Cloud Hosting

Text Size:A- A+

Over the last couple of months, the Narendra Modi government has proactively issued orders and advisories that implicate routinely used digital platforms. On 12 April 2020, the Ministry of Home Affairs Cyber Coordination Centre issued an advisory, which asked government officials to avoid using Zoom, a popular video conferencing app. The governments advisory came after the company admitted that some calls were mistakenly routed via China. Media reports claimed that hackers broke into a Zoom meeting and posted obscene content.

On May 18, the Department of Telecommunications (DoT) banned WeTransfer, a service used to transfer heavy files, according to multiple media reports. In both instances, the Modi government did not reveal the technical details behind its decisions. The Cyber Coordination Centres advisory simply said that Zoom was not safe to use and outlined steps individuals should take to ensure the security of their virtual meetings. The DoT order said it banned WeTransfer in the interest of national security or public interest.

Also read: Taxes without borders: Govt revises tax on digital transactions, but ambiguities remain

Such decisions heighten the need to create a robust testing mechanism for certain applications, whose security (or lack of it) might directly affect users. The coronavirus crisis and consequent lockdowns have forced people to work remotely. As a result, they expect stable, secure and efficient applications, which help them transfer files, conduct conferences, share screens, manage large projects, and use cloud storage services. The Ministry of Electronics and Information Technology (MeitY) is supposed to develop policy and regulatory frameworks for electronics and issues related to them, in accordance with government rules.

In this context, a MeitY Compulsory Registration Order, in effect since July 2013, aims to improve the quality of electronic goods available in India. This framework mandates that products such as mobile handsets and set-top boxes, among others, also be tested. Besides MeitY, the DoT also has a testing regime. In 2017, an amendment to the Indian Telegraph Rules created the Mandatory Testing and Certification of Telecom Equipment (MTCTE) procedure, to test and certify this hardware, prior to its sale or import in India. The Telecommunications Engineering Centre (TEC), under the Department of Telecommunications, administers this process. The safety of equipment with radio interface, its immunity to electrostatic discharge, operating frequency, output power and conformance to receiver and transmitter parameters, are some aspects that are tested as part of this process.

Critically, the focus of both the MTCTE regime and MeitYs Order is limited to testing only network hardware and consumer devices. These exclude the testing of digital applications such as Zoom and WeTransfer completely. International standards, designed by expert organisations such as the International Organisation for Standardisation (ISO), the International Electrotechnical Commission, the Internet Engineering Task Force, and the Institute of Electrical and Electronics Engineers are reflected only in parts of Indias domestic standards and testing frameworks.

Unfortunately, the countrys participation in these global bodies, especially in the context of network and information security, remains limited. For instance, India sent a small three-member delegation to ISOs Committee on IT Security techniques in 2015. A small delegation size means that each member has outsized responsibilities and is unable to match the depth and breadth of representation of their counterparts from other countries. As a result, they often have to choose between two parallel negotiation sessions that cover different aspects under consideration at such fora.

The 2017 list of equipment/products to be examined under the MTCTE included software and service applications. However, the latest list includes only hardware equipment such as Internet of Things (IoT) gateways, tracking devices, smartwatches and equipment that operates under 2.4 GHz and 5 GHz frequency bands. Software and service applications do not find a place in it, despite the apparent need.

Also read: India can be a digital economic powerhouse if new IT Act removes ambiguity around e-commerce

Despite being notified in 2017, the MTCTE regime came into effect only in October 2019. This delay was primarily due to the ambiguity over the status, functioning, capacity and competence of TEC-designated laboratories. According to the MTCTE, TEC-recognised labs and facilities, designated as Conformity Assessment Bodies (CAB), are to test and certify equipment. Although the TEC targets having over 100 such facilities pan-India, it has, thus far, recognised only 54 CABs.

Such labs should possess the ability to disassemble telecom gear and review the components at application and hardware levels. At present, these labs test and certify specific telecom products, against specific standards. For instance, the capacity of a lab may be limited to testing only switching systems. Consequently, it is unlikely that a single lab can test multiple products.

Multiple stakeholders have highlighted concerns about their capacity shortages. In 2018, almost 70 mobile phone companies, including Samsung, Oppo, and Micromax, wrote a letter to the DoT highlighting challenges such as lack of testing infrastructure and limited number of test labs. The DoT appears to have recognised some of these deficiencies, which could be a reason why the MTCTEs implementation was delayed. To date, the TEC has notified that only six equipment, including fax machines and cordless telephones, should be tested an indicator of capacity shortages.

