In a landmark decision, the Cabinet Committee on Security has taken steps to strengthen the security of telecom networks in India.¹ Henceforth, it will be mandatory for the telecom network providers to use only ‘trusted products’ from“trusted sources” only. The criteria for defining a trusted product or a trusted source will be developed soon.

With the emergence of new technologies and the expansion of digital networks, cybersecurity challenges are becoming more complex. Cyberattacks involving ransom ware, data and identity theft are growing exponentially. They pose a serious threat to national security. According to government figures, India is the third most attacked country in the world. It lost nearly Rs 1.24 lakh crores or about $15 billion in cybercrime alone during 2018-19. That is a staggering amount, constituting about half a percent of the GDP! The government has also revealed that Indian networks experienced 700,000 cyber attacks during 2019-20.

The new two-tier institutional structure approved by the Cabinet comprises of a “Digital Authority” to be headed by the National Cybersecurity Coordinator in the National Security Council Secretariat. The Deputy National Security Adviser (Dy NSA) will head a National Security Committee on Telecom (NSCT) to advise and supervise the Designated Authority. NSCT will have officials as well as independent experts as itsmembers. The government hopes that the new structure will address 5G and supply chain security concerns. According to the official press release, a list of ‘trusted sources/trusted products’ will be prepared for the guidance of telecom service providers. Certain criteria will be notified. Indian manufacturers who meet these criteria will be given Preferential Market Access to Indian telecom networks. This will encourage indigenous production of reliable cybersecurity products.

Indian telecom networks are already using products and components whose reliability from the cybersecurity point of view is questionable. The telecom service providers will not be required to replace the existing products nor change their annual maintenance contracts. The directive applies to future products only. Thus, some vulnerabilities will remain.

The National Security Directive assumes importance in the context of the recent controversy about Chinese telecom giant Huawei, a world leader in 5G telecommunication equipment. Huawei has been banned in several countries on national security concerns. Many Indian networks use Huawei products. The government has clarified that the New Security Directive is not directed at any specific nation. The clarification is important. It remains to be seen whether the government classifies Huawei as a ‘trusted’ source or not.

The National Security Council Secretariat needs to be complimented for this pathbreaking initiative to strengthen telecom security. This is the first time that a Cabinet decision is being described as a “National Security Directive”. National security directives are common in the US. The use of the term National Security Directive for a Cabinet decision is new in India. This shows that the National Security Council Secretariat is beginning to acquire the authority that it deserves. Hopefully, there will be more national security directives in the future.

However well-meaning maybe the directive, its implementation will be the key. Presently, India lacks adequate technological infrastructure to test new products and technologies for cybersecurity vulnerabilities. Not enough investment has been made in setting up the testing labs and facilities. Testing is a highly complex and technical effort. Hopefully, the directive will spur greater government and private sector investment in the new testing infrastructure. The government should ensure that there is transparency in the criteria being used for designating certain products and the sources as trusted. In the United Kingdom, the National Cyber Security Centre certifies cybersecurity products, skills and training for use by the companies. A similar certification system might evolve in India in due course.

The cybersecurity policy of 2013 had envisaged the establishment of a robust testing infrastructure in the country but not much has been done so far. There was also the provision for adopting a ‘common criteria’ system whereby products tested in the laboratories and institutions of other countries with whom India has an agreement could also be adopted in India. The common criteria system would need to be strengthened.

The private sector and the government sector should come together to create standards, protocols and testing facilities for classifying products as ‘trusted’. One should hope that the setting up of a designated authority will give a boost to the further development of reliable indigenous cybersecurity products and technologies. The new cybersecurity policy which the NSCS is spearheading will hopefully provide sufficient incentives to boost to the growth of an indigenous cybersecurity industry.

References

1. National Security Directive on Telecommunication Sector
   https://www.livemint.com/news/india/govt-announces-national-security-directive-on-telecom-sector-for-secure-networks-11608121644450.html
1. Considering the security concerns and for the protection of India’s essential national security interests, the Cabinet has for the first time approved a framework by issuing the National Security Directive on Telecom Sector. This will provide a significant boost in ensuring our national security by addressing 5G and supply chain concerns.
2. Guidance for the manner in which the ‘Enhanced Supervision’ and ‘Effective Control’ could be maintained by TSPs will be issued by Designated Authority at regular intervals. The Department of Telecom will suitably modify its guidelines and ensure monitoring of compliance by Telecom Service Providers.
3. The Designated Authority will put in place a portal for easy upload of applications by TSPs and equipment vendors. It will improve ease of doing business through a providing a predictable assessment methodology to TSPs and equipment vendors.
4. The Department of Telecom will make appropriate modifications in the license conditions for the implementation of the provisions of the Directive. The policy will come into operation after 180 days from the date of approval.

(The paper is the author’s individual scholastic articulation. The author certifies that the article/paper is original in content, unpublished and it has not been submitted for publication/web upload elsewhere, and that the facts and figures quoted are duly referenced, as needed, and are believed to be correct). (The paper does not necessarily represent the organisational stance... More >>