India Wants Home-Grown Products for Telecom SecurityGovernment Designates C-DoT to Develop Security Products
In the wake of increasing cybersecurity concerns, the government of India wants to leverage indigenously developed security solutions to protect telecom networks. But some security experts say that could prove difficult.
"The security products will be developed by Centre for Development of Telematics, or C-DoT, which is considered India's telecom research and development wing," Telecom Secretary Aruna Sundararajan said at a news conference. "The same will be transferred to localized manufacturing partners to undertake commercial production, which would cut down reliance on multinationals."
"C-DoT has a role to play in ensuring telecom infrastructure security, which is an important focus area for us to address," Sundararajan said, adding that the department is in the process of deploying C-DoT core products to safeguard telecom networks in India.
C-DoT and Sundararajan did not respond to ISMG's request for comments.
While security leaders commend the government's decision to leverage indigenously manufactured products for security reasons, they say this could prove difficult to achieve because telecom companies in India generally use security products made by companies in the U.S., Israel and UK.
"Despite having reasonably good security product companies in our country, not all telecom players are ready to entrust them with the security of their core infrastructure," says one security practitioner who asked to remain anonymous. "This is primarily because nobody wants to take the first step to trust their security with a new company."
Almost all mobile devices come with preloaded software and apps that have their own inbuilt security protocols. The government wants that steps must be taken to ensure that required data security measures are taken for both hardware and software in mobile phones. "This would also imply that in the future, most mobile manufacturers would have to have a product manufacturing unit in India," says Inderjeet Singh, a consultant CISO who serves some telecom firms.
"As it appears, C-DoT would be the nodal agency for R&D on security protocols, which would then be shared with device manufacturers for implementation, though at a cost," Singh says.
Many security practitioners in India are hopeful that telecom companies will eventually rely more on domestic security products because of the potential to minimize risks.
"The possibility of intelligence agency collusion and presence of backdoors is notionally reduced when it comes to local solutions," says Sahir Hidayatullah, CEO of Smokescreen. "This is two-fold. One is that an Indian entity is logically aligned to Indian national interests. Additionally, for critical sectors such as telecom, the ability to 'trust but verify' is higher when it comes to local solutions."
Others say the move will also lead to more foreign direct investments in this sector.
"I think if we look for products manufactured indigenously, it will help create employment in a niche area and attract FDI [foreign direct investment] in this space in a longer run," says Dhruv Khanna, CEO at Data Resolve.
Indian companies need to start developing a range of security solutions that detect targeted threats on the corporate network, which are often overlooked but are the starting point for many APT attacks, security experts say.
Factors Influencing the Shift to Domestic Solutions
Espionage by nation-states has steadily shifted from a reliance on human intelligence to electronic intelligence gathering.
Telecom networks are the core technologies used for communication today, so they are the focus of electronic intelligence gathering. Therefore, the government's decision isn't a surprise, given that many nations are making a move toward using locally developed products to secure their core network or critical information infrastructure.
"Every country, given the risk of ICT supply chain, cybersecurity issues and masked surveillance, is taking the effort secure assets owned by it," says Rahul Sharma, senior consultant at DSCI.
In the U.S., for example, government agencies have been told to avoid using products from Kaspersky Lab out of fears that the Russian-based firm has ties to the government there.
"The department of telecom in India has had this concern for the longest time - most of the telecom equipment used in India comes from Chinese manufacturers such as Huawei, ZTE, etc.," says K.K. Mookhey, founder of Network Intelligence. "Huawei was banned in the U.S. a few years back due to backdoors being found in their gear So while 'Make In India' is definitely one of the goals, the other is to ensure that the products deployed to protect our networks do not themselves have undocumented backdoors that might allow foreign governments to snoop on our traffic."
Telecom Sector's Readiness
Several telecom companies contacted by Information Security Media Group declined to share their views on whether they would trust an Indian player with their core security.
But an IT manager for security at one telecom company in India, who asked not to be identified, says implementing locally developed security solutions will take time. "C-DoT first needs to build a proper encryption standard for the telecom companies in India," he says. "There isn't any currently. ... Things will remain the same at least for the next two years."
The telecom IT manager says that although the company where he works is contemplating using a local security product, it won't be used for its core infrastructure. "I don't want to be seen as an outlier," he says. "The global companies have been there for years, and it makes complete sense to trust them with our security."
Challenges in Meeting Demand
The government has yet to spell out the next steps it intends to take.
"The specifics of this initiative are unclear," Hidayatullah says. "However, our experience is that for it to succeed, a public/private partnership is essential. The government can bring resources and use-cases, while the private sector contributes top talent and know-how."
Some other security practitioners also say C-DoT alone can't do much, so a change in the entire ecosystem is needed to promote local companies. One key step, they say, would be to provide adequate government funding for security.
For example, the government last year announced a INR 1000 crore fund for cybersecurity research and development. "Until now, I am not sure how much of that has been put into actual use," says the founder of one of the security product companies in India, who asked not to be identified.
Other security experts say that India isn't in a position where it has enough technological solutions to manage everything. "It's not only about replacing current products with local ones. We need to develop products which take into account changing technological developments," Sharma says.