tl;dr
On August 28, 2024, the Department of Telecommunications [“DoT”], Ministry of Communications [“MoC”], released the draft Telecommunications (Critical Telecommunication Infrastructure) Rules, 2024 [“draft CTI Rules”]. The draft CTI Rules were first published in the e-Gazette on August 29, 2024; alongside them, the MoC also released three other draft Rules, covering internet shutdown, telecom interception, and cyber security. The MoC is seeking objections or suggestions within 30 days of their publication. Given the wide-ranging implications of these draft Rules on our constitutional freedoms, we will be releasing a detailed analysis of each of the Rules (read our in-depth analysis of the draft Suspension Rules, 2024 here, draft Interception Rules, 2024 here and draft Cyber Security Rules, 2024 here). This post includes our in-depth analysis of the draft CTI Rules along with a table providing a clause-by-clause analysis of each of the provisions in the rules.
Important documents
- Draft Telecommunications (Critical Telecommunication Infrastructure) Rules, 2024 (link)
- IFF’s analysis of the draft Telecom Critical Infrastructure Rules, 2024 (link)
- The Telecommunications Act, 2023 (link)
- e-Gazette notification for enforcement of sections of the Telecommunications Act, 2023 dated June 21, 2024 (link)
- Public Brief on draft Indian Telecommunication Bill, 2022 dated October 27, 2022 (link)
- IFF’s first read of the Telecom Bill, 2023 (link)
- Indian Telegraph Rules, 1951 (link)
- Information Technology Act, 2000 (link)
- Information Technology (National Critical Information Infrastructure Protection Centre and Manner of Performing Functions and Duties) Rules, 2013 (link)
Background
The draft CTI Rules have been released in pursuance of Section 22(4) read with Section 56(2)(w) of the Telecommunications [“Telecom”] Act, 2023, which was enacted amid widespread chaos in the Parliament while over 140 opposition Members were suspended. The Telecom Act, 2023 received Presidential Assent and was published in the gazette on December 24, 2024. On June 21, 2024, the MoC issued a gazette notification to bring into effect certain sections of the Act, namely Sections 1, 2, 10 to 30, 42 to 44, 46, 47, 50 to 58, 61 and 62, from June 26, 2024.
Unlike the other three draft rules that have been issued under the Telecom Act, 2023, the draft CTI Rules do not supersede any pre-existing rules under the erstwhile Indian Telegraph Act, 1885.
As per a statement made by the Union Minister of Communications, Jyotiraditya Scindia, in July 2024, all the Rules and provisions of the Telecom Act, 2023 will be notified within six months. While some of the Telecom Rules have been notified, and some have been released for public input, some rules have yet to be released.
Section 22(3) of the Telecom Act, 2023, read with Rule 3(1) of the draft CTI Rules, states that Critical Telecommunication Infrastructure [“CTI”] shall be any telecommunication network, or part thereof, “disruption of which shall have a debilitating impact on national security, economy, public health, or safety.” The draft CTI Rules go on to prescribe compliances and obligations that are specific to telecommunication entities designated as CTI.
India already has a framework for the protection of certain critical infrastructure. Section 70(1) of the Information Technology Act, 2000 [“IT Act”] allows the government to declare any computer resource which directly or indirectly affects the facility of Critical Information Infrastructure [“CII”] to be a protected system. The explanation to this section defines CII as “the computer resource, the incapacitation or destruction of which, shall have a debilitating impact on national security, economy, public health, or safety.” This definition uses almost the same assessment parameters as the definition provided in the draft CTI Rules. Further, in pursuance of the same, the National Critical Information Infrastructure Protection Centre [“NCIIPC”] has been established under Section 70A of the IT Act as the nodal agency in respect of CII. NCIIPC has a vision to facilitate safe, secure, and resilient information infrastructure for critical sectors of the nation. These critical sectors have been defined under the Information Technology (National Critical Information Infrastructure Protection Centre and Manner of Performing Functions and Duties) Rules, 2013 as sectors that are critical to the nation, the incapacitation or destruction of which will have a debilitating impact on national security, economy, public health, or safety.
