Less than two months from now, the Indian government proposes to screen all telecom gear imported into the country for bugs and malicious software before it is deployed in the country's telecom network.
If things go as planned, Indian software company Wipro will step in to help the government test and certify 12 "high-risk" telecom products in the first phase starting October 1, 2013. This will clearly have a major impact on the domestic and international telecom sector.
The dozen security-sensitive products are part of a longer list of 25 products, classified as high, medium, and low asset value based on the security implications they have for a network. The 12 products include mobile devices, SIM cards, 3G and 4G systems, network management systems, customer database servers, back-end infrastructure like MPLS, Internet telephony systems, and billing systems.
Industry players are worried about delays in network expansion if their telecom gear imports are declared "unsafe" by the proposed test lab. And even if they are ruled safe, there are concerns about delays. Both GSM and CDMA operators as well as smartphone makers are likely to be affected if every new feature, app, or design change is subjected to screening. Worse yet, there is an absence of an established global telecom standard for security testing of core network elements, mobile handsets, and SIMs.
Imports dominate India's telecom gear market with the import bill currently estimated at $10 billion and expected to total $150 billion in the next 10 years. The demand for telecom equipment in India constituted 6.2 percent of the global demand in 2012 through 2013. The government has therefore been introducing a slew of policy measures to reduce the telecom imports bill, including preferential market access for government procurement and indigenous manufacturing, as reported in E2 earlier.
Meanwhile, the global concern over malware embedded in imported telecom gear has also prompted the Indian National Security Council Secretariat (NSCS) to propose country-specific safety standards and certification for imports. Recent remarks by the former chief of the US Central Intelligence Agency, Michael Hayden, over alleged spying by Chinese telecom giant Huawei Technologies Co. Ltd. have stoked fears afresh. Similar allegations surround ZTE Corp., which has won an enterprise solutions contract from the Power Grid of India to provide fixed-network transmission services across the country.
Because of this, and despite protests over what the US Trade Representative (USTR) perceives as technical barriers to trade (TBT), India has opted for the UK system of testing imported gear domestically instead of falling back on the Common Criteria Recognition Arrangement (CCRA) clearance alone.
The CCRA is a global agency that defines common processes to evaluate security-sensitive IT products used in critical infrastructure networks in the telecom, power, aviation, and defense sectors. But the Department of Telecom, the Department of Electronics & IT (DeitY), and the National Technical Research Organization are working on fresh standards.
To confound matters further, the Indian policy makers have decided to extend the local sourcing norms to the private sector where companies are involved in security-sensitive projects. So while telecom operators are permitted to import telecom gear (subject to testing if it falls in the security-sensitive category) for their own expansion, they will have to source equipment from local telecom equipment manufacturers if they are involved in a project deemed security-sensitive.
That's a lot of hurdles. It is also a lot to pull together by October. Even if everything goes perfectly smoothly, telecoms have a massive set of new hurdles to overcome. Foreign companies need to work with the government to speed testing procedures. Domestic companies will need to expand their efforts to exploit the advantages they've been given. Between now and October, things will get very interesting.