Introduction
On November 21, 2024 the Government of India through Department of Telecommunications (hereinafter referred to as DoT) under the Ministry of Communication notified new Telecommunications (Telecom Cyber Security) Rules, 2024 and on November 22, 2024 notified another set of rules called Telecommunications (Critical Telecommunication Infrastructure) Rules, 2024 (hereinafter referred to as Critical Rules) and (collectively referred to as 'The Rules'). The Rules have been introduced to provide for the measures to protect and ensure cyber security of telecommunication network and telecommunication services.
Why are The Rules enacted?
The rapid advancement of telecommunications technology has transformed India's communication, with over 700 million smartphone users as of January 20231 and an expected 1.05 billion users accessed the internet via their mobile phones2. This interconnectedness, while enabling innovation, has also increased vulnerabilities with the around 284 cybersecurity incidents per 10,000 according to Kaspersky Managed Detection and Response (MDR) statistics for January- June 2024.3 One such recent example is of a major public telecom company which suffered alleged data breach as a threat actor claimed to have 'critical information' pertaining to the company's 32,000 lines of data and disclosed the same on dark web including sensitive personal information.4
A leading cybersecurity firm claimed that around 750 million telecom users' data was breached exposing personal information including names, mobile numbers and Aadhaar information. This extensive database, amounting to a staggering 1.8 terabytes, is being sold by threat actors from CyboDevil and UNIT8200.5
The increase in the crime rate where the customer's personal data, a crucial information for an individual is at stake had lead government to come up with measures to protect the communication networks and services by including specified timelines for telecos ( telecommunication operator) to report security incidents and make disclosures.6
On whom will The Rules apply?
The Rules apply on telecommunication network and any other authority as identified by the central government. Further, The Rules cover entities like telecommunication entity and Chief Telecommunication Security Officer, a person providing telecommunication services or establishing, operating, maintaining or expanding telecommunication network are consider telecommunication entity.7
The Cybersecurity Rules
Definition of Telecom Cybersecurity
Telecom cybersecurity is defined as protection of telecommunication networks and services through combination of tools, policies, security concepts, security safeguards, risk management approaches and technologies. The primary objective is to shield telecommunications systems from security risks within the cyber environment.
Prohibition on Misuse of Telecommunication
The Cybersecurity Rules explicitly prohibits any person to misuse telecommunication equipment, identifier, network or services for activities such as-
- Fraud, cheating or personation
- Transmitting any messages which is fraudulent
- Committing or intending to commit any security incident
Regulation of Telecommunication Equipment
To enhance security, it established strict guidelines for telecommunication equipment:
- Manufacturer and importer of equipment in India having International Mobile Equipment Identity (IMEI) number shall register this with central government prior to first sale.
- No person shall intentionally remove, obliterate, change or alter unique telecommunication equipment identifier number.
- Their shall not be any use, production, traffic in, have control or custody of or possess hardware or software related to telecommunication identifier or equipment.
The Critical Infrastructure Rules
Critical Telecommunication Infrastructure (hereinafter referred to as CTI)
It means any telecommunication network, or part thereof, notified by central government as Critical Telecommunication Infrastructure, disruption of which shall have debilitating impact on national security.
Compliance Measure
The Critical Rule, entity will ensure that Critical Telecommunication Infrastructure are in compliance with Essential Requirements, Interface Requirements, Indian Telecommunication security assurance requirements and specifications, testing requirements or conformity assessment.
Key highlights of both The Rules
The Government of India has addressed several overlapping concerns in Cybersecurity Rules and Critical Rules, highlighting their interconnected objectives. The table below provide a comparative view of key aspects addressed in both frameworks:
Description |
Critical Rules |
Cybersecurity Rules |
Risk Assessment |
|
|
Maintenance of logs |
|
|
Obligations of telecommunication entity |
|
|
Chief Telecommunication Security Officer (CTSO) |
|
|
Central Government duties |
|
|
Conclusion
The Rules will ensure protection of telecom cyber security, prohibit or limit the access to telecommunication service. The new rules will help in preventing altering of Mobile Device Equipment Identification number.8 Further if on any contravention of The Rules, the Act provides for civil penalty of up to INR 25,000 and on subsequent offence further Civil penalty up to INR 50,000 every day after the first during which the contravention continues.9
Abhishekta Sharma, Assessment Intern at S.S. Rana & Co. has assisted in the research of this article.
https://ssrana.in/articles/india-gets-new-telecom-act/
https://ssrana.in/articles/telecom-act-india-digital-privacy-data-protection-act-2023/
Footnotes
2 https://www.statista.com/statistics/558610/number-of-mobile-internet-user-in-india/
9 Schedule third of Telecommunication Act, 2023 https://egazette.gov.in/WriteReadData/2023/250880.pdf
For further information please contact at S.S Rana & Co. email: info@ssrana.in or call at (+91- 11 4012 3000). Our website can be accessed at www.ssrana.in
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.