ThePrint’s op-ed by ex-IAS officer K.B.S. Sidhu (@kbssidhu1961) tries to mock India’s Swadeshi tech movement by comparing Zoho to Signal and calling the government’s digital-sovereignty push naïve. The facts tell a different story — one of misplaced comparisons, Western bias, and total ignorance of how cyber-sovereignty actually works.
🧭 Introduction
On 8 October 2025, ThePrint ran an opinion titled “Zoho is No Signal: India’s Swadeshi Security Mirage”.
Its author, K.B.S. Sidhu, a retired bureaucrat turned columnist, portrays India’s move toward domestic platforms as a dangerous delusion.
But here’s the problem: his argument collapses under its own contradictions. He mixes up products, cherry-picks data, and conveniently forgets the West’s own record of digital overreach. Let’s dismantle it — line by line, fact by fact.
⚙️ 1 – A Headline Built on a False Premise
Comparing Zoho Workplace (a cloud-based office suite) to Signal (an encrypted messenger) is like comparing a train to a telegram. Different tools, different risk surfaces, different purposes.
Calling one “not the other” is not insight — it’s confusion packaged as critique.
🧾 2 – Yes, the Ministry Adopted Zoho — and for Good Reason
The Ministry of Education officially switched to Zoho Office Suite integrated with NIC Mail on 3 October 2025, confirmed by Reuters, Times of India, and The Register.
This wasn’t cronyism; it was part of India’s long-planned open-source & data-localization policy.
Sidhu spins this as blind nationalism. The truth? It’s called strategic de-risking — the same playbook Europe itself now calls digital sovereignty.
🧨 3 – The “Zoho is Unsafe” Line — Technically True, Factually Misleading
Yes, Zoho ManageEngine had several CVEs (CVE-2021-40539, CVE-2022-47966, CVE-2025-9428).
Yes, one was linked to the ICRC breach.
But here’s what Sidhu doesn’t tell you:
- Those were on-prem enterprise IT tools, not the Zoho Workplace cloud the Indian government adopted.
- All vulnerabilities were patched within days — with public disclosure and advisories from CISA.
- Meanwhile, Microsoft’s own graveyard of CVEs — from ProxyLogon to PrintNightmare — cost the world billions in ransomware fallout.
If security lapses are disqualifying, every Western cloud vendor would already be disqualified.
🧱 4 – NIC Reliability — One Outage ≠ Systemic Failure
Sidhu calls NIC unreliable.
Yes, NIC had a four-hour outage on 31 December 2024.
But afterward it built dual-site redundancy and 24×7 monitoring.
Compare that to Microsoft Azure’s global meltdown of 2023, which took down half the internet for hours — yet nobody called Azure “unreliable.”
Perspective matters.
🔐 5 – Signal as the Gold Standard? Check the Fine Print
Sidhu romanticizes Signal as if it’s beyond reproach.
Reality check:
- Signal’s metadata protection is good, but not magical. Law-enforcement subpoenas have already yielded IP logs and timestamps in multiple jurisdictions.
- Signal servers are hosted abroad; their governance is still Western-centric.
- Some European regulators have flagged its closed governance model as a single point of geopolitical risk.
And no, Signal isn’t certified for classified or official government communications anywhere. India has Sandes/GIMS for that — built and hosted by NIC under national law.
Signal is fine for activists. Not for national administration.
🧭 6 – The Part He Didn’t Dare Mention: Nayara vs Microsoft
In July 2025, Microsoft abruptly suspended cloud services to Nayara Energy, citing EU sanctions — even though Indian law required no such action.
The company went dark until it filed a case in Delhi High Court, forcing Microsoft to restore service.
That’s the textbook example of jurisdictional vulnerability — when foreign cloud providers can pull the plug on sovereign entities overnight.
Sidhu ignores this because it blows a hole clean through his argument.
If dependency on external clouds can kneecap critical Indian infrastructure, then Swadeshi cloud = national security — not the other way around.
⚖️ 7 – The Bias and the Blind Spot
Sidhu’s op-ed reeks of Western gatekeeping:
- He parrots the “local is unsafe” trope while ignoring Western surveillance programs (PRISM, XKeyscore).
- He calls Zoho a risk but treats foreign clouds with diplomatic immunity.
- He quotes security CVEs like gospel but never mentions the NSA’s own exploit stockpiles leaked by Shadow Brokers.
It’s the same tired playbook — dress Western dependence as “maturity” and local innovation as “risk.”
That isn’t journalism. It’s intellectual outsourcing.
🧰 8 – Facts vs Fiction Table
| Sidhu’s Claim | Verified Reality |
|---|---|
| “Zoho products are regularly hacked.” | ManageEngine (on-prem) was exploited once; Zoho Workplace not affected. Patches issued within days. |
| “NIC is unreliable.” | One 4-hour incident in Dec 2024; >99.93% uptime since then. |
| “Signal is the secure choice for government.” | Signal is consumer-grade; India’s Sandes uses govt-audited E2EE and local hosting. |
| “Swadeshi tech is a mirage.” | EU, France, and Germany are building their own “sovereign clouds.” India is just catching up. |
| “Foreign vendors are trustworthy.” | Nayara Energy proved otherwise — services can vanish overnight on foreign policy whim. |
💣 9 – Security Isn’t About Accent or Passport
Cybersecurity is a process, not a nationality test.
Every serious product — American, Indian, or European — has CVEs.
What separates resilience from risk is how fast you patch, how transparently you report, and who holds the kill switch.
Right now, that kill switch sits in California and Dublin — not Delhi.
That’s the real security problem.
🛠️ 10 – What India Should Do (Constructive Steps)
- Publish independent CERT-In audits for every government app.
- Mandate patch SLA compliance & incident disclosure for NIC and vendors.
- Separate messaging vs productivity risk models — no more apples-to-airplanes comparisons.
- Diversify jurisdictional risk: multi-cloud, data escrow, and exit clauses under Indian law.
- Fund domestic security research so “Make in India” also means “Audit in India.”
🌐 11 – Finally
Sidhu’s piece is less a critique and more a confession — a relic of the era when bureaucrats believed security came stamped with a Western logo.
But 2025 is different.
India has engineers who build, deploy, and defend at scale.
Zoho is one of them.
The real mirage isn’t Swadeshi security — it’s the illusion that outsourcing your digital backbone to Seattle somehow makes you safe.
📚 Sources
- Reuters (3 Oct 2025): Indian ministers push domestic alternatives to Google and Microsoft
- The Register (24 Sep 2025): IT Minister switches to Zoho in Swadeshi push
- CISA Advisories for CVE-2021-40539, CVE-2022-47966
- DatacenterDynamics (Jul 2025): Microsoft cuts off cloud services to Nayara Energy
- Delhi High Court Order (Sept 2025): Nayara Energy v. Microsoft India Pvt Ltd
- CERT-In Vulnerability Notes 2021–2025
- Times of India (Oct 2025): Zoho sees strong uptake from govt and PSUs
🏁 Closing Line
Dear @kbssidhu1961 — next time you want to lecture India on “security,” start by reading your own sources.
Facts aren’t a foreign commodity.
Sovereignty is security — and this time, India isn’t outsourcing either.