The Army's sensitive Command and Information Decision Support System (CIDSS), which is employed during war-time operations, has been found to be vulnerable to virus and trojan attacks and potential hackers.
The CIDSS, named Operation Samvahak, is a software project based on the web and has a database that operates on a number of networked servers and clients. Documents available with Deccan Herald indicate that Bangalore-based defence public sector undertaking Bharat Electronics Ltd (BEL), which was awarded the Rs 140-crore contract by the Army's Directorate General of Information System (DGIS), did not “provide services as per the provisions of the contract.”
Army sources said although the CIDSS system is not classified, it assumes that status once critical, top secret information is uploaded. The disruption was noticed across several Army field units in Fazilka, Suratgarh, Kota and Jaipur among others in the western sector which is one of the important commands.
What is alarming is that about 116 performance certificates generated over the past two years at the field-level units were suppressed, preventing the matter from being investigated by Army headquarters.
Even when the CIDSS was operationalised in a limited way, virus attacks were noticed, making the system “unstable” and forcing personnel of the technical group of the Electronics and Mechanical Engineers (EME) to subsequently refeed the data.
The purchase order for the software for phase-1 of the project was issued by the Army to BEL and the Defence Research and Development Organisation's Centre for Artificial Intelligence and Robotics (CAIR) in 2006. After the project was outsourced to two other firms, Tata Elxsi Ltd and YM Tech Pvt Ltd, it was implemented on a pilot basis in Punjab and Rajasthan.
Although phase-1 was declared complete in 2010, the CIDSS system was far from effective because it was based on the old Windows 2000, updates of which are hardly available today. Besides, no anti-virus or firewall was provided, making the system ‘highly vulnerable to virus and trojans.’
Once the warranty and extended warranty of the system expired in September 2010, the Army again awarded BEL the annual maintenance contract (AMC) in June 2011 for a year, at an estimated cost of Rs six crore. Through limited tendering, BEL in turn transferred the entire AMC to a third party civilian vendor, MSM Networks Enterprises, for slightly over Rs three crore.
In 2011, the Army also negotiated with BEL to provide suitable antivirus for the CIDSS, but it was only in the fourth quarter of the AMC that the defence PSU made available a few ‘QUICKHEAL’ antivirus whose market price could not have exceeded Rs one lakh. Sources disclosed that no indigenous action was taken to thwart cyber threats to the system.
The Army, however, continued to battle an unstable system that required frequent server formatting, re-installation and re-feeding of data as BEL even failed to provide backup support and maintenance / repair work cover within the stipulated time frame as agreed in the AMC.