Governments Notifies Telecommunications Cyber Security Rules 2024

Introduction

On November 21, 2024 the Government of India through Department of Telecommunications (hereinafter referred to as DoT) under the Ministry of Communication notified new Telecommunications (Telecom Cyber Security) Rules, 2024 and on November 22, 2024 notified another set of rules called Telecommunications (Critical Telecommunication Infrastructure) Rules, 2024 (hereinafter referred to as Critical Rules) and (collectively referred to as 'The Rules'). The Rules have been introduced to provide for the measures to protect and ensure cyber security of telecommunication network and telecommunication services.

Why are The Rules enacted?

The rapid advancement of telecommunications technology has transformed India's communication, with over 700 million smartphone users as of January 2023¹ and an expected 1.05 billion users accessed the internet via their mobile phones². This interconnectedness, while enabling innovation, has also increased vulnerabilities with the around 284 cybersecurity incidents per 10,000 according to Kaspersky Managed Detection and Response (MDR) statistics for January- June 2024.³ One such recent example is of a major public telecom company which suffered alleged data breach as a threat actor claimed to have 'critical information' pertaining to the company's 32,000 lines of data and disclosed the same on dark web including sensitive personal information.⁴

A leading cybersecurity firm claimed that around 750 million telecom users' data was breached exposing personal information including names, mobile numbers and Aadhaar information. This extensive database, amounting to a staggering 1.8 terabytes, is being sold by threat actors from CyboDevil and UNIT8200.⁵

The increase in the crime rate where the customer's personal data, a crucial information for an individual is at stake had lead government to come up with measures to protect the communication networks and services by including specified timelines for telecos ( telecommunication operator) to report security incidents and make disclosures.⁶

On whom will The Rules apply?

The Rules apply on telecommunication network and any other authority as identified by the central government. Further, The Rules cover entities like telecommunication entity and Chief Telecommunication Security Officer, a person providing telecommunication services or establishing, operating, maintaining or expanding telecommunication network are consider telecommunication entity.⁷

The Cybersecurity Rules

Definition of Telecom Cybersecurity

Telecom cybersecurity is defined as protection of telecommunication networks and services through combination of tools, policies, security concepts, security safeguards, risk management approaches and technologies. The primary objective is to shield telecommunications systems from security risks within the cyber environment.

Prohibition on Misuse of Telecommunication

The Cybersecurity Rules explicitly prohibits any person to misuse telecommunication equipment, identifier, network or services for activities such as-

Fraud, cheating or personation
Transmitting any messages which is fraudulent
Committing or intending to commit any security incident

Regulation of Telecommunication Equipment

To enhance security, it established strict guidelines for telecommunication equipment:

Manufacturer and importer of equipment in India having International Mobile Equipment Identity (IMEI) number shall register this with central government prior to first sale.
No person shall intentionally remove, obliterate, change or alter unique telecommunication equipment identifier number.
Their shall not be any use, production, traffic in, have control or custody of or possess hardware or software related to telecommunication identifier or equipment.

The Critical Infrastructure Rules

Critical Telecommunication Infrastructure (hereinafter referred to as CTI)

It means any telecommunication network, or part thereof, notified by central government as Critical Telecommunication Infrastructure, disruption of which shall have debilitating impact on national security.

Compliance Measure

The Critical Rule, entity will ensure that Critical Telecommunication Infrastructure are in compliance with Essential Requirements, Interface Requirements, Indian Telecommunication security assurance requirements and specifications, testing requirements or conformity assessment.

