Critical telecom infra rules come into effect
Telecom entities whose networks are designated as Critical Telecommunication Infrastructure (CTI) must give access to government-authorised personnel to inspect hardware, software and data of certified CTI parts, according to new rules that came into effect on November 22.
The Telecommunications (Critical Telecommunication Infrastructure) Rules, 2024, were released for public consultation on August 29 under Section 22(4) of the Telecommunications Act, 2023. The section empowers the central government to notify telecom networks as CTI if their disruption could severely impact national security, economy, public health or safety.
The rules require appointment of a chief telecom security officer (CTSO) to oversee implementation. Entities must report cyber security incidents within 6 hours, revised from 2 hours in the draft rules.
This brings them on par with the recently notified Telecom Cyber Security Rules and the 2022 CERT-In directions.
Despite the revision, experts say this is still not a deadline that can be complied with and that it does not meet global standards. Experts point out that this also raises the issue of over-regulation in the space because the telecom sector is notified as critical information infrastructure under the Information Technology Act and thus falls within the domain of the National Critical Information Infrastructure Protection Centre (NCIIPC) as well. In addition, the Information Security Practices and Procedures for Protected System Rules of 2018 under the IT Act have overlapping requirements for organisations with “protected systems”, which are akin to critical information infrastructure.
“There is definitely a need for clarity on how various connected frameworks will interact with each other, including the Telecom Act, the IT Act, the Digital Personal Data Protection Act, and the CERT-In directions. It is not clear how different government agencies will coordinate,” said Namrata Maheshwari, senior policy counsel at Access Now.
Maheshwari flagged concerns about lack of thresholds for government-authorised personnel and data access limitations. “The rules do not set out when an inspection can be triggered, or the factors that must be taken into account, or limitation on the use of information obtained during these inspections,” she said.
She added that the rules also do not provide for accountability measures in case of abuse of powers by the government-authorised personnel. It is also not clear whether, in such inspections, the government-authorised personnel can access personal data of the telecom entity’s subscribers.
For the notified CTI, the telecom entity must share the following with the government: network architecture details of the CTI; list of authorised personnel who have access to CTI; inventory of hardware and software used in the CTI; details of vulnerabilities; cyber crisis management plans; security audit reports and audit compliance reports; and service level agreements (SLAs) related to the CTI.
The telecom entity must also provide all CTI-related logs to help detect anomalies and generate real-time intelligence. The logs and documentation of the telecom network architecture must be preserved securely for at least two years. The draft rules did not specify a time period.
Remote repair or maintenance of CTI from outside India requires prior written government approval. For upgrades to software or hardware, entities must submit test reports for government review. The government will have to either seek more details, issue directions for more testing, or approve/reject the application within 14 days. If the government doesn’t act within 14 days, the telecom entity can proceed with the upgradation activity.
However, immediate upgrades are allowed during cyber security incidents, with notification to the government within 24 hours with details of the incident and the upgrades done.
The government will create a digital portal to implement the rules but can still issue directions through “secure mode of communication” case by case. “Secure communication from the government to telecom entities should not mean opaque directions that cannot be scrutinised for accountability,” Maheshwari said.
“There has to be a system for record-keeping that enables effective review, for instance, by an independent expert committee or constitutional body,” she said.
All CTI hardware, software and spares must meet government standards, including Essential Requirements, Interface Requirements, Indian Telecommunication Security Assurance Requirements, and other standards that may be notified by the government.