The Government of India has released a new set of rules governing the closed-circuit television cameras (CCTV) system that can be manufactured or sold within India. Analysts believe that the new rules will make it very difficult for Chinese CCTV makers to flood the Indian market with products that can be a threat to India’s security. This is because of the close ties several of these companies have with agencies of the CCP.
The impact of this order is likely to come as a positive development for the Chinese companies, provided they are able to fulfil the tough new rules. Till now they have been treated as a pariah as far as competing in the ever growing market of security cameras in India is concerned.
The new sets of rules, introduced on 9 March made it mandatory for manufacturers to get their product tested for “essential security parameters” at Bureau of Indian Standard (BIS) recognized labs, for obtaining licence to use “Standard Mark”.
As per the said notification, the manufacturers and sellers have been given six months to meet the necessary requirements, with the order coming into effect from 9 October.
A perusal of the said government order makes it clear that the new amendments in “Electronics and Information Technology Goods (Requirements for Compulsory Registration) Order, 2021” which stipulates that no person shall manufacture or store for sale, import, sell or distribute goods which do not conform to the Indian Standard, have been brought to ensure that all CCTV cameras deployed in India are safe from national security issues.
This will also allow local companies and foreign manufacturers from countries like China to sell their products in India, both to government and private entities after meeting the requirements of the new rules.
India is a huge and lucrative market for CCTV related products and for a long time Chinese companies were the dominant players due to their reasonable price and advanced technology. As per market experts, the Indian CCTV camera market size was estimated at USD 4.38 billion in 2022. It is expected to grow at 17% in the coming years to reach a value of USD 13.08 billion by 2029.
However, due to privacy concerns, growing strategic ties between Pakistan-China and the recent border disputes with China, Government of India, which is amongst the biggest buyers of CCTV camera systems, has ensured that Chinese manufacturers are not allowed to compete in government contracts, which was also discouraging Indian private players from engaging with the Chinese companies.
As per the amended rules, the vendors, who want to operate in India and need the “Standard mark” shall provide details like date sheet of the chipset being used in their device and the process flow of the manufacturing/provisioning of the device.
It also has to verify that cryptographic keys and certificates are unique to each individual device. The issue with Chinese products is that the manufacturers are at the mercy of the CCP and need to do its bidding. Data secrecy may in effect be compromised by such a situation.
Of course, safeguards have been laid out in the new policy. Manufacturers will have to ensure that devices debugging interfaces are disabled or protected by a complex password so that they cannot be accused remotely.
The vendor will have to submit a list of all keys and certificates being used in the device ecosystem and the list of all the sensitive data with their intended usage and secure storage mechanism(s) in the device.
Furthermore, measures available in the device to prevent software tampering and hardware tampering also need to be clearly mentioned and demonstrated.
The vendor will need to reveal whether it is using any intellectual property protection technologies or not.
Most importantly, the vendor needs to submit a document mentioning the situation when the device will establish server connections with the outside environment, with detailed information about the security measures in place while validating the digital signatures of the server connections. This will ensure that the feeds from the CCTV are not being accessed from any third country or from an unintended place. The assumption is that Chinese companies will play by the rules set by the government rather than those set by the CCP.
A company will also have to ensure that security controls are in place to hinder firmware reverse engineering. Lastly, the vendors have to show a supply chain risk/business continuity planning policy that will demonstrate how they intend to handle supply chain disruptions.