Key highlights of both The Rules

The Government of India has addressed several overlapping concerns in Cybersecurity Rules and Critical Rules, highlighting their interconnected objectives. The table below provide a comparative view of key aspects addressed in both frameworks:

Description	Critical Rules	Cybersecurity Rules
Risk Assessment	Entities must perform vulnerability, threat, or risk analysis for cyber security architecture of CTI and Ensure it is carried out annually or in such intervals as may be directed by the Central Government Maintain a risk register including graded risk assessment associated with different elements, identify severity of risk and solutions to mitigate the same.	The entities shall adopt a cybersecurity policy which shall include risk management approaches, risk assessment, identification and prevention of security incidents and further reduced the risk
Maintenance of logs	Maintain logs and documentation related to the network architecture of CTI, including any changes. Regularly back up logs and implement standard operating procedures for incident response and business continuity. Ensure that the logs for remote access to CTI are preserved for at least one and for two years in case of infrastructure of telecommunication network architecture of CTI or as long as directed by central government.	Entities shall maintain command logs of operation and maintenance, Logs of Security Operation Centre (SOC), Intrusion Prevention System (IPS), or Security Information and Event Management (SIEM) or other such solution, of elements of telecommunication service or network or any other element required for security. Logs of telecommunication network and services.
Obligations of telecommunication entity	Maintain list of critical telecommunication infrastructure. Plan, develop and maintain verification practices, service level agreements, Maintain record of supply chain of telecommunication equipment, Implement standard operating procedures for security incident response system Furnish detailed report relating to action taken. Report security breach incidents	Entities shall adopt and notify central government of telecom cybersecurity policy Conduct periodic cybersecurity audits and share report to central government, Report security breach incidents within 6 hours of becoming aware and provide remedial measure within 24hours and maintain details of threat actors.
Chief Telecommunication Security Officer (CTSO)	CTSO is responsible for implementation of the rules.	Responsible for implementation of the rules in coordination with Central Government.
Central Government duties	Shall specify on the portal, the form and manner in which every telecommunication entity shall provide the details in respect of Critical Telecommunication Infrastructure.	Seek from telecommunication entity, traffic data and direct to establish necessary infrastructure and equipment for collection and provision of such data from designated points to enable its processing and storage. Put in place adequate safeguards, digital and other mechanisms as it may consider necessary to identify, or for enabling any person to identify and report, acts that may endanger telecom cyber security, take immediate actions where ever necessary.

Conclusion

The Rules will ensure protection of telecom cyber security, prohibit or limit the access to telecommunication service. The new rules will help in preventing altering of Mobile Device Equipment Identification number.⁸ Further if on any contravention of The Rules, the Act provides for civil penalty of up to INR 25,000 and on subsequent offence further Civil penalty up to INR 50,000 every day after the first during which the contravention continues.⁹

Abhishekta Sharma, Assessment Intern at S.S. Rana & Co. has assisted in the research of this article.

https://ssrana.in/articles/india-gets-new-telecom-act/

https://ssrana.in/articles/telecom-act-india-digital-privacy-data-protection-act-2023/

Footnotes

1 https://www.weforum.org/stories/2023/12/how-smartphones-can-boost-digital-literacy-among-indias-rural-communities/

2 https://www.statista.com/statistics/558610/number-of-mobile-internet-user-in-india/

3 https://ciosea.economictimes.indiatimes.com/news/security/telecoms-are-prime-targets-for-cyberattacks-in-2024-kaspersky/112166561

4 https://telecom.economictimes.indiatimes.com/news/industry/bsnl-suffers-data-breach-sensitive-info-of-users-up-for-sale-on-dark-web/106197459

5 https://www.indiatoday.in/technology/news/story/data-of-750-million-telecom-users-in-india-being-sold-on-dark-web-cyber-experts-claim-2495752-2024-01-31

6 https://www.nextias.com/ca/current-affairs/23-11-2024/telecommunications-telecom-cyber-security-rules-2024

7 https://www.indiacode.nic.in/showdata?abv=CEN&statehandle=123456789/1362&actid=AC_CEN_37_58_00002_202344_1721027001853&sectionId=91717&sectionno=3&orderno=3&orgactid=AC_CEN_37_58_00002_202344_1721027001853

8 https://timesofindia.indiatimes.com/india/government-rolls-out-norms-to-seek-user-information-from-telecom-companies-for-cyber-security/articleshow/115541087.cms

9 Schedule third of Telecommunication Act, 2023 https://egazette.gov.in/WriteReadData/2023/250880.pdf

For further information please contact at S.S Rana & Co. email: info@ssrana.in or call at (+91- 11 4012 3000). Our website can be accessed at www.ssrana.in

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.