While not exhaustively defined, some of the critical sectors have been listed on the NCIIPC website, including the telecom sector. On a principle level, the designation of certain key sectors such as communications, energy, banking, transport, healthcare, etc. as critical infrastructure is a practice in several jurisdictions around the globe. For instance, in the United States, in April 2024, the White House released the National Security Memorandum on Critical Infrastructure Security and Resilience [“NSM”] which updates the national policy to secure and enhance the resilience of U.S. critical infrastructure and protect the same against all threats, current and future. The effort to secure U.S. critical infrastructure is led by the Department of Homeland Security with the Cybersecurity and Infrastructure Security Agency acting as the National Coordinator for Security and Resilience. The NSM has identified sixteen critical infrastructure sectors (including communications and information technology) and has identified a federal department or agency as the Sector Risk Management Agency for each sector. Across the pond, in the EU, the European Commission has launched the European Programme for Critical Infrastructure Protection [“EPCIP”] for the identification and designation of European Critical Infrastructure with a view to improve and protect the latter. In 2022, the EU issued a Directive on the Resilience of Critical Entities which aims to “strengthen the resilience of critical entities against a range of threats, including natural hazards, terrorist attacks, insider threats, or sabotage, as well as public health emergencies.” Under the said directive, member states are required to adopt a national strategy and carry out regular risk assessments to identify entities that are considered critical or vital for society and the economy. The directive covers eleven sectors, which include energy, banking, and digital infrastructure.
Other countries, such as Canada, Singapore, and the United Kingdom, have a version of critical infrastructure protection and improvement schemes and/or laws.
While it is recognised that telecom is a critical sector that warrants protection from external threats, it is also important to learn from other jurisdictions and adopt a cross-sectoral approach to critical infrastructure protection. A study published in the International Journal of Critical Infrastructure Protection attempted to identify the critical infrastructure sectors in India and culled out thirteen critical sectors – Agriculture and Food, Banking and Finance Banks, (Tele) Communications Mobile, Critical Manufacturing Industries, Defense Industrial Base, Emergency Services, Energy, Healthcare, Information Technology, National Icons and Monuments, Postal and Shipping, Transportation and Water Supply. It is apparent from a simple analysis that these sectors are heavily dependent on each other. For instance, telecommunications and information technology are inextricably linked, and so are emergency services and transportation. Given the digital nature of today’s society, information technology has become crucial for almost all other sectors, including healthcare and financial services. This solidifies the need for a multi-sectoral, coordinated, and comprehensive approach if any attempt towards protecting critical infrastructure is to be truly effective. It is highly recommended that the Union Government consider inter-ministerial collaboration and create an umbrella framework to protect critical infrastructure which can encompass sector-specific regulations such as the draft CTI Rules.
Key Features and Concerns with the draft CTI Rules
While there is a definite need for laws that recognise and govern the telecom sector as part of critical infrastructure, the draft CTI Rules in their current form have numerous areas of concern. These concerns, along with other key highlights of the draft CTI Rules, are enumerated below:
- Vague parameters for designation of CTI
Rule 3(1) of the draft CTI Rules states that the designation of the CTI would be based on whether the destruction of the telecom network would have an impact on the national security, economy, public health or safety of the nation. However, the assessment of ‘impact on national security, economy, public health, or safety of the nation’ is overbroad, ambiguous, and could potentially be arbitrary. Due to the vagueness of the parameters of identification of CTI, the potential for misuse of CTI designation to subject telecom entities to a higher threshold of compliance and scrutiny by the authorities looms large.
Instead of the current vague assessment of national security, economy, public health, and safety currently specified, the draft CTI Rules could have alternatively envisaged a framework of well-defined and precise thresholds for CTI with a consideration of factors including but not limited to turnover of the entity, number of users, area of coverage, etc. Such an assessment of pre-determined factors that would qualify a telecom network as ‘critical’ would minimise executive discretion and ambiguity as well as ensure that only larger telecom entities are subject to these rules. Further, this could also ensure that MSMEs and small industry players are not brought under the ambit of CTI and made to adhere to increased compliance costs.
- Rehashing of existing security requirements
Rule 4(1) of the draft CTI Rules requires CTI to be in compliance with security, testing, and conformity requirements as issued by relevant Union Government authorities such as the Telecommunication Engineering Centre [“TEC”] and National Centre for Communication Security [“NCCS”]. However, these requirements are pre-existing under the Indian Telegraph Rules, 1951. Part IX of the Indian Telegraph Rules, 1951, requires that all telecom equipment undergo mandatory testing and certification prior to sale, import, or use in India. In pursuance of the same, the Procedure for Mandatory Testing and Certification of Telecommunication Equipment [“MTCTE Procedure”] has been formulated under the aegis of the DoT. The MTCTE Procedure is periodically updated and issued by the TEC. The MTCTE Procedure with respect to specific security requirements is implemented through the Communication Security Certification Scheme by the NCCS, including formulating Indian Telecommunication Security Assurance Requirements. In essence, the security and compliance requirements under Rule 4(1) are more or less a reiteration of an existing DoT framework. It is also to be highlighted that Part IX of the Indian Telegraph Rules, 1951, is still operational and has not been superseded by the draft CTI Rules.
