Telcos wary of sharing source code with DOT
Global telecom equipment manufacturers and operators have raised serious concerns on the Department of Telecommunications (DOT) asking them to share source codes of their products, used in a telecom network, as part of enhanced security measures.
Source coding testing, they have told vendors, will be undertaken by third party labs accredited by the DOT. Earlier, security testing was undertaken by manufacturers internally and operators were allowed to install the telecom gear (imported or made in India) after they received self-certification from vendors.
Many used to sign an agreement with the vendor, passing on the liability of any breach and financial consequences to the latter.
The DOT is engaged in a virtual meeting with all stakeholders, one of which was held on Thursday. It has nudged stakeholders to send compliance letters within a week.
The move is significant because it comes at a time when there have been allegations by the US of heightened security risks (due to spyware use) in telecom gear manufactured by the Chinese, like Huawei and ZTE.
This has been a key reason behind countries like Japan deciding not to buy 5G equipment from Chinese vendors. In India, however, the Chinese were permitted to apply for 5G testing with telos, after a heated debate over alleged security breaches.
Rajan S Mathews, director general of Cellular Operators Association of India, said: “This is the first time testing of these aspects of equipment is taking place. Our concern is that if testing takes time and is delayed, this could substantially delay installation of telecom equipment for months.” Telecom vendors have represented to the government via the DOT their key concerns.
They have pointed out that source code testing and review are all done by manufacturers internally, which is highly confidential given it is linked to their IPRS. Any examination by a third party could lead to potential leak.
Second, software is like a living organism and dynamically changing all the time, running millions of lines of codes that makes it impossible for a third-party lab to have the expertise to check them.
Third, if software patching is held up due to delay in testing, it will significantly impact networks.
Security concerns had been raised earlier, specifically against Chinese manufacturers. However, companies like Huawei fought back, calling the allegations “bunkum”.
To allay fears raised by the government, they offered their software code in an escrow account so that the former could intervene in case of suspected breach.