The Federal Communications Commission is taking a look at virtual radio access networks as part of its work on the security environment around telecom systems – especially related to supply chains – while a Pentagon proposal for access to certain contractors’ networks raises questions, and private-sector groups are trying to take info-sharing to the next level.
It's been another busy week in the cybersecurity regulatory space, with the FCC looking at ways to leverage technology for cost-effective security solutions, as well as taking steps to sort out its own regulatory posture amid the demands of a recent executive order on telecom security.
Chairman Ajit Pai on Tuesday told members of a House Energy and Commerce subcommittee that while the commission isn’t requiring telecoms to use vRAN, it has been “looking very actively” at the potential for more cost-effective solutions to supply chain challenges. This comes in the context of the 5G buildout and an unfolding effort to replace suspect foreign equipment from networks, which will carry a hefty price tag.
“We do want to open a conversation with the private sector and other public sector agencies on encouraging companies to think more broadly on the universal solutions for network architecture,” he said.
Paid said the FCC seeks “to ensure that not only will our networks be compromised of more cost-effective solutions, particularly software which is less expensive than hardware and can be more secure in many ways but also that we are enabling some of these American based companies to thrive.”
Separately, the FCC is seeking feedback on how the interagency committee established by a recent executive order to review telecom licenses and applications will affect the FCC’s oversight activities.
The FCC wants to update a 2016 Notice of Proposed Rulemaking “to improve the timeliness and transparency of the process involving referral of certain applications with reportable foreign ownership to Executive Branch agencies, including the Team Telecom agencies, for feedback on any national security, law enforcement, foreign policy, or trade policy concerns.” Pai said he wants to leverage the EO to “conclude our own pending rulemaking on reform of the foreign ownership review process.”
The Commerce Department was active as well on supply-chain rules, announcing new restrictions to block Chinese firm Huawei’s use of U.S. software and technology in manufacturing semiconductors in third countries. Commerce also issued what could be the final 90-day extension of the Temporary General License for U.S. companies to do business with Huawei.
And the National Institute of Standards and Technology is requesting proposals from industry on how organizations can protect their telecom systems when upgrading to 5G networks.
At the Pentagon
The Defense Department is proposing legislative language that would require "operationally critical" contractors to let Defense Department investigators access their unclassified information systems in the wake of a cyber incident.
The language, proposed for inclusion in the fiscal 2021 National Defense Authorization Act, would let DOD and the Coast Guard "react immediately to reports of intrusions that may affect critical data of the armed forces," according to DOD's analysis of the proposal.
The analysis describes how "a number of commercial transportation service providers" are considered operationally critical due to the logistics functions they perform on behalf of DOD and the Coast Guard. "They are key conduits of logistics-related data, including the personally identifiable information relating to the transportation of members of the armed forces and their belongings," DOD's analysis states.
Yet the data is "usually unclassified," even though "its security and integrity is absolutely critical to the effective management of the worldwide logistics enterprise, especially during wartime or a contingency," the analysis continues. "The purpose of this legislative proposal is to facilitate the same level of proactive support by the armed forces in responding to a cyber incident as that authorized for cleared defense contractors," the document states.
Some cybersecurity leaders are citing a misalignment in the proposal with the goal of industry-led cyber risk management, while others suggest it’s a “prudent” expansion of authority to cover a specific group of contractors.
Retired Rear Adm. David Simpson, the FCC’s former cyber leader, said of the proposed legislative language, “It’s headed down a slippery slope.” One potential impact, he said, is the language on liability relief could inadvertently disincentivize private-sector risk management efforts.
But Robert Metzger, co-author of the “Deliver Uncompromised” report on security in the defense supply chain, said it was “prudent that DOD and the Coast Guard elevate the importance of breach impact and seek expedited access to information that will inform them of operational consequences and assist them in acting to mitigate and recover.”
Best practices and sharing
The National Association of Regulatory Utility Commissioners has released a guide to help state officials and international partners craft rules that enhance the cybersecurity of electric power systems. “These guidelines are intended to assist regulators in defining tariffs by establishing a regulatory approach to enhance the cybersecurity stance of their power systems, and are based on literature and current practices,” NARUC said.
In the information-sharing space, the Cyber Threat Alliance and the IT-Information Sharing and Analysis Center today announced a new partnership to “cooperate on threat intelligence and coordinate during cybersecurity incidents and emergencies.”
According to the announcement, the groups “will engage in analytical exchanges on specific threats, trends, cyber incidents, reports, and research of mutual interest. They will coordinate and share threat intelligence when appropriate and relevant.”
CTA is led by former White House cyber coordinator Michael Daniel and IT-ISAC by long-time cybersecurity vet Scott Algeier. Both have been at the forefront of efforts to bolster the private sector’s info-sharing capacities within and across sectors, and in creating structures around the exchange and assessment of advanced threat intelligence. – Charlie Mitchell (firstname.lastname@example.org)