The government has amended the compulsory registration order for CCTV cameras sold in India to make testing of their ‘essential security parameters’ mandatory

After a series of deliberations on how to check alleged snooping by Beijing through a web of Chinese-origin CCTV cameras installed across India, including government and military establishments, the Union government has come out with safety guidelines keeping national security as top priority.

To date, the Indian government had no mechanism to check the installation of these Chinese-origin surveillance cameras, as the certification for such devices in use in the country only looked into aspects such as fire hazard or durability, and not security or snooping threats.

But early last week, the Union ministry of electronics and information technology (MeitY) amended the compulsory registration order (CRO) for CCTV cameras sold in India. This amendment makes the testing of ‘essential security parameters’ of all CCTV cameras mandatory. Given the massive network of such cameras, the new regulation comes into effect on October 9 this year, thereby allowing manufacturers sufficient time to adapt.

Prioritising national security in such matters is crucial, especially given the sensitive nature of government and military establishments. Setting up guidelines to monitor and certify these surveillance cameras on the security aspect is a prudent move.

India is estimated to have over two million surveillance cameras, installed at every nook and corner. Out of these, around a million cameras made by Chinese companies are installed in various government institutions, posing a serious risk of snooping. It is suspected that CCTVs being deployed in most Indian government projects are of Chinese origin—imported from China and supplied as Made in India. This is a threat to national security.

It is estimated that the market penetration of Chinese CCTVs is over 80 per cent for domestic and over 98 per cent for government installations. As experts say, countries no longer need to send spies across the border. Such suspect CCTVs become the eyes of any country aiming to do mischief. Such cameras are the best tool for technical intelligence. The unchecked proliferation of such devices across India is a grave security risk.

There is the threat of China snooping on India through hundreds of thousands of such surveillance cameras, with security experts flagging serious concerns about the security threat.

In last week’s notification, dated April 9, MeitY made the testing of ‘essential security parameters’ of CCTV cameras mandatory. The notification also mandates that test reports from Bureau of Indian Standards (BIS)-recognised labs, such as the Standardisation Testing and Quality Certification, would need to be submitted by manufacturers.

Reacting to the guidelines, Lieutenant General Rajesh Pant (retired), former national cyber security coordinator for India’s National Security Council and also chairman of the Cyber Security Association of India, told INDIA TODAY that the proliferation of CCTVs in the country without any security checks had created a major vulnerability for national security, since most of these devices were imported from the country of concern. This has led to remote surveillance and loss of data. “The notification by MeitY is a long-awaited and welcome step by the government to ensure that essential security parameters are built into these devices. I hope this is extended to all IoT (internet of things) devices in the future,” Lt Gen. Pant said.

On March 6, MeitY had issued a notification for public procurement of CCTVs for essential testing of critical security parameters and giving details for local content calculations. The requirement of verification of the trusted source for sourcing the critical hardware components related to security functions are of special significance. They don’t allow proprietary network protocols or give implementation schedules and source code, and verification of all codes including third parties.

Further, one of the amendment’s primary features is the confirmation of reliable sources for crucial hardware parts associated with security operations (such as system-on-a-chip or SOC). In addition, it forbids the use of proprietary network protocols without source code disclosure and implementation timetables.

Prof. N.K. Goyal, chairman emeritus, Telecom Equipment Manufacturers Association of India, had been highlighting the issue for long. Relieved by the government order, he said: “The government has stepped in to ensure that all CCTV cameras deployed in India are free of any national security concerns and that the major components of CCTV/ video surveillance are built by trusted sources on a reliable basis. Goyal added that this would go a long way in ensuring that CCTV/video surveillance systems deployed in the country do not compromise national security.

As for compliance to BIS being a check on CCTVs rigged for snooping, industry insiders say CCTV cameras/ recorders were till date covered in the CRO Phase III (with effect from May 23, 2018). However, the same standard applies for mobile phones, cash registers, laptops, set-top boxes, power banks, scanners, etc. But these BIS norms only mention human hazards such as fire or their durability, and not national security aspects.

However, in addition to the national security threat, there is a huge economic impact in terms of billions of dollars lost in cheap and under-invoiced imports and a lost opportunity to become a net exporter of hardware through actual manufacturing with transfer of technology against just factory assemblies. The global CCTV market is expected to grow to approximately $46.52 billion at a 13.1 per cent CAGR (compound annual growth rate) during the forecast period of 2020-2030.

The issue hit Parliament sometime back when minister of state for communications and electronics & IT Sanjay Dhotre informed the Lok Sabha that around one million CCTVs from Chinese companies were installed in government institutions. “There are vulnerabilities associated with video data captured through CCTV cameras being transferred to servers located abroad,” Dhotre said.

Basically, the minister was speaking about video security surveillance (VSS), which is more than a CCTV and being connected to a telecom network. The VSS also contains a video network recorder by which all images are connected to a telecom network and then stored and analysed. That is where national security risks crop us as data can be transferred to anyone.

Intelligence agencies’ biggest fear is the continuous deployment of technology of Chinese origin across the entire nation through VSS. Security agencies fear Chinese companies and their Indian partners are sending regular data to China through backdoor access with their CCTVs installed in almost all smart cites, state police, highways, airports, metro rails, ministries, including ministry of home affairs, and organisations.

Surveillance cameras are also being used extensively for military establishments. It’s all a serious threat to national security due to proven data transfer to the Chinese intelligence establishment. As per the China Intelligence Law, 2017, these companies are duty-bound to share all their data and access to the sites with the Chinese intelligence. The Chinese government-owned companies are directly, or through their Indian subsidiaries, joint ventures or distributors, supplying VSS hardware and software.

A couple of years ago, the Integrated Defence Headquarters of the ministry of defence (MoD) flagged serious concerns over Chinese-origin CCTVs at naval installations. The internal note by the Integrated Defence Headquarters—seen by INDIA TODAY—stated that one of the market leaders in surveillance cameras is Hikvision, which has 41 per cent Chinese government holding and is operating in India through an Indian company’s collaboration.

“The modules of these camera systems are supplied by the Chinese firm. However, these products are marketed as Made in India,” claims the MoD note. It added that this loss (of data) could be through programmed or coded servers or embedded hardware for wi-fi or SIM-based connectivity, or during maintenance or replacement from the memory/cache of the CCTV and other surveillance systems.

After the border incursions in Ladakh by Chinese troops in July 2020, the Union finance ministry’s Department of Expenditure issued GFR ( General Financial Rule) 144 XI (on July 23, 2020) to ensure that Chinese companies do not directly, or through their Indian/Chinese subsidiaries, participate in procurements without prior registration with the Department for Promotion of Industry and Internal Trade (DPIIT).

(With Agency Inputs)