India's Department of Telecom (DoT) has amended rules on imported telecom gear, requiring operators to have the equipment independently vetted.
The new rules compel trunk and ILD operators to use internationally accredited network audit agencies to perform tests on network gear, according to documents dated August but published to the DoT's site on Tuesday.
These tests include network forensics, hardening, penetration tests and risk assessment. Equipment must be vetted on purchase, then at least once within the first year of purchase and every two years thereafter. Auditors may be chosen from a list of approved firms to be kept by the DoT.
The initial security rules had made operators “completely and totally responsible for security of their networks,” including the security audits.
Audits will at first be limited to core equipment, including routers, switches, firewalls and VoIP gear.
Operators will still be the ones held financially accountable for any breach: the amended rules spell out a penalty of 500 million rupees ($11.1m) per purchase order, as well as 100% of the value of the supply contract.
Operators will be required to set up test labs on their own premises, monitor all network intrusions and frauds and report them to the DoT or the national computer security group CERT-IN.
They must also still make the designs and source code of ordered equipment available in escrow for vetting by experts designated by the government, and reduce their dependence on foreign engineers for operation and maintenance to “almost nil” within two years.
The rules may still be vetoed by the prime minister's office, which in August ordered a two-month review of the initial equipment rules over widespread vendor opposition to the escrow concept.
The DoT may also come under pressure to change the rules from President Obama – whose administration is reportedly meeting with vendors to discuss discomfort over the rules – when he visits India in November.