We probably need an agency where top hackers would sit day in and day out trying to find security holes in our Internet infrastructure, and work closely with compliance agencies in the government to fix the holes found

A chief technology officer (CTO) of one of world's top mobile service providers is worried about the fact that his company routinely sources critical equipment from a top Chinese vendor. After all, Chinese vendors come ten times cheaper than other Western vendors and the decision is based on purely commercial considerations.

However, the worry is that when critical components in the telecom infrastructure are in control of a potentially hostile country, the whole network could be brought down by just sending a couple of broadcast packets.

Not that there is any evidence that the Chinese have planted Trojans or backdoors in such infrastructure. In fact, there is no evidence either way, but the technology needed to reverse-engineer such components is either not available or would require millions of dollars of research to develop, so we do not know.

The software as it currently stands may even be clean but a routine firmware update could plant software having such nefarious commands. So, the detection problem becomes even more complex. Given that the Chinese government has cyber-war as its high priority strategy, and given that it gives millions of dollars in aid/subsidy to Chinese telecom vendors—heck, we don’t even know who exactly owns Huawei, the top Chinese telecom company—there is surely reason for suspicion that control of telecom infrastructure via equipment sold by Chinese vendors could be part of the Chinese government’s strategy, and this control can then be leveraged in case of any cyber-war.

In the Indian context, BSNL and Reliance routinely source from Chinese vendors. A year back, a couple of hackers demonstrated at the Defcon conference in the US, how mass traffic from an Internet service provider can be completely redirected to another country using a critical routing software called BGP. BGP is software that helps two routers talk to exchange routing information. The interesting part is that the hackers didn’t take advantage of any bug in BGP. BGP written decades ago when the Internet was in the hands of academicians, is a trusting protocol that just believes the data that it receives is true. To give an example, all of a particular ISP's traffic from India that is bound for the US, could go through, say, a node in Dubai, which then forwards it to the US. Another route to the US could be via Pakistan or China. If the Pakistani node's BGP software sends a message to the Indian ISP's BGP router saying that a better route to the US exists via Pakistan, the Indian ISP's router would just believe the above, and change its routing table so as to send all US-bound traffic to Pakistan instead. The traffic can then be legitimately sent to the US from Pakistan, but meanwhile it could also be sniffed and thus all traffic viewed. 

So, to the end user, everything would look fine, just that the intermediate node's owner could have a look at all the traffic.

Given that today, economies are so crucially dependent on the Internet, ability to view a country's traffic is the equivalent of knowing nearly all what goes on in the country, something that could give huge leverage to competitive business, not to mention the criticality of this data if the two neighbours are hostile to each other. A new version of secure BGP is in the offing.

The question is: Have all our Indian ISPs updated their BGP protocols to secure BGP? We don’t know.

Page