Also read: India has to toe a fine line in defining non-personal data between public interest and IPR

India can learn from the approaches of other countries in order to better design its own framework. Jurisdictions such as the UK and Singapore use the principle of security-by-design (updated throughout product lifecycles), to develop device and application-level cybersecurity standards. More specifically, testing benchmarks tend to be based on the ISO and IECs Common Criteria for Information Technology Security Evaluation. Further, in order to ensure robustness of such processes, both countries have embraced working arrangements with security experts.

Global best-practices can also serve as a guide to manage inadequate testing capacities. For instance, countries such as Australia, Singapore, UK and the US have tied up with Information Security Assurance experts CREST for cybersecurity accreditation and certification arrangements. Germany has an independent trust centre (TViT), which assesses ICT security against globally recognised standards and criteria. The centre closely collaborates with other cybersecurity testing authorities from countries such as the US, Japan, Netherlands and Switzerland. Most importantly, TViT works in close coordination with various security laboratories.

As workforces across geographies migrate online, they will expect a secure virtual office environment, in which trade secrets are protected, conversations arent intruded upon and data isnt misused. Employers and industries, for whom virtual offices are a new reality, will expect the government to evolve standards on which digital work environment applications are reviewed.

The first step to set those standards is to expand current testing mechanisms to include critical software applications, in line with global best-practices. Such a move will help address cybersecurity concerns, ensure certainty in the app ecosystem, and create consumer awareness. For India to assume a leadership role and craft a template for the future of work, it must set standards to assuage the concerns of its digital workforce.

The authors work at Koan Advisory Group, a technology policy consulting firm. This article is part of ThePrint-Koan Advisory series that analyses emerging policies, laws and regulations in Indias technology sector. Views are personal.

Read all articles in the series here.

ThePrint is now on Telegram. For the best reports & opinion on politics, governance and more, subscribe to ThePrint on Telegram.

Subscribe to our YouTube channel.

Read more from the original source:
Indias digital workforce needs secure software. Testing, not banning apps, is the answer - ThePrint

Eric Schmidt, former executive chairman of Alphabet

Photo by Bloomberg

Huawei is a national security risk and has engaged in unacceptable acts like routing network information to the Chinese government, former Google CEO Eric Schmidt has claimed.

"There's no question that Huawei has engaged in some practices that are not acceptable in national security," Schmidt said in a documentary to be aired on BBC radio.

"There's no question that information from Huawei routers has ultimately ended up in hands that would appear to be the state," he added. "However that happened, we're sure it happened."

The telecommunications giant has often been accused of posing a risk to national security, with U.S. officials worried it could enable Chinese espionage. Washington has put significant pressure on allies to bar Huawei from accessing their next-generation 5G mobile networks. The U.K. is now reviewing a decision to allow the firm a restricted role in its 5G rollout.

Experts say that Huawei would haveno choicebut to hand over network data to Beijing if it is requested due to Chinese espionage and national security laws. But Huawei has repeatedly denied accusations that it passes data to Beijing and insists it's independent from government.

The firm hit back at Schmidt for his comments Thursday, disputing the suggestion that it hands customer data to the Chinese authorities.

"The allegations made by Eric Schmidt, who now works for the US government, are simply not true and as with similar assertions in the past, are not backed by evidence," Huawei Vice President Victor Zhang told CNBC.

Schmidt, who led Google from 2001 to 2011, is now chair of the Pentagon's Defense Innovation Board.

In his interview with the BBC, he said he had previously held "prejudices" about China, such as the belief that tech firms in the country are "very good at copying things." He added that these prejudices now "need to be thrown out."

"The Chinese are just as good, and maybe better, in key areas of research and innovation as the West," Schmidt told the U.K. state-backed broadcaster. He urged Western countries to keep pace with the world's second-largest economy by investing more in research funding, ensuring increased public-private sector collaboration and remaining open to international talent.

It's not the first time Schmidt has commented on China. In 2018, the billionaire warned of a "bifurcation" of the internet into two separate models one led by the U.S., and the other by China. He also admitted to having advocated for Google's work in China when it originally pulled out of the country. Google nixed plans to launch a censored search engine in China in 2018 following outrage from employees.

For more on Schmidt's views about Huawei, read the BBC's report here.

More:
Former Google CEO Eric Schmidt says there's 'no question' Huawei routed data to Beijing - CNBC