
India must fortify its digital defences

The importance of Aatmanirbharta is magnified in domains impacting national security
Cyberattack: The recent pager explosions were aimed at paralysing Hezbollah’s communication infrastructure. Reuters

On September 17, hundreds of pagers used by Hezbollah members exploded nearly simultaneously across various locations in Lebanon and Syria, killing at least 12 people, including two children, and injuring at least 2,000. A second wave of attacks followed when dozens of two-way radios blew up, killing at least 20 people and wounding more than 450.

Many believe that Israeli intelligence, particularly Unit 8200 — Israel’s cyber warfare division — masterminded the attacks. The motive appears clear: to paralyse Hezbollah’s communication infrastructure and instil widespread fear. Wary of mobile phone vulnerabilities, Hezbollah had recently shifted to using pagers as their primary means of communication.

According to reports, a small amount of explosives hidden in the pagers was triggered by a remote signal. The procurement chain of the pagers traces back to a Taiwanese company, Gold Apollo, which initially manufactured the AR-924 model pagers. However, the Hezbollah pagers were not directly sold by Gold Apollo but distributed by BAC Consulting, a Budapest-based company that held a licensing agreement with Gold Apollo. The New York Times reported that Israeli intelligence operated BAC Consulting and had created two unnamed shell corporations to obscure its involvement.

Headlines following the attack have talked of terrifying implications for the future, a new chapter in cyber warfare and the weaponisation of everyday objects. While the Israeli attack was brilliantly planned and executed, its success should not surprise anyone familiar with state-sponsored cyber espionage. The modification of both hardware and software to gather intelligence or sabotage critical infrastructure is not a new phenomenon.

Edward Snowden revealed in June 2013 the existence of the PRISM programme, under which the US National Security Agency (NSA) collected data from Internet communications. The programme’s scale was staggering and included planting backdoors and spyware in electronic devices. According to a report in Der Spiegel, the NSA had planted backdoors to access computers, hard drives, routers and other devices from companies such as Cisco, Dell, Western Digital, Seagate, Maxtor, Samsung and Huawei.

More NSA documents, released in Glenn Greenwald’s book No Place to Hide, detailed a specific instance of how NSA employees intercepted Cisco routers intended for organisations targeted for surveillance and implanted them with backdoors before shipping them on. Cisco publicly distanced itself from these actions, but the incident raised concerns about the vulnerability of global supply chains for tech hardware.

America is one of many countries that use these practices. A 2018 Bloomberg report alleged that Chinese intelligence agents had placed tiny microchips on server motherboards manufactured by Supermicro. These servers were sold to major US tech companies, including Amazon and Apple. The chips allegedly allowed for remote backdoor access.

In 2020, The Wall Street Journal quoted US officials as saying that Huawei was covertly accessing mobile networks via backdoors meant for law enforcement use, prompting several nations to ban the company's products. Similarly, Chinese surveillance equipment makers Hikvision and Dahua have been blacklisted over concerns of sending sensitive data back to Beijing.

Despite the Snowden revelations of 2013, those responsible for cybersecurity in India were slow to react. Foreign hardware and software continued to be procured for critical military and civilian communication networks. It wasn’t until 2020, after the Chinese incursions in Ladakh, that the Indian government restricted Chinese telecom equipment. Yet, by then, more than half of the state-owned BSNL’s mobile network was based on equipment from ZTE and Huawei. Private telecom operators like Airtel and Vodafone also remain heavily dependent on Chinese equipment. In March 2021, Bharti Airtel awarded a telecom infrastructure expansion contract worth around Rs 300 crore to Huawei.

Efforts to reduce dependency on China and promote indigenisation have not yielded adequate results. As per a report by the Global Trade Research Initiative, China and Hong Kong accounted for an overwhelming 56 per cent of India’s total imports in electronics, telecom and electrical products in the 2023-24 financial year.

In July 2022, the Department of Telecom banned the use of non-trusted telecom gear for the expansion of communication networks in the country. However, this alone cannot prevent the poisoning of supply chains. Cisco, which has a significant presence in India, including in military communication networks, has received approval as a ‘trusted source’. According to data provided by the Voice of Indian Communication Technology Enterprises (VoICE), Cisco is the largest importer of equipment such as access points and switches from China.

The Indian Army recently adopted a secure mobile ecosystem called SAMBHAV (Secure Army Mobile Bharat Vision). However, the system does not address the fundamental vulnerability as it is based on a foreign handset and rides on commercial networks seeded with foreign equipment. It could end up providing a false sense of security.

It is well understood that foreign dependencies cannot be eradicated overnight, but there is a visible lack of a national strategy to work in this direction. We have been hearing about a new cybersecurity strategy since 2020, but it is yet to be promulgated. One essential element of this strategy must be replacing foreign hardware and software in critical systems.

In 2019, the US enacted the Secure and Trusted Communications Networks Act, which mandates that US network operators remove network equipment from Chinese vendors Huawei and ZTE. This initiative, often referred to as the ‘rip and replace’ programme, provides federal funding to network operators. The fact that the programme is facing delays shows the depth of Chinese gear in the networks, but the US intent and direction are clear.

Mirroring the US move, the Chinese government recently ordered ‘rip and replace’ for US-made chips in its telecommunication networks by 2027. This follows a 2023 order banning government agencies from using iPhones and foreign-branded smartphones for work.

Aatmanirbharta is not just a goal; it is a strategic imperative. Its importance is magnified in domains directly impacting national security, where dependency is a vulnerability. One such domain is cybersecurity, where safeguarding the nation from state-sponsored cyber threats must be a top priority. We must fortify our digital defences, enhance indigenous capabilities and eliminate reliance on foreign technology that could be weaponised against us.
