The National Telecommunication and Information Technology Security Board (NTISB) has issued a warning to government departments regarding the use of Indian/Israeli IT-related products and services. The advisory highlights the potential cyber threats associated with these products and services, especially in critical information infrastructure (CII). While these solutions may appear to be cost-effective, there is a concern about the presence of backdoors or malware that could compromise cybersecurity.
The NTISB emphasizes that several incidents in the public sector have revealed the involvement of India-based threat actors, leading to service disruptions, data loss, and reputational damage for organizations. To mitigate these risks, the advisory suggests that federal departments should protect their businesses and critical data by avoiding the procurement of IT hardware solutions from these countries, in accordance with the existing ban imposed by the Commerce Division.
Additionally, the NTISB recommends against procuring IT security solutions, such as intrusion detection and prevention systems, security information and event management, extended detection and response, mobile device management, and DDoS mitigation solutions from these countries or their partners, due to the potential presence of backdoors or malware.
Organizations are advised to discontinue the use of online software solutions and transition to alternate offline solutions to ensure business continuity. Offline solutions should be used with the acceptance of associated risks, without applying updates/patches or connecting to the internet.
The NTISB further states that vendors/OEMs should provide a certificate guaranteeing the absence of backdoor eavesdropping or remote access mechanisms. Failure to identify unauthorized access or data leakage may result in contract cancellation and blacklisting of the firm. Service level agreements (SLAs), if applicable, should include security clauses to safeguard businesses and critical data.
For critical information infrastructure, code walkthroughs and comprehensive security assessments should be conducted through PTA-approved auditing firms. Random penetration testing should also be carried out to ensure the effectiveness of security measures.
The advisory emphasizes that all government organizations have a responsibility to implement cybersecurity measures in their respective domains and should adopt a cautious approach to mitigate potential risks.