Missed deadlines and half-measures: India’s telecom equipment has a security problem

Despite being the second-largest smartphone market in the world—not to mention the fastest growing—India has very few checks and balances in place to control telecom equipment quality. This has resulted in everything from mobile phone batteries heating up or outright exploding. Radiation emissions being above prescribed limits. And the very real threat of data theft and spying. These dangers aren’t just limited to smartphones either. There are examples galore of other telecom equipment, like routers, for instance, being equally susceptible to safety and quality issues. Any way you dice it, a substantial amount of poor quality products are dumped in India.

But with the Huawei controversy exploding over the past few months, this lackadaisical approach to telecom equipment standards simply isn’t tenable. For those not in the know, Chinese telecom equipment giant Huawei has faced allegations that its equipment could be used by China to spy on other countries. Huawei India’s revenue for 2017 (Huawei follows the calendar year for accounting) was a cool $1.16 billion.

Concerns about telecom equipment, though, go far beyond Huawei. Currently, about 97% of telecom equipment used in the country is imported. India imported about $21 billion worth of telecom equipment in FY18, up from $16.2 billion in FY17. And the crazy part? Most of the equipment used in the country—barring equipment procured by the government itself—is self-certified. This, despite some experts comparing self-certification to asking a student to check her own exam paper. Unless there are proper third-party audits, self-certification can’t be trusted, they say.

For government procured equipment, things are better—all equipment must be approved by the  Department of Telecom’s (DoT) nodal agency for this very purpose, the TEC (Telecom Engineering Centre). However, if the government’s recent noises are to believed, MTCTE (Mandatory Testing and Certification of Telecom Equipments) might soon become a reality across the board. This means that any telecom equipment—both imported or locally produced—will have to qualify on certain parameters to be sold to operators. TEC will be in charge of approvals, and no telecom equipment—including mobile phones—can be sold in the country without being tested and certified.

This will be easier said than done, though. While the government set 1 April as the deadline to introduce MTCTE, this is unlikely to proceed as planned. In all likelihood, this deadline will be extended, with a notification regarding the same expected before the month ends.

The impending delay is on account of strong lobbying from billion-dollar equipment manufacturing companies (backed by their telecom operator clients, of course), with the government seemingly bowing to the whims of the powers that control the market. This, despite domestic companies as well as a relatively unexpected lobby—testing companies—in staunch support of MTCTE. To make matters worse, India is also woefully underprepared to implement MTCTE, at least for the foreseeable future

With global concerns about telecom equipment security growing, the fact that India is set to allow the MTCTE deadline to come and go to no avail is worrying. It was meant to be a turning point in India’s telecom equipment security, but will instead go down as an indictment of the government’s penchant for dragging its heels. With the clock ticking, it is increasingly imperative that India acts swiftly and decisively. However, if the government does indeed want to protect the security of India’s data and telecom infrastructure, is mandatory testing really a panacea, or is it just a first step? If it is the latter, Indians should be worried because it has taken a long time just to reach this latest impasse.

Long road to nowhere

Concerns over telecom security aren’t new. As far back as 2010, DoT had amended the license agreement for telecom operators to include security-related measures. It put the onus on licensees (telecom operators) to ensure the security of their network. However, given the deeply entrenched relationship between vendors and operators, it is unclear how thoroughly this directive was implemented.

The urgency to actually do something, though, ratcheted up just a few years later when an October 2012 report by the US House Intelligence Committee indicated that Huawei and ZTE posed a threat to US national security.

Shortly after, in 2013, the Indian government set up a Telecom Testing and Security Certification Centre (TTSCC) to develop systems, processes, standards, and tools, etc. for security testing. A pilot lab was also established at the Indian Institute of Science, Bengaluru, for the same purpose.

To any casual observer, India was awake and alert to the dangers of compromised telecom equipment and infrastructure. Foreign equipment manufacturers like Ericsson and Huawei, however, had other ideas. They refused to part with details and designs of equipment they were importing into the country, which were vital for designing testing protocols. As justification for their refusal to cooperate, they argued that this would hurt their business interests. And while they stood firm, the government caved.

Since then, the government has hoped that each passing year would be the one where mandatory testing finally takes off. But just waiting and wishing doesn’t help. And while the government refused to take decisive action year after year, the threat to India’s telecom infrastructure has only increased as foreign equipment manufacturers have almost entirely taken over the Indian telecom equipment market.

