New Security Framework unveiled by the Telecom Department

The telecom department unveiled a new security framework on 31 May 2011. The new security framework did away with many controversial clauses such as mandating foreign equipment makers to put their software in the equivalent of a sealed envelope and submitting it to the government.

The new framework dropped another controversial clause that stipulates penalties of 100% of the contract value on vendors if any spyware or malware is found in the imported equipment. The framework instead laid down that any security breach will invite a maximum penalty of Rs 50 crore in addition to criminal proceedings against the mobile phone company.

The new policy also diluted the earlier rule that mandated vendors to employ only Indian engineers to maintain the networks of local mobile phone companies. The fresh norms mentioned that only top personnel with vendors need to be Indians. The names of these individuals will have to be cleared by the telecom and home ministries prior to their appointment. This measure is in line with the rules for mobile phone companies where top executives are required to be resident Indians.

The changed policy mandated that mobile phone companies must only appoint Indians as chief technical officer, chief information security officer or as nodal executives for handling monitoring and interception functions across mobile networks.

Currently, India has two separate policy guidelines for import of telecom gear. Chinese vendors such as Huawei and ZTE follow the July 2010 guidelines while Western gearmakers such as Ericsson, Nokia Siemens and Alcatel-Lucent were given the option of following the policy issued in late 2009, after they refused to operate in India under the July rules. The Prime Minister’s Office (PMO) had in August 2010 asked the communication and home ministries to review the strict security standards unveiled during the previous month (July).

The new security norms intend to bring all these vendors under a common security framework. It mandated mobile phone companies to get their networks audited once a year by reputed international agencies for bugs and other security breaches.

The new rules also mandated telcos to install within 12 months, advanced tracking devices on every cell tower in the country to pinpoint the location of a minimum 30% of their customers within 50 meters of accuracy and 80% of their customers within 300 meters of accuracy. In the second year, the telecom companies will have to further enhance this facility to ensure that 50% of the customers can be tracked within 50 meters of accuracy and 95% within 300 meters. This facility is similar to that of Enhanced 911, or E911, in the US.

Mobile phone companies are likely to oppose this, citing huge capital expenditure. The Cellular Operators Association of India, the body that represents all GSM-based telcos highlighted that the total cost of installing these will be about $5 billion. All operators will have to install advanced tracking devices on every cell tower, each of which costs up to $13,000 according to the COAI. The Association of Unified Service Providers of India (AUSPI), the body that represents dual tech and CDMA telcos wants the government to share the costs for installing the facility.

Highlights of new security framework introduced by the telecom department are as follows:

•    Clauses such as mandating foreign equipment makers to put their software in the equivalent of a sealed envelope dropped.
•    Controversial clause that stipulates penalties of 100% of the contract value on vendors if any spyware or malware is found in the imported equipment dropped.
•    Rule that mandated vendors to employ only Indian engineers to maintain the networks of local mobile phone companies diluted.
•    Only top personnel with vendors need to be Indians.
•    New rules also mandated telcos to install within 12 months, advanced tracking devices on every cell tower in the country.