India approves game-changing framework against cyber threats

New Delhi: In a significant decision, India on Wednesday introduced its first and biggest framework to protect itself from cyber attacks, data theft and other virtual vulnerabilities threatening its national security.

The Union cabinet has approved the ‘National Security Directive on Telecom Sector’ in view of the alarming magnitude of cyber threats to India, official sources said.

The IANS, in an exclusive report, had recently put spotlight on India’s vulnerabilities in the cyberspace.

India is amongst the top three countries in the world with highest number of cyber-attacks. In 2019, India faced around four lakh cyber attacks as monitored by the Indian Computer Emergency Response Team (CERT-In).

The Ministry of Electronics and Information Technology (MeitY) recently told the Parliament that till August 2020, Indian citizens, government and business entities faced around seven lakh cyber attacks.

As per their estimates, Rs.1.24 lakh crore was lost due to cyber crimes in India during the last year. Recent ransomware attacks, as well as data and identity thefts, have been a serious cause for concern for India’s national security.

The cyber attacks are generally perpetrated through interconnected networks and devices. They are also committed through compromised hardware and software components of telecom networks, officials pointed out.

The office of National Security Advisor Ajit Doval, sources said, noted that with the increasing use of Internet of Things (IoT) devices, the risk will continue to increase manifold and the advent of 5G technology will further increase the security concerns resulting from telecom networks.

Maintaining the integrity of the supply chain, including electronic components, is also necessary for ensuring security against malware infections.

Telecom is also the critical underlying infrastructure for all other sectoral information infrastructure of the country such as power, banking and finance, transport, governance and the strategic sector.

Security breaches resulting in compromise of confidentiality and integrity of information or in disruption of the infrastructure can have disastrous consequences.

Sources said that in view of these issues, the NSA office had recommended a framework — ‘National Security Directive on Telecom Sector’, which will address 5G and supply chain concerns.

Under the provisions of the directive, in order to maintain the integrity of the supply chain security and in order to discourage insecure equipment in the network, government will declare a list of ‘Trusted Sources/Trusted Products’ for the benefit of the Telecom Service Providers (TSPs).

The list of equipment to be covered under this directive and the methodology to designate ‘Trusted Products’ will be devised by the designated authority who is the National Cyber Security Coordinator (NCSC). TSPs are required to connect new devices which are designated ‘Trusted Products’, as per the directive.

The designated authority will make its determination based on approval of a committee headed by the Deputy NSA, official sources said.

The committee will consist of members from relevant departments/ministries and will also have two members from the industry and an independent expert. The committee will be called National Security Committee on Telecom (NSCT), sources said.

Similarly, a list of ‘Designated Sources’ from whom no procurement can be done may also be created, sources said.

The present directive is not directed at any nation but will ensure that only trusted products are procured by the TSPs.

The directive does not envisage mandatory replacement of the existing equipment already inducted in the networks of the TSPs, sources said.

The directive will also not affect the ongoing annual maintenance contracts (AMCs) or updates to existing equipment already inducted in the network as on date of effect of the directive.

From among the sources declared as ‘Trusted Sources’ by the designated authority, those which meet the criteria of the Department of Telecom’s Preferential Market Access Scheme will be certified as ‘Indian Trusted Sources’.

The National Security Committee on Telecom will take measures to increase the use of equipment from such ‘Trusted Sources’ in the domestic telecom networks.

This will fulfil the desired incentives of the ‘Aatmanirbhar Bharat’ mission, officials said.

Guidance for the manner in which the ‘Enhanced Supervision’ and ‘Effective Control’ could be maintained by TSPs will be issued by the designated authority at regular intervals.

The Department of Telecom will suitably modify its guidelines and ensure monitoring of compliance by the TSPs.

Sources said the designated authority will put in place a portal for easy upload of applications by TSPs and equipment vendors.

It will improve ease of doing business by providing a predictable assessment methodology to the TSPs and the equipment vendors.

The Department of Telecom will make appropriate modifications in the licence conditions for the implementation of the provisions of the directive. The policy will come into operation after 180 days from the date of approval.