The Nepal Telecommunications Authority is scouting for consultants to monitor and certify the implementation of the Mobile Device Management System, two months after it awarded a $7.66 million contract to a joint venture involving a tainted Malaysian firm.

“The objective of this consulting service is to monitor, evaluate and certify the implementation of the Mobile Device Management System,” said the authority. “The consultant shall design and, upon approval, implement an audit and certificate process that will verify the obligation of the service provider.”

In June, the telecom regulator had selected a joint venture of Malaysian firm Nuemera, OSI Consulting of India and Namaste Global Communication of Singapore as service providers to implement the system aimed at tracking and blocking grey market phones.

Nuemera landed in controversy in 2017 following revelations that a similar phone blocking system it developed under an outsourcing model for the Malaysian Communications and Multimedia Commission was found to be the source of a data leak that affected 46.2 million subscribers in Malaysia.

In Malaysia’s most significant data leak, personal details such as emails, billing addresses and mobile numbers of subscribers of at least 12 telcos, other virtual network operators and medical organisations were compromised from 2014-15.

The move by the telecom regulator comes a day after Chinese hackers breached the system used by banks to guide and secure Automatic Teller Machine transactions, exposing the vulnerability of Nepali banks.

The Mobile Device Management System being built by the telecom regulator involves setting up a data centre where the personal records of mobile phone owners registered on the network of Nepal's six telecom operators will be stored.

According to officials, hiring consultants to oversee the processes involving the development of hardware and software, dispatch and commissioning of the system will act as a precautionary measure against any possible data breach.

“In line with the telecommunication authority’s requirement, the consultant is expected to observe and report on the technical specifications of the system, hardware and software developed by the manufacturer,” said Purushottam Khanal, chairman of the Nepal Telecommunications Authority.

“As the system is being built for the first time in Nepal, the regulator has decided to involve international experts as team leaders, system analysts, software developers and auditors to ensure compliance by the contractor with our requirements.”

The consultants who will keep a check on the contractor and its work are required to undertake the task in three phases. In the first phase, the team will test verify and certify the hardware equipment and data centre before being dispatched to Nepal from the country of the manufacturer.

The second and third phases involve testing, verifying and certifying the system design based on the requirement and installation of the data centre and its commissioning.

When asked about the vulnerability of the system and possible breach in the future, Khanal said such systems were always under constant threat of cyber attack, but the regulator would stringently monitor the software and data centre and eliminate any security loopholes.

Mobile phone dealers have long complained of a drop in sales because of a widening grey market. The move to implement the Mobile Device Management System comes as a countermeasure aimed at bringing the devices under the registration net, which will make it easier for authorities to monitor them.

“The system is being established to minimise illegally imported (including counterfeit) mobile devices and deter theft of mobile phones,” said the telecom regulator. “The Mobile Device Management System will consist of white, grey and blacklists of IMEI codes and provide interfaces to importers, customs and law enforcement agencies, mobile operators, the general public and the Nepal Telecommunications Authority.”

The system will be synced to a database called Equipment Identity Register that contains records of legal and illegal mobile devices in the country. The device management system is also expected to identify cloned, low-cost copy versions of branded phones with fake registration numbers.

However, with the involvement of a firm who allegedly built a weak system which was compromised to leak personal data on the dark web, it remains to be seen how secure the Mobile Device Management System will be in Nepal, observers said.