India’s National Cyber Security Coordinator (NCSC), Lt General (retd) Rajesh Pant, has clarified that Chinese telecom gear makers Huawei and ZTE are not barred from participating in the process to identify “trusted sources and products” and are going through the same scrutiny as European and American vendors.
Pant, the designated authority to give approvals to gear vendors and their equipment, said that the first list of approved trusted companies or trusted sources will be out in the first week of October.
“We have a meeting scheduled and we will release the list after that. And, every time the committee meets, the (trusted) names will be there,” Pant was quoted as saying by the Economic Times.
Pant revealed that India had formed a committee under the Deputy National Security Advisor (NSA), called the National Security Committee on Telecom, which will take decisions allowing or barring companies under the trusted sources and products regime.
“In that committee, we have industry representatives, IIT professors, joint secretary-level officers, and it is chaired by the deputy NSA. That is the one that takes a decision based on all the inputs that are given through the portal,” he said.
The Indian government had in March announced setting up the “National Security Directive” to secure the country’s telecom infrastructure by designating a “trusted source” for the purchase of equipment by telecom operators. Effective June 15, the new regime makes it mandatory for Indian telecom operators to use trusted network equipment from “trusted sources”.
“We have done something that no other country in the world is doing. Other countries have created a negative list of entities whereas we are saying that we will go through a proper process, verify the company and the semiconductors inside the products as well,” Pant said.
He added that the authority evaluates telecom and networking equipment at the semiconductor level to rule out any snooping-related concerns. “In the product, we are seeing information about the semiconductor used because that is where manipulation can be found.”
As per the Indian government, “trusted products” are products whose critical components and the products themselves are sourced from “trusted sources.” Under the new process, the designated authority seeks detailed information related to active components, place of manufacturing, the ownership structure of the equipment player’s organisation, and details about intellectual property rights.
The new directive, however, does not mandate the replacement of existing equipment already deployed by telcos. Additionally, the directive will not affect ongoing Annual Maintenance Contracts (AMC) or updates to existing equipment already deployed in the network.
Indian telecom operators had reportedly delayed large-scale network expansion orders to their partners such as Nokia and Ericsson in the absence of approvals from the office of the National Cyber Security Coordinator (NCSC), the designated authority to give approvals to gear vendors and their equipment.
Pant, however, rejected Indian telecom operators’ claims and said that the authority has come up with the provision of a one-time exemption for one year, which allows telcos to execute “critical” network deployment without the trusted sources approvals.
“We have gone out of the way to take care of requests, especially Vodafone Idea. We have got requests from Reliance Jio and Bharti Airtel and we are taking care of that,” Pant said.
Indian telecom operators had also said that the delay in the approval process might derail the 5G launch timeline in the country.
Pant said that “there won’t be any delay in 5G since it is still two years away. There is no 5G equipment that everyone is putting in the pipeline.”
Pant said that data collection from 1,150 companies under the unified licensing regime, including telcos, ISPs and NLD, among others, led to minor delays in the whole approval process.
“We have created this process without any background of the work. There are about 1,150 companies under the unified licensing regime…so, you can imagine how many people wanted to register as TSPs, so that was the first challenge as to how we deal with so much information,” Pant said.
Once all details are furnished, the NCSC will assess the vendors and the sources of the components to determine trusted sources and trusted products, which will be intimated to the vendor concerned and the applicant telecom operator to make their procurements.
Pant added that the authority’s focus is to ensure that sensitive data submitted by vendors and original equipment makers (OEMs) doesn’t leak out. “…the OEMs don’t trust the TSPs with their data, they trust the government. We have the key responsibility,” he told the publication.
This year, Pant said, India will also release a new cybersecurity strategy, adding that the strategy would holistically cover the entire ecosystem of cyberspace in India.