Plugging the Gaps: Policy measures to ensure telecom security
The growth of communication and networking systems in a country leads to increasing telecom security concerns. The governments of several countries have raised concerns with regard to protecting critical communication services and the lawful interception of those services. India, the world’s second largest telecom market with a number of cross-border issues, has been facing a number of telecom security-related concerns over the past two to three years.
While the telecom market in India has grown at a phenomenal rate, the laws with respect to interception of voice communication, levels of encryption and cyber security have failed to keep pace. The loopholes in the telecom security guidelines became evident during the terror attacks in Delhi and Mumbai in recent years. In light of the growing security concerns, the government has laid down stringent guidelines to tackle safety-related concerns with regard to telecom networks.
Telecom security breaches take place on three levels – network equipment, messenger services and subscriber verification. To future-proof the current security guidelines, Minister of Communications and IT Kapil Sibal has stated that the government would address security concerns at all three levels in the National Telecom Policy 2011.
Network equipment
The security of telecom infrastructure is threatened by the heavy reliance on imported equipment. Given the all-encompassing nature of electronics, the absence of regulation poses severe threats to India’s strategic sectors as well as to cyber security.
The need for a structured and transparent regulatory regime became evident following the ad hoc ban on Chinese network equipment in April 2010, which attracted international criticism. The ban on procuring equipment from Chinese vendors not only affected their revenues, but also stalled the network rollout of operators in India.
To address these issues, in June 2011, the Department of Telecommunications (DoT) announced stringent security norms with regard to telecom network equipment. Under the new framework, the responsibility for maintaining security was given to the telecom operator, which could face a penalty of up to Rs 500 million in case of a breach. Also, operators were asked to inform the department of any updates or changes in equipment within 15 days.
“Telecom operators will have to formulate their own policy with regard to security organisation and management of their networks. They will have to submit their policy to the licenser,” read a DoT note. To keep DoT in the loop, telecom companies were asked to create monitoring facilities by mid-2012.
The norms also mandated that the top personnel in vendor firms must be Indian nationals whose names would have to be cleared by DoT as well as the Ministry of Home Affairs prior to their appointment. DoT directed all operators to appoint Indian nationals in the positions of chief technical officer, chief information security officer or as nodal executives for handling monitoring and interception functions across networks.
Further, the department plans to call for a periodic audit of the networks of all operators by security agencies, government departments or reputed international agencies for security breaches.
Messenger services
The use of email and messenger services offered on the wireless platform by companies like BlackBerry, Gmail and Nokia with its push-mail service has also been recognised as a key area of concern by the Indian security agencies. The fact that terrorists had used these services to plan the terror attacks in Mumbai and Delhi added to concerns regarding the misuse of telecom technology.
Consequently, the government tightened its hold on these companies and asked for real-time interception as well as encryption codes and keys for all the communication carried out on these platforms. BlackBerry faced the maximum heat due to the high level of encoding in its messenger services and enterprise server.
A year-long logjam between DoT and BlackBerry maker Research In Motion (RIM) finally ended in September 2011 when the latter provided a solution for real-time interception of its messenger and enterprise services. If the solution provided by RIM withstands scrutiny, the government plans to ask other smartphone makers to come up with a similar solution.
Subscriber verification
In a bid to make telecom services more secure, the government tightened the subscriber verification norms. This followed the security threat posed by unverified telecom connections, especially in insurgency-hit areas like Jammu & Kashmir and the Northeast.
In 2010, the Ministry of Communications and IT asked security agencies to conduct a secret audit to gauge if operators were following the revised guidelines that comprised strict verification norms. The audit revealed that of a sample size of 500 cellular phones, the verification norms were violated in as many as 65 per cent of the cases.
Following this revelation, DoT asked operators to ensure 100 per cent subscriber verification and set the deadline as October 2010. Operators that failed to comply with the process suffered subscriber losses as unverified connections were permanently or temporarily deactivated in October 2010.
Also, to keep tighter control on telecom subscribers, the ministry amended the telecom licence conditions in May 2011 and asked operators to provide location-specific details of their customers in the licensed service area. Location-based details enable operators to keep track of the geographical location of the mobile device using their network.
The new mandate required operators to install a system for tracking all mobile phone users within their service area and include the details in the call data records in the form of longitude and latitude. In urban areas, users need to be tracked within a 50 metre radius of their location, with an accuracy of 30 per cent. For semi-urban and rural areas, the user must be tracked within a 100-300 metre radius with 60-80 per cent accuracy.
Conclusion
Undoubtedly, the government is taking all possible measures to make telecom usage in the country more secure. However, the interception and decryption of all communication is a painstaking, time-consuming and expensive process for operators. Also, some level of encryption that cannot be accessed by any agency is mandatory to ensure secure e-transactions as well as for carrying out confidential electronic communications. With the growth of m-banking services, mobile transactions and exchange of confidential information by ministry officials and corporates through wireless telecom, the government and security agencies will need to lay out the security guidelines with caution to ensure that the privacy and personal safety of citizens are not compromised.