India has relaxed its stringent demand for telecom equipment suppliers to hand over proprietary source code, a move hailed as a significant relief for multinational corporations (MNCs) and local telecos. This decision marks a shift from a "code red" situation to one of greater clarity and ease of doing business, balancing national security concerns with industry demands.
The Policy Shift
Previously, the Communication Security Certification Scheme, notified in 2020, mandated telecom gear manufacturers to submit their software source code to government-approved third-party labs as a pre-requisite for selling their equipment in India. This applied to a range of equipment including Wi-Fi equipment, routers, and customer premises equipment, with plans to extend it to radios.
Under the relaxed norms, manufacturers are now only required to provide a summary of internal security test results and confirm adherence to testing procedures. However, in the event of a security breach that raises suspicion of product vulnerability, companies will be required to submit full test reports and cooperate with the Telecom Department's source code testing unit.
Winners and Losers
This change in policy is expected to benefit global giants like Ericsson, Nokia, and Cisco. These companies had previously expressed concerns that source code disclosure could compromise their intellectual property rights (IPR), increase the risk of cyberattacks, and potentially fall into the hands of competitors. The EU delegation had also raised concerns, stating that such a mandate does not exist internationally.
However, the relaxation may pose a setback for local gear makers. The Global Trade Research Initiative (GTRI) cautioned that relaxing local content norms and easing the source code demand could undermine Indian manufacturers who have invested in domestic production and innovation. They may face losing market share to foreign MNCs whose products remain largely imported and foreign-owned.
The Government's Balancing Act
The Indian government's decision reflects a balancing act between national security imperatives and the need to foster a conducive environment for foreign investment and technological advancement. The initial source code demand stemmed from concerns about security vulnerabilities and potential backdoors in telecom equipment, particularly from Chinese vendors. In 2012, Huawei and ZTE had offered unrestricted access to their source code in response to allegations of their connections with the Chinese government and military.
However, the government also recognized the practical challenges and potential drawbacks of the mandatory source code submission. Global telecom equipment manufacturers argued that their equipment already undergoes rigorous audits to ensure adherence to global security processes, such as the GSMA-led Network Equipment Security Assurance Scheme (NESAS).
Impact and Future Outlook
The relaxation of the source code mandate is expected to ease concerns for foreign companies involved in US and EU trade talks with India. It could also potentially encourage greater foreign direct investment (FDI) in the telecom sector and boost the deployment of advanced technologies like 5G and 6G in India.
However, some industry experts believe that the process of sharing internal security tests could still be burdensome. There are also concerns about the potential impact on domestic innovation and manufacturing.
Moving forward, it will be crucial for the government to strike a balance between ensuring security and promoting a vibrant and competitive telecom ecosystem. This could involve strengthening testing and certification processes, promoting local manufacturing through incentives, and fostering collaboration between domestic and foreign companies. By doing so, India can harness the growth potential of its telecom sector while safeguarding its national interests.
