Spies & shields: Telcos must get battle-ready soon

Given the rising tide of attacks on telecom and computer networks worldwide, India is taking no chances.

The government is set to tag customer databases, routing systems, customer relationship management systems, submarine cable line equipment, and satellite services tools as critical telecom infrastructure or CTI, two people aware of the plans said. This would subject them to greater disclosures and compel them to prepare better as nation states put their weight behind cyber warfare.

Read more: Backhaul spectrum clash: Telcos face off against tech giants over India’s internet backbone

“CTI was introduced under the Telecom Act, 2023, but what constitutes CTI is undefined. The government would first notify a few elements from the mobile services, satellites, submarine cable infrastructure, and internet services as CTI. A committee will review the same every six months based on the feedback,” one of the two officials said on the condition of anonymity.

Guards up

The goal of labelling CTI is to reduce risks of data leaks, improve response to cyber threats, and build greater trust in digital services. Once notified, telcos must declare their network architecture, details of vulnerability, threat or risk analysis and cyber crisis management plan. They will also have to share security audits and compliance reports under CTI Rules, 2024. Telcos must also keep records of where the equipment has come from, and share with the government when requested.

Queries emailed to the Department of Telecommunications (DoT) and the Cellular Operators Association of India (COAI), which represents private telecom operators, remained unanswered.

“It is critical to notify these elements to start compliance. Without a clear notification, entities will not be able to scope their risk assessments or allocate budgets for testing and certification,” said Harsh Walia, partner at Khaitan & Co. “Such regulatory clarity will prevent the need for multiple audits (and associated costs) and avoid any instance of inadvertent non‑compliance,” Walia said.

Read more: India’s satcom vs telecom fight just refuses to die

He added that there have been existing requirements such as network inspections, cybersecurity obligations, and equipment certification standards but those were implemented without a formally defined or statutorily recognized category of CTI.

Example

Mobile services (2G, 3G and 4G) have an element called Home Location Register (HLR), a database of subscribers like their phone number, location, and services. It will be part of CTI, the first official said. Telcos will have share its details with the government, the first official explained. In modern networks such as 5G, unified data management (UDM) manages subscriber records and will be notified CTI.

Similarly, in satellite services, the system and application of the Operations and Management Control (OMC) that keeps track of and controls the satellite network’s performance and health has been identified to be notified as CTI to ensure secure and reliable operations, the official said, domain name servers and corresponding IP addresses are also being tagged as CTI.

CERT-In twin

“A new security audit portal will be soon notified for telecom operators to declare key details of the notified CTI,” the second official said, adding that a Telecom Computer Security Incident Response Team (TCSIRT) framework will also be implemented for telecom cyber security incidence reporting and analysis.

Just like CERT-In (Indian Computer Emergency Response Team) is the national- cyber security agency under the ministry of electronics and IT (MeitY), TCSIRT deals with threats related to telecom networks, infrastructure, and service providers. The body was notified by the government in 2023.

“A space has been identified in National Communication Academy (NCA) Ghaziabad to set up TCSIRT. Hardware and tools will soon be procured for security incidence analysis and staff for the same will also be posted exclusively,” the second official added.

Pressing need

“There is a need to identify CTI, especially the programmable parts or software that can be controlled from other geographies. The same should be under control of Indian companies, and soon, there should be a plan to replace key critical equipment with the domestic ones,” said Rakesh Bhatnagar, director general of VoICE (Voice of Indian Commtech Enterprises), which counts local telecom companies such as Tejas Networks, HFCL and STL as members.

Read more: Push for faster WiFi for next gen gadgets faces spectrum interference concerns

In November 2024, DoT notified the Critical Telecommunication Infrastructure Rules, 2024 under the Telecom Act. As per the rules, each telecom entity should comply with the requirements relating to filing details about the CTI through the portal and designate a chief telecommunication security officer (CTSO) responsible for all security and related obligations. 

Compliance

The operators will also have to ensure that all CTI hardware and software undergo mandatory testing by the Telecommunication Engineering Centre, National Centre for Communication Security and submit the reports to the government.

Further, the government will also have to carry out periodic security audits, comply with incident response procedures and prepare detailed compliance reports, comply with government orders and provide access to authorized government personnel to inspect the hardware, software and data related to the CTI.

On the compliance burden on telecom operators, Walia of Khaitan & Co said, “the CTI Rules definitely enhance the compliance obligations and resultantly, increase compliance burden. This entails mapping complex infrastructure to determine what qualifies as CTI, which is especially challenging for pan‑India operators with thousands of cell‑sites and switching centres.”

Due to the certification requirements, there might be deployment delays and potential revenue impact for new services. Smaller service providers may struggle with the capital expenditure and operating expenditure impact due to the requirements stemming from the CTI Rules, he added.