Why should Bangladesh's defence forces have their own communication app?

The use of third-party, publicly available communication platforms for sensitive defence-related communications poses a variety of security and operational risks for our country. Here are some reasons why a country's defence force should consider adopting its own secure communication network.

Reasons for Developing Own Solutions:

  1. National Security: A foreign commercial communication app may contain backdoors, intentional or unintentional, or other vulnerabilities that adversaries could exploit.
  2. Customization: Defence operations often have unique requirements that are not met by commercial applications. They may also require specific features like secure voice and video calls, geolocation services, and operational planning tools that may not be available in public apps.
  3. Data Sovereignty: Using a foreign platform poses the risk of data being stored in another country, subject to that country's laws and potential surveillance. This could expose sensitive data to various vulnerabilities, including unauthorized access. Besides, national laws on data storage and access can vary greatly. Storing sensitive data in another country could present legal risks or conflicts. The company providing the app might be subject to laws that compel it to disclose data under certain circumstances.
  4. Third-Party Risk: Even if a commercial app is "secured", its provider may itself be vulnerable to hacking attempts by a third party, which could be state-level hackers from another country. If the company behind the public messaging app is compromised, all associated communications may also be compromised. Popular apps are more likely to be targeted for zero-day vulnerabilities by a third party, posing a risk. A zero-day vulnerability is a software vulnerability discovered by attackers before the vendor has become aware of it.
  5. Full Control: By developing an in-house solution, the military has full control over the software code, can quickly address vulnerabilities, and can modify the software as needed. Even if a public app claims to be secure, the source code is generally not open to scrutiny by the defence agencies to verify this claim.
  6. Integrate with Existing Systems: Public apps lack interoperability. Custom solutions can be tightly integrated with existing defence communication and other systems, software, and hardware, providing seamless interoperability.
  7. No Risk of Commercial Policy Changes: Commercial applications can change their terms of service or even shut down, disrupting defence operations.
  8. Data Encryption: While many public messaging apps offer end-to-end encryption, this is often not sufficient for military-grade requirements. A custom platform can implement stronger encryption algorithms and additional security layers to safeguard sensitive information.
  9. Audit and Accountability: Internal platforms can be designed to incorporate robust logging and auditing capabilities to review activities and changes, something critical for defence operations.
  10. Non-Specialized Infrastructure: The infrastructure behind public apps might not meet defence standards for reliability and redundancy. Custom apps can be built to work only on the defence intranet instead of the internet.
  11. Usability: A custom app can be designed to meet the specific needs and operational practices of a defence organization, ensuring faster adoption and more effective use.

 

Developing a custom communication platform for a specialized entity like the Bangladesh Defence Force requires careful planning, deep domain expertise, and strict adherence to security standards. Here's how to specifically address the issues:

Security Concerns:

  1. Data Encryption:
    • Methodology: Use Advanced Encryption Standard (AES) with 256-bit keys or better for data at rest and during transmission.
    • Technology: Implement TLS (Transport Layer Security) for data in transit and use FIPS 140-2 compliant encryption modules for data at rest.
  2. Data Storage:
    • Methodology: Create secure, on-premises data centers within Bangladesh, perhaps even on defence installations.
    • Technology: Use secure hardware that supports full-disk encryption and secure boot processes.
  3. Third-Party Risk:
    • Methodology: Limit third-party libraries and software components to only those that have been thoroughly vetted and are essential.
    • Technology: Utilize software composition analysis tools to evaluate the risk profile of third-party components.
  4. Backdoor Access:
    • Methodology: Use open-source components for critical parts so that they can be inspected for backdoors.
    • Technology: Implement a secure Identity and Access Management (IAM) system with multi-factor authentication (MFA).
  5. Data Sovereignty:
    • Methodology: Store all data within the jurisdiction of Bangladesh to be in full compliance with local laws.
    • Technology: Utilize domestic cloud solutions or build in-house data centers. If local cloud solutions don’t offer the security features required, go for a hybrid model with separation of application and data.
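
One way to enforce the "vetted components only" rule from the Third-Party Risk item is a build gate that rejects any dependency that is not on an approved list, not pinned to an approved version, or not hash-locked. This is an added example, not part of the original article; the allow-list, package names, versions, and manifest below are constructed for illustration, and the manifest uses pip's requirements format.

```python
import re

# Constructed allow-list: component name -> versions the security team has vetted.
VETTED = {
    "cryptography": {"42.0.5"},
    "protobuf": {"4.25.3"},
}
FAKE_HASH = "--hash=sha256:" + "0" * 64  # constructed placeholder digest

# Constructed manifest (pip requirements style) for a hypothetical messaging server.
SAMPLE_MANIFEST = "\n".join([
    "# secure-messenger server dependencies",
    f"cryptography==42.0.5 {FAKE_HASH}",  # vetted, pinned, hash-locked
    "protobuf>=4.0",                      # floating version
    f"image-resizer==1.0.2 {FAKE_HASH}",  # never vetted
    f"protobuf==4.21.0 {FAKE_HASH}",      # pinned, but not a vetted version
    "cryptography==42.0.5",               # vetted version, but no hash
])

LINE_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9._-]+)\s*(?P<op>==|>=|<=|~=|!=|>|<)?\s*"
    r"(?P<version>[^\s;]+)?(?P<rest>.*)$"
)


def audit_manifest(text, vetted=VETTED):
    """Return (line number, component, reason) for every entry that fails the gate."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            findings.append((lineno, line, "unparseable"))
            continue
        # Normalise the name so "Foo_Bar" and "foo-bar" cannot dodge the list.
        name = re.sub(r"[-_.]+", "-", m["name"]).lower()
        if name not in vetted:
            findings.append((lineno, name, "not-vetted"))
        elif m["op"] != "==" or not m["version"]:
            findings.append((lineno, name, "not-pinned"))
        elif m["version"] not in vetted[name]:
            findings.append((lineno, name, "version-not-vetted"))
        elif "--hash=sha256:" not in m["rest"]:
            findings.append((lineno, name, "no-hash"))
    return findings
```

A build pipeline would fail when `audit_manifest` returns any finding; installing with pip's `--require-hashes` option then ensures the artefacts fetched match the digests that were reviewed.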

Operational Concerns:

  1. Feature Set:
    • Methodology: Conduct workshops with key stakeholders from the Defence to understand operational requirements.
    • Technology: Use modular architecture to add features like secure voice and video calling, file sharing, and geolocation services.
  2. Interoperability:
    • Methodology: Adopt international defence standards like the NATO Interoperability Standards.
    • Technology: Use APIs and SDKs that allow seamless integration with existing systems.
  3. Network Reliability:
    • Methodology: Plan for multiple layers of redundancy across hardware and network components.
    • Technology: Employ Network Load Balancing and Auto-Scaling Groups to ensure uptime.
  4. Bandwidth:
    • Methodology: Conduct network assessments in real operational settings to understand bandwidth limitations.
    • Technology: Implement adaptive bit-rate streaming and data compression algorithms to optimize for low-bandwidth environments. An intranet or private network can be used to communicate without internet access.
  5. Audit and Accountability:
    • Methodology: Integrate comprehensive logging and monitoring from the ground up.
    • Technology: Use tools like Security Information and Event Management (SIEM) systems for real-time analysis of security alerts.
  6. Usability:
    • Methodology: Use Agile development with constant feedback loops involving actual users from the Bangladesh Defence.
    • Technology: Invest in UX/UI design tailored for defence needs and environments.
  7. Direct Control:
    • Methodology: Offer extensive training and documentation so that the Defence can manage the system independently if needed.
    • Technology: Use Containerization and Infrastructure as Code for rapid deployment of updates and changes.

Quality Assurance:

  • Methodology: Implement rigorous testing, both manual and automated, and involve the defence personnel in the UAT (User Acceptance Testing) phase.
  • Technology: Use automated testing tools and frameworks for performance, security, and functionality testing.

Compliance and Certification:

  • Methodology: Get the platform audited by third-party agencies for security and compliance with military standards.
  • Technology: Employ continuous compliance monitoring tools.

By incorporating these methodologies and technologies, we can develop a robust and secure custom communication platform tailored to meet the unique needs of the Bangladesh Defence.

In conclusion, while commercial messaging apps do offer a certain level of security, the specialized and highly sensitive nature of defence operations requires a more customized and controlled solution. Given these risks and operational needs, it is usually in the best interest of defence organizations to invest in developing their own secure, robust, and feature-rich communication platform.