The Indian government has issued new guidelines with immediate effect allowing the import of network equipment from foreign telecoms vendors. Procurement had been barred since early 2010, with several interim proposals mooted. This uncertainty in the run-up to 3G rollouts has affected the plans of mobile operators and sent equipment vendors scrambling to avoid a potential ban. The new guidelines require all source code and designs to be shared with and monitored by Indian security agencies and put the onus for compliance squarely on the mobile operators, with stiff penalties for non-compliance.
The guidelines are meant to resolve security debate but will be contentious
The new guidelines are designed to resolve the security debate and give clarity to stakeholders. Key aspects of the ruling are that all equipment vendors are now required to share source code and designs with security agencies; all operators are now responsible for network security and must submit organizational plans to the government; third-party audit and certification is to be done for an initial list of core equipment; operation and maintenance work is to be done only by Indian engineers within two years; and operators are to create a telecoms security forum, install test labs in their own premises, and upgrade all equipment to be able to pinpoint subscribers' existing positions to within 50 meters.
The Department of Telecommunications has also mandated that all equipment vendors allow thorough inspection of hardware, software, and facilities at the time of procurement and periodically thereafter. Most contentiously, any security breach is now the sole responsibility of the operator, which is liable for penalties of $10 million per purchase order and 100% of the service contract value.
The onus for maintaining security is now squarely on the mobile operator
For Indian mobile operators and equipment vendors, enhanced security due to this set of new guidelines will increase the cost of doing business in India. Operators will now have to incur significant costs to create a security apparatus, install the required testing facilities, and hire trained Indian engineers. Moreover, they will have to spend significant amounts upgrading networks to meet the new location standard.
The stiff penalties proposed by the new guidelines will lead to contentious negotiations during procurement, as operators will seek to insure themselves against security breaches by asking vendors to shoulder the costs or rapidly comply with the new guidelines. Previous proposals by the government would have imposed penalties on the vendors, but this is potentially tricky due to jurisdiction issues. Foreign vendors will be reluctant to share source code and designs, but they must now comply with all new guidelines or risk being blacklisted by the Indian government. This would effectively exclude them from any business in India. Foreign vendors must also ensure that the increasing number of networks they are managing for local operators are maintained by Indian engineers, which will involve significant investment in training and facilities.