March 30, 2014
Vodafone and Verizon Spied for GCHQ and NSA

Prabir Purkayastha

THE recent disclosures in the press that Vodafone and Verizon have helped their “parent” spy outfits – GCHQ (UK) and NSA (USA) – to spy on the Indian telecom network will not be a shock to the readers of this column. We have been writing on the dangers that foreign-owned telecom companies pose to the Indian network, as they can be used as a Trojan horse. The Snowden revelations were clear; the Indian network had yielded 6.3 billion pieces of “intelligence” in March 2013 alone, something that required the cooperation not only of the US Internet companies but also of some of the Indian telecom network operators. Now we have a home ministry's internal note confirming that it has indeed happened; if we are serious about cyber security, we then need to address foreign ownership of telecom companies.

IMPLANTING ROGUE SOFTWARE IN CRITICAL EQUIPMENT

Before we think in terms of cloak-and-dagger spy stories, we must understand what is required by GCHQ, the British spy agency, and the now well-known US agency, the NSA, for penetrating the Indian network. Since the telecom companies in India are owned by Vodafone, a UK company, and Verizon, a US company, they can be used by GCHQ and NSA to create software “implants” in the Indian network. Such rogue software can be implanted in critical equipment – in routers, switches or any other part of the telecom infrastructure. Such implants can have multiple purposes. One is simply to duplicate communications, which could be metadata – who called whom, when and for how long – and send them to specially designated communication hubs. These hubs can be inside or outside the country. It really does not matter. All that matters is that the data is now available for siphoning off and finally storing in NSA or GCHQ systems. The second purpose of these implants is their ability to act as “logic bombs” – they need one command to initiate a shutdown or a disruption of the “host” network.
As Vodafone and Verizon have access to the Indian network, it is easy to use these companies for introducing such “implants” in the Indian telecom network. Though AT&T is not mentioned by name, there is enough evidence in the Snowden revelations to show that both Verizon and AT&T have been enthusiastic partners in the US global surveillance regime. The relationship between AT&T and the US spy agencies pre-dates 9-11, and it was to protect these telecom companies that the 2007 FISA Amendment was passed in the US Congress, providing legal immunity to these companies. In the case of Brazil, one of the US companies was involved in breaking not only into the Brazilian network but also into the South American network. O Globo, the Brazilian newspaper, reported that a subsidiary of a US telecom major was involved in this break-in. Given AT&T and Verizon's track record, it could have been either. And quite possibly, AT&T, which runs a data service in India similar to Verizon, could also be a partner to NSA's surveillance and penetration of the Indian network.

The problem in India is that we have a government that is extremely reluctant to take up the violation of India's sovereignty and the mass surveillance of Indian citizens. It is not even willing to protest against its prime minister or his colleagues being spied upon, as was done during the G20 summit in London in 2012; or the bugging of India's Embassy or consulates in the US. What is worse is that it has not registered what has been public knowledge since November last year, that the Indian telecom network has Computer Network Exploitation (CNE) implants introduced by the NSA. The slide above is a part of the Snowden documents that has been in the public domain since last November. It shows clearly that such CNE implants are there in the Indian network. Worldwide, there are more than 50,000 such implants in different networks – the US has infected the world on a massive scale – both for the purpose of surveillance and for cyber warfare.

CONTINUATION OF INDIA-US STRATEGIC RELATIONSHIP

Why should not such information send warning signals to those who are supposedly looking after India's cyber security? The reasons are many, but the most important one is the belief that private telecom companies – even if foreign-owned – will work as our first line of defence. No, I am not making a conjecture here; this is what India's official cyber security policy document, released only last year, says. Ironically, in the same week, we also announced a policy of 100% foreign ownership of telecom companies. And this is what the Vodafone issue is all about – the ministry of home is examining Vodafone's record before clearing it for this 100% ownership. The second reason for not objecting to the US surveillance or penetration of the Indian telecom network is of course ideological. The political and strategic leadership in India now believes that India may pose as an IT superpower, but it has no capability of protecting itself. Therefore the need to align with the US. This is why there is an unwillingness to rock the US boat, even if they are known to have penetrated our network. This is a simple continuation of the India-US strategic relationship we saw during the Nuclear Deal.

The US has for long been complaining about telecom equipment manufactured by Chinese companies, such as Huawei and ZTE. Their argument has been the close relationship that exists between the Chinese military and these companies. It is now known that Cisco and Juniper equipment all have NSA backdoors. Der Spiegel has given us details of how the NSA's Tailored Access Organisations create and exploit backdoors in both proprietary hardware and software, almost certainly with the knowledge and complicity of large US companies. It is also known that not only the US equipment, but also Huawei has backdoors that are known to the NSA. This means that the Indian network – where the entire telecom network uses equipment from these companies – is now at risk.
During UPA-1, the Left had opposed foreign ownership in Indian telecom companies for strategic reasons. It had also argued that the Indian telecom network should be used to build an indigenous equipment manufacturing industry, the way the Chinese were doing. It is now clear that economically, not building a manufacturing industry will cost India dear. But the implications for cyber security are even worse: without a strong manufacturing base for telecom equipment, we are open to penetration by NSA, GCHQ and other players. If India wants to be a global player, it needs to decide what is strategic and needs to build indigenous capability for such sectors. At the level of policy, India must not only examine what the Snowden revelations show, but also what India's response should be. And in this, the first step will be to have a cyber security policy committee in which foreign companies such as AT&T do not sit. Currently, India's Cyber Security Policy sub-committee headed by the Deputy NSA has members from US/UK companies sitting on it in the guise of FICCI. No meaningful cyber security policies can be built if the members of such bodies owe their allegiance to companies that are close partners of NSA and GCHQ.