Further, it is to be noted that the draft CTI Rules are silent on the nature of penalties in the case of non-compliance with their provisions. However, Part IX of the Indian Telegraph Rules, 1951, specifically Rule 537, allows for the issue of notices to persons who are in contravention of the mandatory testing and certification requirements of the said Part. Clarity on the mechanisms to ensure compliance and deter contravention under the draft CTI Rules would be required to assess the efficacy and practicality of the draft law.
- Excessive powers of access and inspection
Rule 5 of the draft CTI Rules allows the Union Government to authorise its personnel through an order to access and inspect hardware, software, and data pertaining to CTI of telecom entities. However, this power of the Union Government to access the CTI of telecom entities remains largely unfettered and is not backed by principles of due process. By a mere order, the Union Government gains virtually full access to the assets of telecom entities. There is no provision for a prior intimation or notice to the telecom entities before their facilities are accessed by the Union Government. Such broad and overarching inspection powers have a significant potential to be misused by the Government authorities.
The Union Government is empowered to authorise its ‘personnel’ to access and inspect CTI. However, the term ‘personnel’ has not been defined and expanded upon. The exact authority and/or office post that would have access to inspect and access the data of telecommunication entities has been left unspecified. This is a clear instance of lack of due process and transparency, whose impact is heightened in the case of broad-based powers of access and inspection as in the present case.
These powers of inspection are reminiscent of the powers of inspection under Section 43 of the Telecom Act, 2023, wherein officers authorised by the Union Government are empowered to search locations on suspicion that specified offences have been committed using an unauthorised telecom network, telecom equipment or radio equipment. However, the inspection powers under the draft CTI Rules are more intrusive in comparison to the Telecom Act, 2023, as under the former, the Union Government does not even require suspicion of commission of an offence to inspect and access the assets of the telecom entities.
- Lack of data protection safeguards
Rule 5 of the draft CTI Rules allows the Union Government to access data pertaining to CTI of telecom entities. This could include access to user data, which could amount to a violation of the right to privacy of individuals who have consented to share their data only with specific telecom entities. This access to data has been allowed in the absence of any data protection safeguards, without any checks and balances, and in complete disregard of the ‘privacy by design’ approach. Further, the draft CTI Rules have allowed for access to data without incorporating privacy principles such as storage limitation, purpose limitation, data retention, etc.
- Overregulation and high compliance costs
The draft CTI Rules impose several compliance requirements on telecom entities that seem both unrealistic and inefficient at the same time. For instance, Rule 7(1)(l) requires telecom entities to report security incidents to the Union Government within two hours of occurrence. This is a shorter deadline for reporting security incidents than the one in the draft Telecom Cyber Security Rules, 2024, which stipulates a six-hour time bar. While six hours itself is likely to be an unfeasible timeline for telecommunication entities to report security incidents, two hours is an even more unrealistic time bar. Instead of a thrust on quick reporting, the focus ought to be on allowing a response time to the telecommunication entity and realistic timelines for accurate reporting.
Another instance of unrealistic and excessive compliance under the draft CTI Rules is Rule 8, which requires telecom entities to seek prior permission from the Union Government to conduct upgradation activities on their CTI. A requirement for prior permission for upgrading CTI would result in significant compliance costs and inefficiencies for telecom entities. Instead of fast-tracking upgrade procedures, the telecom entities would now be forced to wait for permission to carry out upgrade activities, even if they are routine in nature. Instead of permission, the rules could perhaps implement an ex-post reporting framework, where telecommunication entities could periodically report upgrades.
Overall, there is a need to consider easing the compliance burden on telecom entities, especially considering that the possibility remains that the telecom networks of smaller telecom entities could be potentially designated as CTI. These cost-heavy compliances would be especially burdensome on smaller and newer players in the telecom industry.
This post was drafted with the assistance of Kumar Utsav, Policy Intern at Internet Freedom Foundation.