Telecom equipment accounts for an overwhelming majority of India’s electronic imports. In just three years, between 2014-15 and 2017-18, telecom equipment imports went up from $14.69 billion to $21.84 billion.

India is a large and lucrative market for foreign vendors, who supply 97% of the country’s network equipment. These vendors include the likes of Ericsson, Nokia, Huawei, Samsung, and Cisco. For Swedish equipment manufacturer Ericsson, for example, India contributes 6% of its global revenues for the quarter ending March 2018. Only the US is a larger market for Ericsson. Huawei Telecommunications (India) Pvt Ltd, which houses its networks, consumer and enterprise business, saw its revenue between FY16 and FY18 double to Rs 8,282 crore, with the biggest share coming from its networks business. And Korean major Samsung, which recently joined the big leagues in India thanks to its deal with Jio, made Rs 8,397.7 crore in revenue in FY18 from telecom equipment. This overwhelming dominance by foreign players only makes the need for enhanced testing and security measures more important.

Testing times

The good news for India is that most MNC equipment vendors—the likes of Ericsson, Nokia and Huawei—have finally fallen in line with the government’s plan for MTCTE, even if it does make things a little more expensive for them. “Now they will have to bear the cost of samples to be tested, pay the fees here, and additionally, also employ manpower here to look after testing and certification.  It is a non-tariff barrier that they will have to deal with.From what we have been told, they might look at manufacturing more here. This will not be an immediate impact though,” says a source at the TEC.

An email sent to Samsung, Huawei, Ericsson and Nokia for comment and information on their manufacturing plans remained unanswered. While Nokia and Ericsson have plants in the country, sources say these are merely assembly units.

However, even with their compliance and so many years in between to put systems in place, India is woefully underprepared to actually action MTCTE. TEC, the body that will administer testing and certification of telecom equipment, is grossly understaffed. An application for hiring 250 people was sent to the DoT, which only recently sanctioned the same. The additional staff are required to monitor and evaluate applications once the equipment testing finally begins. But it isn’t just a lack of manpower. The MTCTE website, a portal created for accepting equipment testing applications, still isn’t fully functional as testing labs have not been linked.

Adding to this fast unravelling tragicomedy is the woeful shortage of labs. In November 2018, Union telecom minister Manoj Sinha inaugurated the SASF (Security Assurance Standards Facility) in Bengaluru, which will supposedly develop Indian telecom security assurance requirements. “This facility will work for security from the national perspective and also facilitate the development of testing and certification ecosystem in the country,” Sinha had proclaimed. What he failed to mention, though, was that it was the only SASF in the country. For the deluge of equipment imports India sees, several SASFs are needed.

Sources say that DoT’s security wing and TTSCC are working together to expand the number of security labs, but it is unclear by when this will happen. A source said that the Bengaluru facility is also under-resourced and cannot handle testing on a large scale.

India also lacks a security standard. Something integral to testing. Security standards help in improving the security of telecom networks by defining both functional and assurance requirements within a product, system, process, or technology environment. Well-developed security standards enable consistency among product developers and serve as a reliable metric for purchasing equipment.

A source in TEC says that DoT has been working on the Indian telecom security assurance requirements (ITSAR) for some time now, but once again, it’s unclear when this will be finalised. So, how does testing proceed then? The TEC source says that standards might be ready by the time MTCTE is implemented, though there’s no clear timeframe.

“Across the Globe, security testing is an important parameter and there are already defined standards as per ITU-T (International Telecommunication Union-Telecom) recommendations. But in India, we are 20 years behind the EU and USA as far as the standardisation aspects,” says Dr R Lenin Raja, an independent researcher and VP of engineering at AA Electro Magnetic Test Laboratory, a private testing lab in Gurugram that will undertake electromagnetic radiation tests under MTCTE.

But even as India struggles to get its basics right, many believe that just testing won’t be enough.

No panacea

“I don’t think mandatory testing solves the problem of security in telecom equipment, for these are complex ICs (integrated circuits) of hardware and software. As long as one has access to the network, one can introduce malware from anywhere,” says the former technology officer of a foreign telecom equipment company.

Malware—malicious software, like viruses or Trojans, designed to do harm to devices, data or people—could also be introduced at the time of equipment upgrades, which are done remotely through software. Given the frequency of these equipment upgrades, it remains to be seen how this will all be monitored on an ongoing basis.

