Why in News?
- The Ministry of Electronics and Information Technology (MeitY) has recently assumed the mandate to discuss smartphone security standards under the Indian Telecom Security Assurance Requirements (ITSAR) framework.
Institutional Framework and Context
- Origin and Mandate: ITSAR is a set of detailed technical security requirements formulated by the National Centre for Communication Security (NCCS), which operates under the Department of Telecommunications (DoT).
- Part of MTCTE: These requirements are a critical component of the Mandatory Testing and Certification of Telecom Equipment (MTCTE) regime, which ensures that any telecom gear used in India is safe and trusted.
- Shift in Authority: While NCCS drafts the standards, the responsibility for discussing and implementing these specifically for consumer mobile devices (smartphones) has been shifted to MeitY, acknowledging the intersection of telecom and consumer electronics.
- Scope: The framework covers a wide range of equipment, from core network infrastructure (like 5G gear) to consumer devices (like Wi-Fi routers and smartphones), ensuring end-to-end network security.
Key Proposed Provisions for Smartphones
- Source Code Disclosure: The draft proposes that manufacturers must submit their proprietary source code to government-designated laboratories for screening to detect hidden “backdoors” or vulnerabilities.
- Removal of Pre-installed Apps: It mandates that users should have the ability to uninstall pre-loaded applications (bloatware) that are not essential for the basic functioning of the device.
- Data Logging and Retention: Manufacturers may be required to retain security and operation logs for a period of 12 months to aid in forensics during cyber incidents.
- Mandatory Malware Scanning: The rules propose continuous and automatic scanning for malware on devices to prevent them from being used in botnets or as spying tools.
- Update Oversight: Companies might need to notify the government before rolling out major software updates or patches to ensure they do not introduce new security risks.
Strategic Objectives
- Cyber Sovereignty: The primary goal is to assert national control over the digital ecosystem and prevent foreign state actors from exploiting telecom networks for espionage.
- Supply Chain Security: It aims to “sanitize” the hardware and software supply chain, reducing reliance on unchecked components from nations with which India has adversarial relations.
- Consumer Protection: By curbing non-essential pre-installed apps and enforcing malware checks, the government seeks to protect user data from commercial exploitation and privacy breaches.
- Trust-Based Ecosystem: The initiative aligns with the global trend of “Trusted Telecom,” ensuring that critical infrastructure is built only on verified and certified technologies.
Industry Concerns and Challenges
- Intellectual Property Risks: Smartphone manufacturers (both global and domestic) strongly oppose source code disclosure, fearing it compromises their trade secrets and proprietary technology.
- Operational Feasibility: Industry experts argue that retaining logs for 12 months on consumer devices is technically difficult due to storage constraints and potential performance degradation.
- Lack of Global Precedent: Critics point out that such stringent mandates, especially regarding source code access by the state, are not common practice in other major democratic markets.
- Cost and Delays: Mandatory testing and certification for every model and update could increase compliance costs and delay the launch of new devices in the competitive Indian market.

