To improve security, the government of India, starting June 15, will require telecom companies to only use equipment that’s been certified as trustworthy by the Ministry of Electronics and IT, also known as MeitY.
It’s not yet clear which vendors’ technologies will be approved using this “white listing” approach. Some other nations, including the United States, have essentially banned the use of telecom tech from certain Chinese providers, including Huawei, citing national security concerns.
“The work is in progress at the moment as we are building a portal to list the trusted vendors and products that can be sourced with a focus on cybersecurity of built-in network products; it will be done in a month,” Lt. Gen. (retired) Rajesh Pant, national cybersecurity coordinator at the Prime Minister’s Office, tells Information Security Media Group.
How the Directive Works
The government’s cybersecurity division is validating the trusted vendors based on the brand’s reputation and its history of breaches, Pant says.
The new policy will not impact existing telecom tech deployments, he points out. “The directive is primarily to address cybersecurity of the telecom service providers from a supply chain point of view and protect the entire ecosystem,” Pant says.
Evaluation criteria for “trusted sources” of telecom equipment include whether the organization meets regulatory requirements and stipulated compliance frameworks and can be used in the best interests of the nation, protecting the critical infrastructure, Pant says.
Dmitry Kurbatov, chief technology officer, Positive Technologies, says the government’s new policy will help remove threats posed by what he calls “high risk” vendors, perhaps including Huawei.
He points out, however, that as some vendors’ technologies are banned, other vendors will emerge to fill the void. “We will need to keep up with the new challenges, innovation, and opportunities 5G and IoT bring,” Kurbatov says. “The ‘trusted source’ evaluation criteria will need to keep pace with the far more dynamic working practices to secure the new threats and innovation we will experience.”
Prashant Mali, president of Cyber Law Consulting, says the key criteria for evaluating the ‘trusted sources’ for telecom tech should be the quality of the product, organizational ownership and standards, previous security incidents and how much indemnity the manufacturer is willing to provide in case of an incident.
Securing the Networks
Commenting on the new government policy, Sujan Chinoy, director general of the Manohar Parrikar Institute for Defense Studies and Analyses, writes in a blog that network security will be improved by using only those technologies identified as trustworthy.
“The onus is also on the telecom service providers to demonstrate their capability for ‘enhanced supervision’ and ‘effective control,’” Chinoy writes. “Moreover, they have to prove that they have the necessary human resources, processes and control systems and technologies in place to fulfill their part of the obligations.”
As critical infrastructure networks are connected, it’s imperative to have a solid strategy to protect them, Shomiran Das Gupta, founder of Netmonastery, stresses.
Kurbatov suggests that organizations supporting critical infrastructure should monitor whether tech providers have policies in place to audit and monitor security and report incidents or results to regulators.