The Telecommunications (Telecom Cyber Security) Rules, 2024, made under sections 22 and 56 of the Telecommunications Act, 2023, recently came into force. They are the first systemic step in bolstering the safety and resilience of the telecom sector, replacing the Prevention of Tampering of the Mobile Device Equipment Identification Number Rules, 2017. They aim to prevent increasing cyber threats disrupting digital communication networks by requiring them to establish accountability, enhance security frameworks and respond rapidly to cyber incidents.
The rules aim to achieve these objectives by having every telecom entity implement cybersecurity policies setting out security safeguards, risk identification, assessment and management, and the prevention of and recovery from security incidents. A security incident is defined as an event posing an actual or potential risk to telecom cybersecurity. This includes not only actual attacks and breaches but also latent vulnerabilities within the telecom network, equipment or service which could be exploited to compromise cybersecurity. Telecom entities are required to allow certified agencies to conduct regular audits to ensure they can adapt to emerging cyber threats.
A key provision is the appointment of a chief telecommunication security officer (CTSO) by every telecom entity. The CTSO must be an Indian citizen residing in India. They will be the primary liaison between the government and the telecom entity in implementing the rules as well as reporting as required. Telecom entities are to notify the government within six hours of detecting security breaches and to submit detailed incident reports within 24 hours, outlining their scope and impact.
The government, through its authorised agencies, is empowered to collect traffic or other data, except the contents of messages, from telecom entities to ensure telecom cybersecurity. Safeguards are prescribed when collecting non-content data to ensure they are used only for cybersecurity purposes. Manufacturers and importers of devices carrying international mobile equipment identity (IMEI) numbers are required to register such identifiers with the government before sale or import. Tampering with telecommunication identifiers, such as IMEI numbers, is prohibited and subject to penalties. Telecom entities are also required to establish security operations centres (SOC) to monitor, detect and respond to cyber threats. These centres will play a pivotal role in real-time threat assessment and incident management. The government is authorised to direct telecom entities to mitigate identified risks, conduct forensic analyses and upgrade security infrastructure to address evolving cyber challenges. The rules, however, are silent as to how SCOs will do this.
Despite their extensive scope, the rules present challenges. The broad definition of a security incident may lead to inconsistent interpretations and enforcement. Although data safeguards are mentioned, the absence of explicit guidelines for data storage, retention and sharing raises concerns about misuse and privacy breaches. Sweeping powers granted to the government under rule 5, including that to penalise users detected through identifiers, lack adequate procedural safeguards. Actions such as the suspension or disconnection of services can be undertaken without prior notice. Legitimate security concerns may be misused to carry out arbitrary enforcement and misuse.
The rules and the act are unclear as to whether security incidents and cyber incidents as defined under the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013, overlap.
Financial and logistical burdens for telecom operators are worrisome. Establishing SOCs and complying with other security measures impose significant costs, particularly for smaller players. This may create market imbalances.
The rules represent a concerted effort by the government to protect the telecom sector against emerging cyber threats. However, their broad scope, operational challenges and high costs need critical revision. By incorporating procedural safeguards, aligning with global standards and addressing industry-specific concerns, the rules can strike a balance between national security and individual privacy.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
