DoT Imposed Managed by Indians Norm to Increase Mobile Infrastructure Security

The Department of Telecommunications in March 2011 imposed a Managed by Indians norm to escalate security in mobile infrastructure after a Made in India policy to ban outsourcing contracts to foreign vendors met strong opposition. The DoT order specified that service providers can only employ resident trained Indian nationals as chief technical officers, chief information security officer, nodal executives for handling interception and monitoring cases and in charge of gateway mobile switching centre, mobile switching centre, softswitch, central database as well as system administrators.

The amendments to the Unified Access Service Licence Agreement provide the dos and don’ts for the service provider in inducting network elements. The service providers will be fined Rs 50 crore in case of security breach is caused due to an inadvertent inadequacy in precaution on the part of the licensee.

For acts of intentional omissions, deliberate vulnerability left into the equipment or in case of deliberate attempt for a security breach, the penalty on the licensee would be Rs 50 crore per breach.

In 2010 the proposed penalty for breach of security was 100 percent of the contract value. In 2011 it was decided that criminal proceedings would be initiated against the vendor and the licensee under Indian Penal Code and Criminal Procedure Code.

Licence can also be cancelled for vendor or supplier who supplied the hardware/software that caused the breach could be blacklisted for doing business in the country. All licensees would have to include blacklisting discretion clause when signing agreement with vendors or suppliers.

The DoT guidelines on the security in mobile infrastructure also include:

•    Licensee will be responsible for security including network forensics and network penetration tests.
•    Licensee can induct only that telecom equipment that is tested as per relevant and contemporary Indian or International security standards.
•    Indian agencies and labs would be responsible for all equipment certification beginning April 2013.
•    Records of O&M procedure, O&M logs for a year, software updating and supply chain of products must be kept.
•    Licensee must inspect equipment, manufacturing facility and supply chain of vendors.
•    Licensee must also install advanced tracking devices on every cell tower within a year to pinpoint the location of specified mobile numbers to a specified accuracy.
•    All licensees will have to expand the location pinpoint for all mobile calls within 3 years.

The DoT would also constitute a 7-member committee, including two cyber security experts, which would decide the penalty and the punishment.

The Prime Minister’s Office had suggested that security concerns on telecom equipment and management will be better addressed if service providers were barred from outsourcing key functions to foreign vendors with operations and maintenance contracts awarded only to Indian firms.