Responding to the MHA advisory, a Zoom spokesperson said: "Zoom takes user security extremely seriously. A large number of global institutions ranging from the world’s largest financial services companies and telecommunications providers, to non-governmental organisations and government agencies, have done exhaustive security reviews of our user, network and datacenter layers and continue to use Zoom for most or all of their unified communications needs."
The Indian Computer Emergency Response Team (CERT-In) put out an advisory on March 30 about "Secure usage of Zoom video conferencing application," detailing the steps users should take to ensure their data remains protected.
Salman Waris, managing partner at New Delhi-based specialist technology law firm TechLegis Advocates & Solicitors, said the issue is that the Government, at both the Centre and individual state level, is working remotely and using Zoom to conduct official meetings and discuss the emergency response. This includes planning a critical official strategy for Covid-19 while having to operate outside the secured workplace and managing machine sprawl: when the number of virtual machines on a network increases, securing hundreds of thousands of endpoints becomes a much bigger challenge.
The popularity of the US-based platform has skyrocketed during the ongoing Covid-19 pandemic, as more and more people use Zoom for virtual meetings, online education, and even for friends to catch up. However, several reports have pointed out that Zoom may be vulnerable to hacking, and earlier this month, an investigation even claimed that some of its encryption keys were routed through China-based servers.
In response, Zoom CEO Eric Yuan apologised for the company failing to fully implement its usual geo-fencing best practices, while assuring customers that there was no impact on Zoom for Government Cloud, a separate cloud service for government customers.
“There is a serious threat to national security due to the very critical nature of the issues being discussed via these Zoom conferences,” said Waris.
Indian government officials, in addition to a host of enterprise customers, have also been using Zoom for virtual meetings. While many foreign-based firms and governments have banned the use of Zoom for official work, there hasn't been a large scale directive in Indian companies to do so thus far.
“Besides, the rapid uptake of Zoom as a standard teleconferencing platform by State and Central Governments and other Departments of the Government of India, without proper vetting, potentially puts state secrets and the national security at risk,” said Waris.
“The Government of India, its agencies and departments, therefore, need to underscore the need to maintain cyber hygiene in these tumultuous times. Given that the inimical impact of the Covid-19 pandemic will be long-drawn, organisations should work towards putting in place a tailor-made work-from-home cyber defence strategy,” said Waris.
Adhering to such aspects as multi-factor authentication, whereby a user’s identity is verified by using multiple credentials, is essential. Equal attention should be paid to emergency response planning and disaster recovery, in order to minimize damage post-incident.
In March 2020, the user base on Zoom reached 200 million participants per day, both free and paid. This sudden surge exposed Zoom’s vulnerabilities in rapid-fire succession. One of the major security flaws of Zoom came out due to the company’s rapid response to the pandemic, namely making its services easily accessible for free. This led to many professionals adopting the platform, ranging from small businesses and educational institutions all the way to administrative and government establishments.
Big names that have disallowed/banned Zoom use:
- Elon Musk's SpaceX
- New York City Schools
- Standard Chartered
- Taiwan government
- Canada Government