”