This isn’t a dystopian scenario either. There have already been cases of networks coming under attack in the past. A senior official from CDOT (Centre for Development of Telematics), an R&D organisation under DoT, and two other officers from DoT-promoted bodies confirmed that vulnerabilities have been discovered in India’s telecom hardware. He did not name the companies involved but said that this has irked the highest levels of government.

The country’s largest telecom network—state-owned BSNL—faced a botnet attack in 2017 which affected the information built into modems used for BSNL’s broadband services across the country. Over 2,000 customers were affected, with many facing issues with their broadband connectivity for over three days. In another data breach in 2017, 120 million Reliance Jio customers’ data was leaked online.

Home comforts

For Tarun Wig, founder of cybersecurity startup Innefu labs, the most appropriate way to secure India’s telecom networks is to use domestic products. “Be it Chinese, US, or any other country,” he asserts, “the risk of snooping will always be there with foreign telecom equipment. While China has garnered a lot of attention, US has equally been found guilty of snooping through one of its equipment companies,” he says. He declined to mention which US equipment company he was referring to.

At least four people The Ken spoke to—two from the government and one each from industry and academia—felt that the domestic telecom equipment industry in India can scale up much further. Especially with a little attention from the government. “ From a technical competence perspective, we have the best of capabilities to build world class products in evolving technologies. Strong Govt resolve is required  for self reliance,” says Sanjeev Kakkar, President and Chief Strategy Officer at Vihaan Networks, a Gurugram-based domestic equipment firm that specialises in mobile technology products

A company like Bengaluru-based Tejas Networks is a good example of this. Its transmission products for both 4G LTE and GPON are on par with offerings from MNCs. The company has more than 340 patents in the US, EU and India and exports to 70 countries. In an interview with the Economic Times, Sanjay Nayak, founder of Tejas Networks says that the company has adequate manufacturing capacity and can completely substitute the imports of optical transmission equipment in the country. Just this reduction in imports, he argued, would save nearly a billion dollars of forex each year.

However, domestic players can’t succeed without help from the government. MNCs have, over time, developed standards and technologies, managed large footprints for their products globally, and achieved economies of scale and market presence. Domestic equipment manufacturers cannot match this. They’ve also built brand loyalty among both consumers and service providers, further denting the prospects of homegrown products. Government intervention, therefore, is critical to reviving local telecom equipment manufacturing. However, despite the government’s focus on its Make in india and Startup India initiatives, it has done little in this regard.

In August 2018, the Telecom Regulatory Authority of India (Trai) produced a paper on domestic manufacturing of telecom equipment, aiming for net-zero imports by 2022. The paper hit on some critical issues that needed to be addressed. For starters, barring low-end commodities like sheet metals, plastics, wires, etc., the ecosystem required to support local telecom equipment manufacturing is almost non-existent. What further worsens the problem is inverted duty—the duty on raw materials being higher than finished products—as well as the lack of fiscal incentives for electronic system design and manufacturing (ESDM).

Trai’s paper also mentions the importance of local manufacturers having access to capital, soft loans, contract financing, and credit default insurance. In China, for example, state-owned organisations like Sinosure look after the capital and insurance requirements of Chinese manufacturers in various sectors.

The preferential market access (PMA) policy was another thing TRAI highlighted as a problem. It was designed to promote public procurement for domestic companies, but its implementation has been miserable. For one, the PMA policy applies only to central government procurements, leaving a large number of projects undertaken by PSUs and state goverments.

Then, there are the conditions issued by the government. “Many tenders are floated with eligibility conditions that eliminate domestic players and favour MNC vendors. For example, there will be a criteria that all products should come from the same vendors. Domestic suppliers obviously have a smaller bouquet of products, and that’s how we get eliminated,” explains one of the officials from a domestic telecom equipment company.

Thus far, none of TRAI’s recommendations have been actioned.

With the deadline for MTCTE set to be extended and the lack of support for indigenous telecom equipment manufacturers, it seems increasingly like the government is more focused on saying the right things than actually doing them. Take telecom minister Manoj Sinha as well as Telecom Secretary Aruna Sundararajan, for instance. Both have spoken of the importance of promoting domestic equipment manufacturing to boost data security. But until the government actually starts actioning its statements, India’s telecom infrastructure will remain vulnerable.

Leave a Comment