
The Department of Telecommunications (DoT) has announced more stringent security norms for governing the telecom equipment sector. Under the new framework, the responsibility of security maintenance would lie with the telecom operator. In case of a breach, the operator could be subject to criminal proceedings and a penalty of up to Rs 500 million. A five-member group will be set up by DoT to decide on the cases.
According to the earlier clause, penalties that are equivalent to 100 per cent of the contract value could be imposed on vendors if any spyware or malware was found in the imported equipment. Doing away with this, DoT notes that hereafter, "The telecom licensee shall be completely and totally responsible for the security of its networks."
In addition, mobile companies have been asked to keep call and data records for 12 months and provide DoT access to all such details. They will also have to inform the department of any updates or changes in equipment within 15 days.
According to DoT, "Telecom operators will have to create their own policy on the security organisation and management of their networks. They will have to submit their policy to the licensor by end-June."
To keep DoT in the loop, telecom companies will have to create monitoring facilities by mid-2012 and inform DoT about the same.
Further, telecom operators have to furnish the location details of their users. This would entail operators installing a system to track all mobile phone users in their service area. The details have to be part of the call data records in the form of longitude and latitude. According to a DoT internal note, in urban areas, users need to be tracked within a 50-metre radius of their location, with an accuracy of 30 per cent. For semi-urban and rural areas, the user must be tracked within a 100-300-metre radius with 60-80 per cent accuracy.
Changing some of the licensing rules for the import and use of telecom equipment in India, DoT has stated that operators can import equipment certified by Indian or international agencies till March 31, 2013. Thereafter, it will have to be certified by Indian labs only.
The most contentious clause, which mandated that foreign equipment companies put their software, source codes in the equivalent of a "sealed envelope" and submit it to the government, has been done away with.
The new set of rules also dilutes the earlier system that mandated vendors to employ only Indian engineers for maintaining the networks of local mobile phone companies. The fresh norms state that only top personnel in vendor firms need to be Indians. The names of these individuals would have to be cleared by DoT and the Ministry of Home Affairs prior to their appointment.
The changed policy also directs that mobile phone companies appoint Indians in the positions of chief technical officer, chief information security officer or as nodal executives for handling monitoring and interception functions across networks.
The government has been concerned about the adverse security implications with regard to the presence of malicious software in foreign equipment. In fact, telecom equipment imports from China had been banned for several months last year. In July 2010, new rules were drafted after some Indian mobile operators complained that their expansion plans were being hit. Currently, India has two separate policy guidelines for import of telecom equipment. Chinese vendors such as Huawei and ZTE follow the July 2010 guidelines while equipment manufacturers such as Ericsson, Nokia Siemens Networks and Alcatel-Lucent have the option of following the policy issued in late 2009, after they refused to operate under the stringent July 2010 rules. To resolve the ambiguity arising from the two differing policies, the Prime Minister's Office asked DoT to bring out a new policy.
The industry's reaction to the fresh policy has been mixed. Expecting a substantial cost increase on account of the new rules, telecom operators are asking for assistance from the government in putting up monitoring and location-based systems. Both the primary telecom industry associations, the Cellular Operators' Association of India and the Association of Unified Telecom Service Providers of India, have asked the government to share the burden of extra costs for setting up such security systems that could go up to Rs 5 billion in some cases.