In Short:
A disagreement between major telecom companies like Cisco, Nokia, and the Indian Department of Telecommunications (DoT) could stall broadband growth in India. The DoT insists on a security mandate starting October 1, requiring firms to share sensitive product data for certification. Companies are resisting due to concerns over intellectual property and costs, and so far, no products have been certified.
New Delhi: A conflict between leading global telecom equipment manufacturers, including Cisco, Nokia, Ericsson, and Hewlett Packard Enterprise (HPE), along with the Department of Telecommunications (DoT), is poised to impact India’s broadband expansion significantly.
Security Mandate and Industry Resistance
The DoT stands firm on the October 1 deadline for the enactment of a new security mandate. This regulation stipulates that only those Wi-Fi customer premises equipment (CPE) and Internet Protocol (IP) routers that have received government security certification can be sold.
However, the telecom companies are opposing this mandate, which requires them to disclose sensitive data, such as source code and internal test reports, to obtain the necessary certification. They cite concerns over intellectual property rights as well as security and sensitivity issues.
Impending Challenges for Broadband Expansion
Industry executives familiar with the matter indicated that, as of now, no products have secured the required security certification. Consequently, if the situation remains unresolved, new units of Wi-Fi CPEs and routers essential for broadband expansion may not be available on the Indian market starting next month.
The industry has requested a two-year extension to comply with the new regulations; however, the DoT is adamant about maintaining its October deadline, stating that ample time has already been allocated for compliance.
“The industry has been aware of the timelines since they were announced a few years ago. Furthermore, there is hesitation among companies to share proprietary information, such as source code and internal testing reports, for product assessment,” remarked an anonymous official.
Certification Process and Current Applications
So far, only a limited number of companies have applied for security certification at the National Centre for Communication Security (NCCS), which operates under the DoT. Among those seeking certification are Cisco, Nokia, Ericsson, HPE, and Ciena. However, it may take approximately 14 to 16 weeks for any of these applications to be approved, contingent upon meeting all necessary criteria.
In response to inquiries, spokespersons from Cisco, Nokia, HPE, and Ciena have yet to provide comments. An official from Ericsson mentioned, “The requirements for sharing source code are being replaced by internal reports, and the industry is currently in discussions with the government on this matter.”
NCCS’s Role and Ongoing Issues
The NCCS has emphasized the necessity of testing source code to identify existing vulnerabilities. They clarified that the source code would not be replicated onto any device during testing; instead, the code provided by the company would be assessed using specialized tools, with test results shared to facilitate addressing vulnerabilities.
Established in 2019, the DoT‘s mandatory testing and certification of telecommunication equipment (MTCTE) scheme is designed for various network components, with the Telecommunications Engineering Centre (TEC) implementing several parameters. However, the NCCS is tasked specifically with testing and certifying against security requirements through the Communication Security Certification Scheme (ComSec).
Despite the industry’s relative ease with MTCTE certification through TEC, challenges persist regarding security certification via NCCS, primarily due to uncertainties surrounding several issues. An executive noted that while 512 Wi-Fi CPE and router models have achieved MTCTE certification, none have qualified for ComSec certification to date.
“Numerous products are awaiting security certification, and besides the data-sharing concerns, the financial costs for product testing are substantial. Additionally, there are no clear guidelines specifying how these products will undergo testing,” conveyed another executive, who requested anonymity.
In the context of security testing, there are only six laboratories in the country authorized to conduct these assessments, with testing fees ranging from ₹40 to 50 lakh per product, as per industry executives.
