The proposal by the Department of Telecommunications (DoT) that all mobile device manufacturers and telecom network equipment suppliers must share the source codes of all equipment with the department is misconceived on several grounds. It is being opposed by the industry and rightly so. The DoT has reportedly suggested this recently as part of the protocol for the draft Indian Telecommunications Security Assurance Requirements (ITSAR), which has been in discussion for a year. The DoT wants all network equipment and devices to be supplied to the department for security certification after testing, including testing by third parties. This is supposedly to address concerns about backdoors placed in networks. The Chinese company Huawei, in particular, has been the target of such allegations. Any security gaps, deliberate or otherwise, may be exploited by hackers, or bad state actors.
There are only a handful of global network equipment vendors and they are unhappy at the thought of supplying source codes and waiting out a 12-16 week process of testing and certification. Supplying the source code represents a threat to intellectual property since it makes it easier to re-engineer equipment or compromise it. This certification process is also unrealistic. Even equipment that is certified secure could be vulnerable, depending on network configuration. It is clearly an overreach to demand source codes for every handset model. No national agency demands this, although agencies like the US National Security Agency carry out extensive handset testing. The long-drawn system of certification is also commercially impractical. All operating systems, including those on network equipment, undergo upgrades, and manufacturers deliver patches and upgrades to source code to rectify bugs as they are discovered. Mobile devices have a rapid release and turnaround cycle. New models are released often, and system upgrades are delivered to handsets after sale. Although the most popular mobile operating system, Android, is open source, every manufacturer adds tweaks to manage different hardware and different configurations of cameras and peripherals. Apple's iOS system for the iPhone is not open source, though the company releases a source code webkit for developers to build apps.
A certification process would introduce long delays into this cycle, especially if each upgrade (which means changes in source code) also has to undergo repeat testing and certification. Releasing the source code of a mobile device could compromise the security of that model. The privacy of all users of that model could also be severely compromised, especially if third parties are involved in testing. The industry is unhappy since this could lead to roadblocks in the release of new handsets. Such proposals are usually made with the blanket justification of enhanced security. But this one seems unrealistic. It would not serve the purpose of making networks or handsets more secure. Instead, it would introduce delays and new security risks. Existing laws already ensure that manufacturers and telecom service operators cooperate with surveillance requests from government agencies. If there is a need to recover data from a specific handset, or to harden a specific network, it is always possible to ask the manufacturer for assistance. Indeed, this has often happened. But such a request should always be made with a specific, stated purpose. A blanket demand for the source codes of all equipment is not justified, and the DoT should reconsider this proposal.