The government is reportedly finalising a methodology to ensure that telecom equipment imported from abroad does not contain embedded software to intercept sensitive communications or to cause system crashes: the former in times of peace, and the latter in times of war to disrupt vital communications.
It seems there is a move to ban the import of telecom equipment from 26 overseas companies, of which 25 are Chinese. Though it would affect the development of telecom networks, the government has a point in not taking any risk with the country's security.
Telecom systems are software-intensive and the chances of hidden malware/spyware cannot be ruled out. Reports say Chinese companies have agreed to produce third-party certification, and the government was inclined to agree to equipment import from them, if they produce third-party audit reports based on tests conducted on their hardware and software.
But a third-party audit report may not address the security concerns of the country entirely, as the operational software of the telecom switching systems is country-specific. For example, a certificate issued by British Telecommunications is only applicable to systems supplied to the UK to meet its network requirements and will not be valid for India. It is difficult to fully debug the entire operational software of telecom systems (for example, a mobile switching centre), which is among the most complex industrial software designed by man.
Telecom switching software, for instance, is designed to perform real-time tasks, such as giving dial tone in milliseconds. To meet the stiff real-time performance criteria, such systems generally employ low-level programming languages such as C and C++. Some even employ assembly-level languages, whose understandability is poor.
Therefore, even if the entire source code running into millions of lines is made available, it is difficult to know the function of a particular piece of software in real time. Very often, the original developer does not maintain proper documentation, which makes the task of third parties more difficult.
So, even if a software centre is set up in the country under the department of IT, it will be difficult to certify telecom software as 100% free of malware. It is like looking for a needle in a haystack.
Already, the country has imported a large volume of telecom switching and transmission equipment from ZTE/Huawei and the like. What is really dangerous is that a number of private licensed operators have, under the so-called "managed model", outsourced to MNCs (including Chinese MNCs) the functions of operations and maintenance. Telecom systems are operated through hundreds of man-machine commands. It is learnt that sensitive man-machine commands are being given by foreign engineers. Even BSNL exchanges are being operated by foreign engineers, including Chinese engineers.
More than the question of import, this new system of outsourcing operations of telecom systems to third parties poses a security threat to the country. Even if there is no hidden malware in the equipment, if man-machine commands are given by foreign engineers, malware can be introduced into a working exchange by engineers working for MNCs. Patches are received routinely from the vendor for system upgradation, removal of bugs and the like. These could contain spyware/malware. Latent malware/spyware is generally triggered by man-machine or calendar-based commands.
In the ’70s, many Latin American countries were following this model of outsourcing network operations to International Telegraph & Telephones (ITT), an American MNC, which not only supplied telecom equipment but also operated telecom networks in many countries. In Chile, ITT collaborated with the CIA in infiltrating its sensitive communications network to eventually overthrow leftist President Salvador Allende and install a pro-American president. Ever since this episode, many countries, including India, have never allowed a majority share to foreign companies.
The policy of majority domestic ownership of telecom firms is sacrosanct in many countries, including the US, and is designed to prevent foreigners from operating sensitive telecom equipment. The licences given to telecom service providers are actually network operating licences. In no country are the core network operations outsourced to a third party.
Prior to the formation of BSNL in early 2000, DoT was directly operating the national telecom network. The department first imported computer-controlled electronic switching systems in the 1980s. DoT engineers were trained by the equipment supplier in the installation, operations & maintenance of these exchanges. They directly installed and operated these exchanges. Foreign engineers were not even allowed to enter telecom installations, as these were considered too sensitive from the security angle. It is time BSNL/MTNL followed this time-tested policy, so that at least one network is fully secure for sensitive communications in times of war.
The author is a former member, Trai/Telecom Commission
