One would think that testing for security flaws and embedded malware would be de rigeur for components used in military applications, right? Especially if those components come from a country with which one has a history of military conflict? The answer for India, apparently, is definitive: “Nope!”
The Hindu Times is reporting that the Indian army’s communications system is “riddled with security flaws” and infested with nasty malware of Chinese origin that could disrupt communications and spy on military activities.
Yikes. This is a country with nukes and a lot of irons in the fire when it comes to borders and skirmishes and territories and everything else.
The paper noted that thousands of military documents are housed in vulnerable systems. “War plans would be protected by hundreds of firewalls but there are enough sensitive documents that can be stolen,” said Indian Air Force chief Fali Major, speaking to the Times. “The attackers can crash your systems and corrupt your data by gaining full control of computers.”
Oh well if that’s all…
But wait, there’s more!
“This has been compounded by the fact that origin of a large amount of electronic circuitry being used in communication equipment is of Chinese origin,” reads a report prepared by the Army Design Bureau (ADB).
Most advanced nations have laboratories that check communication and IT equipment for malware before installing it, the report noted. However, what’s good for the goose isn’t good for the gander, in this case.
“Even the US is deeply worried about systems being infected with Chinese malware,” Rakshit Tandon, a cybersecurity researcher, told the Times.
Yes, even the US, with its hackable elections and everything, even WE don’t use Chinese components without testing them first.
“India is extremely vulnerable to such attacks, and the military needs to evolve very stringent testing methodology to make sure hardware and software systems are not compromised,” Tandon added.
The ADB report offers a wish list for rectifying the situation, starting with “military-grade security,” which would seem to be self-evident.
Also on the list: Software-based encryption, developing a “hardened, indigenous OS” in-house for extra security, and “all-in-one communication handsets” that will do away with the need to carry multiple devices.
The report attempts to assuage fears by noting that “the army realizes the threat. It had set a target of one year to develop the capability for ‘high assurance testing’ to check the hardware for ‘embedded malware, backdoors and hidden processes’ that hackers could abuse.”
Yet we must ask the question: In the age of cyber-warfare, how is it possible that one of the world’s major democracies and major economies, not to mention a major nuclear power, can be this vulnerable?