What Is Critical Telecom Infrastructure (CTI) and Why Is India Introducing It?
India is introducing Critical Telecom Infrastructure (CTI) to better protect its telecom ecosystem against state-backed cyber threats and espionage, similar to the 2023 “Salt Typhoon” breach in the US involving Chinese hackers targeting AT&T, Verizon, and T-Mobile.
Under the Telecom Act, 2023, the government will define and notify CTI elements including:
- Routing systems
- Customer Relationship Management (CRM) tools
- Submarine cable equipment
- Satellite operations software
- Mobile subscriber databases like HLR and UDM
The CTI Rules, 2024, will require telcos to conduct security audits, file network architecture disclosures, and submit cyber crisis plans to the government.
CTI Notification: What’s Changing for Telecom Operators?
Once the CTI elements are officially notified, telecom companies like Reliance Jio, Bharti Airtel, and BSNL will be required to:
- Declare and document network architecture and components
- Submit cybersecurity risk assessments and audit reports
- Maintain traceability of equipment origins
- Appoint a Chief Telecommunication Security Officer (CTSO)
- Report threats and breaches via a dedicated TCSIRT portal
A new Telecom Computer Security Incident Response Team (TCSIRT)—similar to CERT-In—will handle telecom-specific cyber incident analysis and response, and will be based out of the National Communication Academy in Ghaziabad.
Examples of Systems to Be Tagged as CTI
The government will begin by tagging telecom services and components such as:
- Home Location Register (HLR) in legacy mobile networks (2G, 3G, 4G)
- Unified Data Management (UDM) in 5G networks
- Operations and Management Control (OMC) for satellite systems
- Domain Name Servers (DNS) and IP addresses
These systems are critical to the functioning and security of the entire telecom and digital ecosystem.
Why Is This Move Critical for India’s Cybersecurity Strategy?
India’s approach reflects a growing urgency to prevent foreign control or backdoor access to programmable telecom software and infrastructure. According to Rakesh Bhatnagar, Director General of VOICE, these programmable systems should be secured by Indian entities, and eventually replaced by locally manufactured alternatives to reduce dependency on foreign vendors.
The government’s ₹3 lakh crore telecom revival and digital infrastructure upgrade plan further reinforces the need for secure, self-reliant telecom infrastructure.
Next Steps for Compliance
Under the Critical Telecommunication Infrastructure Rules, 2024, telecom operators must:
- Upload CTI compliance data to a dedicated government portal
- Follow reporting guidelines set by the upcoming TCSIRT framework
- Prepare for regular reviews every six months by an expert committee
