At a meeting with the National Security Council Secretariat (NSCS) officials on Tuesday, domestic telecom gear manufacturers pointed out that the current regime offers only one-time certification and a limited sampling of equipment to be procured, with no ongoing or dynamic audit mechanism to verify and ensure that certified equipment remains secure once deployed, the people cited earlier said on the condition of anonymity. The meeting was attended by representatives from the telecom operators, the Cellular Operators Association of India (COAI), and officials from the department of telecommunications (DoT), among other stakeholders.
The National Security Council Secretariat is a specialized unit under the direct charge of the National Security Adviser in the Prime Minister’s Office.
India’s trusted source certification framework for telecom equipment requires telecom service providers to purchase and deploy trusted gear from trusted sources only in the interest of national security. Simply put, telecom equipment requires mandatory testing and certification before being imported, sold or used in India. This ensures the gear meets national and international standards for safety, radio frequency emissions, network performance and national security. After sample clearance, a trusted source certification is issued to the vendors, who then procure supplies for telecom operators and others to be used for network rollouts and installed in consumer premises.
Recently, the government received complaints that chips from non-trusted sources were procured by vendors with trusted source certification and supplied to telecom operators, one of the officials cited earlier said, adding that any direction on the matter will come in after the probe is finalised.
“Some of the concerns came with regard to the current trusted source framework. The same is under investigation,” a second official said, adding that there is indeed a need to strengthen the testing and certification infrastructure of the country.
Queries emailed to NSCS and telecom industry body COAI remained unanswered till press time.
The probe is being carried out by the National Cyber Security Coordinator (NCSC) office, which works under the National Security Council Secretariat (NSCS), and coordinates with other national agencies on cybersecurity and approves trusted sources. NSCS advises the Prime Minister’s Office on matters of national security and strategic interest.
Telecom operators outsource procurement of equipment to vendors approved as trusted companies. These vendors procure the chips and other equipment from other countries before supplying them to mobile services providers.
“Presently, there is no mechanism to check whether the equipment or chips supplied by vendors with trusted source certification are really from trusted sources or not. There have been instances where some of the vendors replace the chips with Chinese ones for cost-cutting after getting their samples approved from the government,” said Rakesh Bhatnagar, director general of Voice of Indian Commtech Enterprises, an organization representing domestic telecom equipment makers such as HFCL Ltd, STL Ltd, VVDN and Tejas Networks.
According to Bhatnagar, NCSC should do regular audits of the supplies procured by vendors and ask for evidence to ensure the country’s security.
During the meeting, telecom operators raised some administrative issues, too, with the trusted source certification process. The operators, however, urged the officials to do away with the practice of testing equipment and systems for any update or renewal.
“Once a piece of equipment has already been certified as trusted, we shouldn’t have to go through the entire testing process again for every small update or renewal. It causes delays and adds unnecessary paperwork,” an industry executive who consults telecom operators said on the condition of anonymity.
In March 2021, the DoT amended the Unified Access Service licence to prevent telecom operators from obtaining equipment from untrusted vendors. The NCSC was authorized to approve trusted sources and companies that can supply equipment. Under the Telecom Act 2023, the government can issue directions to procure telecommunication equipment and services only from trusted sources.
While India has not explicitly barred Chinese equipment makers such as Huawei and ZTE, it has instituted measures that effectively exclude them from the country’s crucial telecom infrastructure and 5G service deployment on national security concerns. Countries such as the US, Australia, Canada, the UK, and New Zealand, among others, have restricted or banned Huawei and ZTE owing to national security concerns related to potential espionage.
Governments fear that Chinese technology companies, which are subject to Beijing’s national intelligence laws, could be forced to cooperate with the Chinese government by providing access to sensitive data or infrastructure.
“India has taken strong steps in securing its telecom backbone, but as global threats increase, we believe that policy must move from static certification to dynamic enforcement. Trusted status must not be a one-time activity but a continuous compliance requirement,” said Paritosh Prajapati, chief executive officer of Sweden-based GX Group, which is also a beneficiary of India’s productivity-linked incentives (PLI) scheme for the telecom sector.
According to Prajapati, there remains a gap between policy and enforcement on the ground as there is limited or no systemic review post-certification to verify if the equipment being deployed continues to conform with the “trusted source”.
“Once certification is granted, there’s no assurance that subsequent batches or components have been altered or swapped intentionally or otherwise,” he said, adding that post-deployment audits should be mandated at the operator level.
On 8 July, Mint reported that the government is set to tag customer databases, routing systems, customer relationship management systems, submarine cable line equipment, and satellite services tools as critical telecom infrastructure or CTI.
The goal of labelling CTI is to reduce risks of data leaks, improve response to cyber threats, and build greater trust in digital services. Once notified, telcos must declare their network architecture, details of vulnerability, threat or risk analysis and cyber crisis management plan. They will also have to share security audits and compliance reports under CTI Rules, 2024. Telcos must also keep records of where the equipment has come from and share them with the government when requested.