This Dependency Didn’t Happen by Accident
The Engineering Phase Begins
The penetration of Chinese
surveillance and IoT hardware into India—and globally—was not just free-market
competition. It was engineered. And the engineering has entered a new phase.
China’s 2026–2028 IoT Action Plan
In mid-March 2026, nine central
Chinese ministries jointly released a new action plan for China’s IoT industry
covering 2026–2028. It builds on directives dating back to 2009, when Beijing
designated IoT as a “strategic emerging industry” and a “commanding heights”
driver of industrial competition.
From Gadgets to Cyber-Physical Control
This plan defines IoT not as
consumer tech, but as a total cyber-physical environment—aimed at “ubiquitous
intelligent connections among people, machines, and things,” linking the
digital and physical worlds.
Five Layers of Control
The industry is structured
across five layers:
- Sensing
(physical devices like cameras and sensors)
- Networks
(communications infrastructure)
- Platforms (software
aggregating, storing, processing data)
- Applications
(services built on top of everything)
- Security
(access, authentication, and trust frameworks)
Control the layers, and you
control what runs on them.
Standards as the Strategic Weapon
The most consequential element
is standards. The plan calls for improving the IoT standards system and mapping
the “core industrial chain.” Standards determine discovery, authentication,
data movement, and interoperability. If the country writing the rules also
controls the largest base of connected devices, the rest of the world must
comply.
Alignment With China’s 15th Five-Year Plan
Read alongside China’s 15th
Five-Year Plan (also released in March 2026), the vision becomes vertically
integrated: pooled computing power, satellite internet for coverage beyond
terrestrial networks, telecom modernization from 5G through 6G, and data systems
governing authentication and access.
A Vertically Integrated Stack
Together, the IoT action plan
and five-year plan imply a cyber-physical system where China supplies multiple
layers—from endpoints and platforms to compute, connectivity, and standards.
Dependency Becomes Interoperability
This is what much commentary
misses: it’s not merely cheap devices being sold. It is architecture being
defined—so that even “local replacements” may still operate within rules
written elsewhere.
Every Layer Deepens the Attack Surface
Each layer increases
interoperability, remote manageability, and embedding into city, factory,
power, and transport systems—expanding the surface area for attack even without
increasing the number of devices.
The “Secure and Controllable” Meaning
“Backdoors” as a Recognized Risk
Chinese security discussions
acknowledge that connected products can include backdoors enabling remote
control or covert data collection.
Control Over the System—not Just the Equipment
When leaders emphasize “secure
and controllable” digital infrastructure, “controllable” functions as
political-technical leverage: shaping who benefits, who can access systems, and
what happens when relationships turn adversarial.
How India Is Trying to Fix It
STQC: The Most Immediate Lever
While Delhi removes Hikvision
cameras, the policy framework enabling this shift has been building. The
clearest tool is STQC certification.
The Essential Requirements (April 2024)
In April 2024, the Ministry of
Electronics and Information Technology introduced Essential Requirements for
CCTV cameras and video surveillance systems. Internet-connected cameras sold or
imported in India must be tested and certified at accredited STQC labs before
entering the market. Manufacturers must declare the origin of critical
components—especially SoCs and firmware—and submit both hardware and software
for vulnerability testing.
Compliance Deadline: 1 April 2026
The industry had two years to
comply. That window closed on 1 April 2026.
Who Gets Denied Certification
STQC is significant not only for
testing—it also restricts access. As described in the text, Indian authorities
refused to certify products from Hikvision, Dahua, and TP-Link, and also
devices using Chinese-origin chipsets or firmware. Without STQC clearance,
those products cannot legally be sold.
Certification Numbers and Market Control
As of early 2026, 507
camera models had been certified. Indian brands reportedly control over 80%
of the domestic CCTV market. Companies like CP Plus, Sparsh, Prama, Matrix, and
Qubo have shifted supply chains toward Taiwanese chipsets and locally developed
firmware, while global players like Bosch and Honeywell focus on premium
segments.
Delhi’s Replacement Plan
Delhi’s PWD announced an initial
rollout of 50,000 cameras, replacing Chinese units with “secure and trusted
systems,” using a phased approach to avoid disrupting live surveillance
coverage.
But the Problem Is National
Delhi is the beginning.
Hikvision and Dahua hardware remains embedded across metro systems and central
government buildings, and eventually each installation would need similar
treatment.
Can CP Plus Rebuild Its Independence?
CP Plus’ Three Moves
With Dahua distribution
effectively ended, CP Plus is investing in three areas:
- Developing
indigenous Indian-IP SoCs via collaboration with L&T Semiconductor
Technologies
- Working
with VVDN Technologies for embedded systems and IoT device
design/manufacturing
- Establishing
an R&D center in Noida (with 86 engineers as of March 2025)
The Speed Challenge
The direction is correct, but
the pace is the question. Designing production-grade vision-processing SoCs
that compete with a decade of refinement is a multi-year effort—measured in
years, not quarters.
India’s Security Layers Beyond CCTV
Telecom: Trusted Vendors and Managed Risk
India blocked Huawei and ZTE
from 5G and new telecom infrastructure contracts years ago through security
directives beginning December 2020 and tightening over time. The framework
requires operators to procure equipment only from “trusted sources” approved by
the National Cyber Security Coordinator. Huawei and ZTE were excluded from 5G
trials in 2021.
Telecom Act 2023 and Tightening Enforcement
The Telecommunications Act 2023
replaced the Indian Telegraph Act 1885 and established a modern telecom
security framework. Since then, oversight has expanded: formal cybersecurity
policies, always-on monitoring, and appointment of senior security officers.
Time-Bound Breach Reporting
Breach reporting has become more
time-bound, aligning with CERT-In’s six-hour disclosure expectations. The
government also reserves audit and intervention rights when vulnerabilities are
discovered.
IoT Certification Schemes and Code of Practice
For consumer IoT devices more
broadly, India introduced the Code of Practice for Securing Consumer IoT
Devices and the IoT System Certification Scheme under ITSAR. These may not yet
match STQC’s enforcement readiness, but they extend security-by-design and
certification direction beyond CCTV.
Patchwork Instead of One Big Law
Rather than a single sweeping
law like the EU’s Cyber Resilience Act, India is assembling a layered
patchwork—trusted telecom vendors, national security directives, STQC for
surveillance devices, telecom cyber rules for detection and response, and IoT
certification schemes for a wider set of connected products.
The Contest Still Isn’t Finished
STQC Fixes Endpoints, Not the Stack
STQC addresses endpoints
(cameras and terminals) but not the deeper layers underneath.
What China Covers—and India Still Doesn’t
Beijing’s model covers sensing,
networks, platforms, applications, security, and standards. India is contesting
sensing and beginning guardrails on networks, but the platform and standards
layers remain largely open.
Replacing Devices May Not Replace the Rules
If standards and protocols
remain defined elsewhere, swapping a camera or base station won’t fully fix the
underlying dependency—because systems will still operate within externally set
interoperability rules.
Still, Every Replacement Creates Leverage
Even incomplete progress
matters. Each removal forces integrators to compete with non-Chinese
components, builds a procurement pipeline, and creates market momentum toward
alternatives.
The Risk of Declaring “Finish Line” Too Soon
Replacing a camera brand isn’t
the same as replacing the architecture it was designed to plug into. The
ceiling camera was a symptom. The disease is dependency on an ecosystem built
to keep that dependency invisible until it is too late.
India Has Begun the Surgery
The question is whether the
surgery will go deep enough to reach the architecture—not just the hardware.
