Swedish telecom gear maker Ericsson and India’s telecoms representative body COAI raised serious concerns and opposed the government’s demand to provide equipment “source code” for scrutiny.
They told the authorities that reviewing or verifying equipment source code may not be possible since it comprises “commercially valuable, confidential, and sensitive information.” They are also of the view that a meaningful review of the source code would take substantial time and effort, and would thereby delay network rollouts in the country.
Ericsson’s Chief Technology Officer (CTO), Erik Ekudden, in his letter to the Department of Telecommunications (DoT), said that the outcome of a source code review “would be questionable”. He said that it was virtually impossible to bring out software free from known vulnerabilities.
“A network can be compromised through weaknesses in deployment or configuration and operations, which software-related tests are not aimed to address,” Ekudden said in his letter to the DoT secretary Anshu Prakash. “Certifying software or hardware does not mean it is flawless. Un-noticed imperfections of testing lead to a false sense of security.”
The department is reportedly planning to seek the source code of all network equipment deployed in India as part of the security assurance testing initiative proposed by the DoT’s National Centre for Communications Security (NCCS), based in Bengaluru.
The DoT hasn’t issued any official order in this regard yet.
India had briefly imposed a similar security condition in 2010, but it withdrew the order after an industry-wide consultation.
Chinese telecom gear vendors Huawei and ZTE previously offered access to their respective product or equipment source code to allay security-related concerns of the Indian government.
The Cellular Operators Association of India (COAI), in a separate letter to the DoT, said that submission for security testing is not necessary to address security requirements, due to frequent software delivery on the networks and mobile devices.
COAI represents Airtel, Vodafone Idea, Reliance Jio and multinational vendors like Ericsson, Nokia, Huawei, and ZTE.
The representative body said that the telecom industry is already required to comply with the security requirements as per the license conditions, which translates to using the 3GPP Security Assurance Specification (SCAS).
COAI and its partners have said that they already comply with worldwide standard practices, including GSMA’s Network Equipment Security Assurance Scheme (NESAS).
The body said that discussions with the telecom department on the Indian telecom security assurance requirements (ITSAR) have been ongoing for over a year and the requirement to submit the source code was never raised earlier by the security testing team of the department.
“This source code requirement has come up recently in the last two months…we request DoT to provide at least two years from the date of release of modified ITSAR document to address the requirements which original equipment makers would need to develop in the relevant product release,” COAI said in its letter.