India Issues New Security Rules for Phone Operators

India has relaxed some of its security rules for telecommunications operators and equipment suppliers, after earlier rules that required equipment makers to deposit software source code with the government came in for criticism.

The new rules released late Tuesday make operators totally responsible for the security of their networks. They can however face prosecution and a fine of up to 500 million Indian rupees (US$11 million) if there is a security intrusion because the operator did not take adequate precautions.

The rules also require that operators get their networks audited and certified by authorized agencies once a year. Equipment introduced into the network will have to be certified to national and international security standards. From April, 2013 the certifications will have to be done entirely by Indian labs.

Concerned about possible security intrusions into the country’s telecommunications networks through malicious software in equipment, the Indian government said in December, 2009 that operators would have to get a security clearance from the DOT for equipment and software they intended to procure from foreign vendors.

Chinese equipment vendors like Huawei Technologies found that their orders were blocked. Although there wasn’t an official ban on Chinese vendors, security clearances from the country’s home ministry were held up from February to July last year, affecting rollouts by a number of operators.

India and China fought a war in 1962, and still have a border dispute. But Chinese equipment makers are popular with some mobile operators, because their equipment tends to be priced low.

The Indian government then introduced new rules that among other things required equipment makers to give the government access to source code and engineering designs for the equipment. While some makers like Huawei indicated that they would follow the rules, rather than lose business in India, other companies like Ericsson said that “some of the clauses (in the rules) are unprecedented”.

India’s Prime Minister Manmohan Singh asked the DOT to review the rules last year.

“The new rules are certainly a dramatic change from the time when the government was demanding source code from equipment makers,” an executive at a European equipment supplier said on Wednesday on condition of anonymity.

A Huawei spokesman said the company has to study the new rules before it can comment.

The new rules also require operators to employ only Indians in technical and network monitoring positions such as chief technical officers, chief information and security officers, and other executives in charge of network operations.

John Ribeiro covers outsourcing and general technology breaking news from India for The IDG News Service. Follow John on Twitter at @Johnribeiro. John’s e-mail address is john_ribeiro@idg.com