On August 28, 2024, the Ministry of Communications (Department of Telecommunications) issued a significant notification in the Official Gazette, introducing the draft Telecommunications (Telecom Cyber Security) Rules, 2024. These rules aim to bolster the cybersecurity of telecommunication networks and services, establishing comprehensive guidelines for data collection, security measures, and incident reporting.
The draft Telecommunications (Telecom Cyber Security) Rules, 2024 are proposed under the powers conferred by the Telecommunications Act, 2023. These rules will replace the previous Prevention of Tampering of the Mobile Device Equipment Identification Number Rules, 2017, and its 2022 amendment, aligning with modern cybersecurity needs.
Definitions:
Telecom Cyber Security: This encompasses tools, policies, safeguards, guidelines, risk management approaches, and technologies aimed at protecting telecommunication networks and services.
Chief Telecommunication Security Officer (CTSO): An employee designated by a telecommunication entity to oversee compliance with these rules.
Telecommunication Entity: Any organization involved in providing telecommunication services or operating networks, including those with specific authorizations or exemptions under the Act.
Data Collection, Sharing, and Analysis:
Data Requests: The Central Government, or authorized agencies, can request traffic data and other information from telecommunication entities to enhance cybersecurity.
Data Handling: Collected data may be analysed and, if necessary, shared with law enforcement agencies or other relevant bodies, under strict safeguards to prevent unauthorized access.
Purpose Limitation: Data collected will only be used for ensuring telecom cybersecurity.
Obligations for Telecom Cyber Security
Prohibition of Misuse: The rules prohibit endangering telecom cybersecurity through fraudulent activities, security incidents, or any misuse of telecommunication identifiers.
Mandatory Measures: Telecommunication entities must adopt cybersecurity policies, conduct regular testing, and report security incidents promptly.
Security Operations Centers (SOC): Entities are required to establish or collaborate on SOCs to monitor and respond to cybersecurity threats effectively.
Protection Measures
Identification and Reporting: The Central Government may implement digital mechanisms to identify and report cybersecurity threats.
Notices and Orders: Notices may be issued to persons involved in compromising cybersecurity, with subsequent orders for suspension or termination of service as needed.
Chief Telecommunication Security Officer
Appointment: Each entity must appoint a CTSO responsible for coordinating with the government and ensuring compliance.
Responsibilities: The CTSO will oversee the implementation of these rules and manage security incident reporting.
Incident Reporting
Timely Reporting: Telecommunication entities must report security incidents to the Central Government within six hours, detailing the incident’s impact and response measures.
Public Disclosure: The Central Government may decide to inform the public about significant security incidents.
Telecommunication Identifiers and Equipment
Registration: Manufacturers and importers of telecommunication equipment with IMEI numbers must register these numbers with the Central Government before sale or import.
Tampering Prohibition: The rules prohibit tampering with telecommunication identifiers and mandate actions to block or address tampered equipment.
Digital Implementation
Digital Procedures: The Central Government may specify digital methods for implementing these rules, including data collection, incident reporting, and registration processes.
Public Consultation Process
The draft rules are open for public comment for 30 days from their publication. Stakeholders, including telecommunication entities and the general public, are encouraged to review the draft and submit any objections or suggestions to:
Joint Secretary (Telecom)
Department of Telecommunications
Ministry of Communications
Sanchar Bhawan, 20, Ashoka Road
New Delhi – 110001
Conclusion
The introduction of the Telecommunications (Telecom Cyber Security) Rules, 2024 marks a significant step toward strengthening the cybersecurity framework for telecommunication networks in India. By establishing clear guidelines for data handling, cybersecurity measures, and incident reporting, the rules aim to protect critical infrastructure and ensure the integrity of telecommunication services.
