Over the last couple of months, the Narendra Modi government has proactively issued orders and advisories that implicate routinely used digital platforms. On 12 April 2020, the Ministry of Home Affairs’ Cyber Coordination Centre issued an advisory, which asked government officials to avoid using Zoom, a popular video conferencing app. The government’s advisory came after the company admitted that some calls were “mistakenly” routed via China. Media reports claimed that hackers broke into a Zoom meeting and posted obscene content.
On May 18, the Department of Telecommunications (DoT) banned WeTransfer, a service used to transfer heavy files, according to multiple media reports. In both instances, the Modi government did not reveal the technical details behind its decisions. The Cyber Coordination Centre’s advisory simply said that Zoom was “not safe” to use and outlined steps individuals should take to ensure the security of their virtual meetings. The DoT order said it banned WeTransfer “in the interest of national security or public interest”.
Need for software tests
Such decisions heighten the need to create a robust testing mechanism for certain applications, whose security (or lack of it) might directly affect users. The coronavirus crisis and consequent lockdowns have forced people to work remotely. As a result, they expect stable, secure and efficient applications, which help them transfer files, conduct conferences, share screens, manage large projects, and use cloud storage services. The Ministry of Electronics and Information Technology (MeitY) is supposed to develop policy and regulatory frameworks for electronics and issues related to them, in accordance with government rules.
In this context, a MeitY Compulsory Registration Order, in effect since July 2013, aims to improve the quality of electronic goods available in India. This framework mandates that products such as mobile handsets and set-top boxes, among others, also be tested. Besides MeitY, the DoT also has a testing regime. In 2017, an amendment to the Indian Telegraph Rules created the Mandatory Testing and Certification of Telecom Equipment (MTCTE) procedure, to test and certify this hardware, prior to its sale or import in India. The Telecommunications Engineering Centre (TEC), under the Department of Telecommunications, administers this process. The safety of equipment with radio interface, its immunity to electrostatic discharge, operating frequency, output power and conformance to receiver and transmitter parameters, are some aspects that are tested as part of this process.
Critically, the focus of both the MTCTE regime and MeitY’s Order is limited to testing only network hardware and consumer devices. These exclude the testing of digital applications such as Zoom and WeTransfer completely. International standards, designed by expert organisations such as the International Organisation for Standardisation (ISO), the International Electrotechnical Commission, the Internet Engineering Task Force, and the Institute of Electrical and Electronics Engineers are reflected only in parts of India’s domestic standards and testing frameworks.
Unfortunately, the country’s participation in these global bodies, especially in the context of network and information security, remains limited. For instance, India sent a small three-member delegation to ISO’s Committee on IT Security techniques in 2015. A small delegation size means that each member has outsized responsibilities and is unable to match the depth and breadth of representation of their counterparts from other countries. As a result, they often have to choose between two parallel negotiation sessions that cover different aspects under consideration at such fora.
The 2017 list of equipment/products to be examined under the MTCTE included software and service applications. However, the latest list includes only hardware equipment such as Internet of Things (IoT) gateways, tracking devices, smartwatches and equipment that operates under 2.4 GHz and 5 GHz frequency bands. Software and service applications do not find a place in it, despite the apparent need.
Despite being notified in 2017, the MTCTE regime came into effect only in October 2019. This delay was primarily due to the ambiguity over the status, functioning, capacity and competence of TEC-designated laboratories. According to the MTCTE, TEC-recognised labs and facilities, designated as “Conformity Assessment Bodies” (CAB), are to test and certify equipment. Although the TEC targets having over 100 such facilities pan-India, it has, thus far, recognised only 54 CABs.
Such labs should possess the ability to disassemble telecom gear and review the components at application and hardware levels. At present, these labs test and certify specific telecom products, against specific standards. For instance, the capacity of a lab may be limited to testing only switching systems. Consequently, it is unlikely that a single lab can test multiple products.
Multiple stakeholders have highlighted concerns about their capacity shortages. In 2018, almost 70 mobile phone companies, including Samsung, Oppo, and Micromax, wrote a letter to the DoT highlighting challenges such as lack of testing infrastructure and limited number of test labs. The DoT appears to have recognised some of these deficiencies, which could be a reason why the MTCTE’s implementation was delayed. To date, the TEC has notified that only six equipment, including fax machines and cordless telephones, should be tested – an indicator of capacity shortages.
Global best practices
India can learn from the approaches of other countries in order to better design its own framework. Jurisdictions such as the UK and Singapore use the principle of security-by-design (updated throughout product lifecycles), to develop device and application-level cybersecurity standards. More specifically, testing benchmarks tend to be based on the ISO and IEC’s Common Criteria for Information Technology Security Evaluation. Further, in order to ensure robustness of such processes, both countries have embraced working arrangements with security experts.
Global best-practices can also serve as a guide to manage inadequate testing capacities. For instance, countries such as Australia, Singapore, UK and the US have tied up with Information Security Assurance experts CREST for cybersecurity accreditation and certification arrangements. Germany has an independent trust centre (‘TÜViT’), which assesses ICT security against globally recognised standards and criteria. The centre closely collaborates with other cybersecurity testing authorities from countries such as the US, Japan, Netherlands and Switzerland. Most importantly, TÜViT works in close coordination with various security laboratories.
As workforces across geographies migrate online, they will expect a secure virtual office environment, in which trade secrets are protected, conversations aren’t intruded upon and data isn’t misused. Employers and industries, for whom virtual offices are a new reality, will expect the government to evolve standards on which digital work environment applications are reviewed.
The first step to set those standards is to expand current testing mechanisms to include critical software applications, in line with global best-practices. Such a move will help address cybersecurity concerns, ensure certainty in the app ecosystem, and create consumer awareness. For India to assume a leadership role and craft a template for the future of work, it must set standards to assuage the concerns of its digital workforce.
The authors work at Koan Advisory Group, a technology policy consulting firm. This article is part of ThePrint-Koan Advisory series that analyses emerging policies, laws and regulations in India’s technology sector. Views are personal.