In Telecom Cybersecurity, Wicked Problems Require Wicked Solutions (Reader Forum)
A new report from Darkhorse Global, a geo-economics and national security consultancy, makes some good points about the convergence of national security and industrial policy frameworks for telecommunications infrastructure. Its author describes three “wicked” issues facing today’s global ICT ecosystem.
First, vulnerabilities exist in all networks, hardware and software. Second, it is easy to confuse national security issues with concerns about economic competitiveness. Third, the intent of the actors is often largely unknown, even if their capabilities are clear.
Today’s telecommunications ecosystem is beset by what political scientists call wicked problems – those that are difficult to define due to incomplete, inconsistent, or changing criteria, and that rely on judgment and advocacy for resolution.
Although these wicked problems may seem intractable, they can be ameliorated by “wicked solutions” – necessarily imperfect measures that are less of a cure and more like a medicine that helps manage a chronic disease.
A few solutions could improve overall ICT and network security in a more holistic way than some of the approaches currently in use.
Solution #1: Apply universal standards to the telecommunications industry. The key word here is universal. We already have standards for 5G and related standards and compliance programs focused on telecommunications equipment risks. These standards, along with recommended risk mitigation measures, can be used to assess equipment (and software updates) before deployment and to guide operators in managing risk.
The Cybersecurity Framework, developed by the National Institute of Standards and Technology (NIST), part of the U.S. Department of Commerce, in conjunction with private industry and other government experts, provides what is essentially an analytical tool for assessing risks that organizations can customize to align with their mission and risk posture.
Unfortunately, there is not yet widespread support for universal, independent testing of critical components from all telecommunications equipment vendors. Given the capability of today’s malicious cyber actors, such independent testing is essential.
Solution #2: Implement technical risk assessments and risk mitigation. As with standards, models for mitigating telecommunications national security risks already exist. For example, the Foreign Investment Risk Review Modernization Act (FIRRMA) modernized and strengthened CFIUS, the US government body that reviews (and can block) foreign investment in US companies and prescribes specific technical risk mitigation measures set forth in a tailored national security agreement, which may be a prerequisite for proceeding with a transaction.
We can also build on the foundation provided by NESAS, an industry-focused set of standards and risk management criteria for telecommunications equipment. While it could still provide higher levels of assurance, NESAS is a globally recognized scheme that tests not only products but also how they are developed and maintained (including how software and firmware updates are installed). NESAS also offers a dispute resolution mechanism to address complaints from companies who feel that their products, or those of their competitors, have not been evaluated fairly.
In addition, last year the Federal Communications Commission (FCC) standardized its interagency review process for reviewing national security, foreign policy, and trade policy issues. This is done through the new Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Industry (formerly known as “Team Telecom”).
Using these and other existing measures as a guide, technical risk mitigation could be expanded into a comprehensive framework to address the hardware, software and supply chain security threats facing the telecommunications industry.
Risk can be assessed and mitigated using various models. For example, security by design is a well-known practice that builds security features into software throughout the development process, rather than at the end (often disparagingly referred to as having security “bolted on”). It includes regular testing of maintenance procedures to ensure that nothing malicious is inserted into software solutions, either at the time of initial delivery or in subsequent software updates or operations and maintenance.
Another example is reliable delivery mechanisms. These can support the reliability of independent third-party reviews of hardware, software, and firmware. These reviews can give mobile network operators reasonable assurance that the software and hardware provided by a vendor matches what has been verified by the third-party evaluator. They can also prevent vendors from providing software updates directly to wireless carriers without going through the independent review and testing process. Taking such measures can reduce supply chain risks.
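The delivery-assurance mechanism described above can be made concrete with a small verification step on the operator side. The following Go program is an added example, not code from the article or from any of the organizations it names: a hypothetical independent evaluator publishes a signed manifest listing the SHA-256 digests of the artifacts it actually reviewed, and the operator refuses any update whose manifest signature does not verify, whose artifact name is absent from the manifest (a vendor pushing an update directly, bypassing review), or whose digest differs from the reviewed one. The evaluator name, release number, artifact names and contents are constructed sample values; the evaluator's key pair is generated in-process so the example runs stand-alone, whereas in practice the public key would be distributed to operators out of band.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the record an independent evaluator publishes after reviewing a
// vendor's release: the SHA-256 digest of every artifact it actually examined.
type Manifest struct {
	Evaluator string            `json:"evaluator"`
	Release   string            `json:"release"`
	Artifacts map[string]string `json:"artifacts"` // artifact name -> hex SHA-256
}

// SignedManifest carries the serialized manifest and the evaluator's signature over it.
type SignedManifest struct {
	Body      []byte
	Signature []byte
}

// GenerateEvaluatorKey creates the evaluator's Ed25519 signing key pair. Generated
// locally here so the example runs stand-alone (assumption: in deployment the public
// half is distributed to operators out of band and pinned).
func GenerateEvaluatorKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// DigestHex returns the hex-encoded SHA-256 digest of an artifact.
func DigestHex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// SignManifest serializes the manifest and signs it with the evaluator's private key.
// json.Marshal emits map keys in sorted order, so the signed bytes are deterministic.
func SignManifest(m Manifest, key ed25519.PrivateKey) (SignedManifest, error) {
	body, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Body: body, Signature: ed25519.Sign(key, body)}, nil
}

// VerifyUpdate is the operator-side check: an update is accepted only if the manifest
// was signed by the known evaluator, names this artifact, and the digest matches.
// An artifact the evaluator never saw (a vendor pushing directly to the carrier) fails
// the "not in manifest" check; a modified artifact fails the digest check.
func VerifyUpdate(sm SignedManifest, evaluatorPub ed25519.PublicKey, name string, payload []byte) error {
	if !ed25519.Verify(evaluatorPub, sm.Body, sm.Signature) {
		return errors.New("manifest signature invalid: not issued by the trusted evaluator")
	}
	var m Manifest
	if err := json.Unmarshal(sm.Body, &m); err != nil {
		return fmt.Errorf("manifest unreadable: %w", err)
	}
	want, ok := m.Artifacts[name]
	if !ok {
		return fmt.Errorf("artifact %q was not reviewed by %s", name, m.Evaluator)
	}
	if got := DigestHex(payload); got != want {
		return fmt.Errorf("artifact %q digest %s does not match reviewed digest %s", name, got, want)
	}
	return nil
}

func main() {
	pub, priv, err := GenerateEvaluatorKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample artifacts standing in for a reviewed firmware image and a
	// vendor hotfix that skipped review.
	reviewed := []byte("baseband-firmware-build-1234")
	m := Manifest{
		Evaluator: "Hypothetical Independent Lab",
		Release:   "5.2.0",
		Artifacts: map[string]string{"baseband.bin": DigestHex(reviewed)},
	}
	sm, err := SignManifest(m, priv)
	if err != nil {
		panic(err)
	}
	fmt.Println("reviewed image:", VerifyUpdate(sm, pub, "baseband.bin", reviewed))
	fmt.Println("modified image:", VerifyUpdate(sm, pub, "baseband.bin", []byte("baseband-firmware-build-1234-patched")))
	fmt.Println("unreviewed hotfix:", VerifyUpdate(sm, pub, "hotfix.bin", []byte("vendor-hotfix")))
}
```

The signature is checked before the manifest is parsed, so a manifest altered in transit is rejected without any of its contents being trusted; only the evaluator's public key needs to be pinned on the operator side, and the vendor is never in a position to extend the approved list on its own.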
Solution #3: Join Global Standards Organizations. The United States can and should become more involved in setting 5G standards, as well as technical standards governing network performance and security.
As noted by the US Department of Commerce, international standards help ensure the interoperability and safety of products used in 5G networks, autonomous vehicles, artificial intelligence and other advanced technologies. Greater participation by US government and private experts in telecommunications standards organizations would be a step in the right direction.
More fundamentally, the United States – and indeed, governments around the world – must fully commit to a “zero trust” strategy. A zero-trust approach recognizes that, given the capabilities of malicious cyber actors, trusted vendors should be scrutinized in the same way as untrusted ones. As the cybersecurity company Domain5 wrote in an article for the Rural Broadband Association: “Assuming the threat is limited to Chinese vendors creates a framework in which all other vendors are to some extent more reliable, leaving a wide range of potentially dangerous risks unabated.”
At what price?
Smart policies weigh the risks against the benefits. To achieve the specific 5G goals of security, reliability and resiliency, it is important to use a risk-benefit analysis that considers both the risk environment and the cost of government or private-sector intervention needed to adequately manage risk.
Policymakers should use both collaborative and competitive methods to ensure the security, reliability, resilience and cost-effectiveness of telecommunications infrastructure, while recognizing the potential negative externalities of regulatory barriers. Laying the foundation for a secure future requires understanding the interconnectedness of the telecommunications industry, market-driven realities, and geopolitical considerations that underpin national security in a multipolar world.
*Note: The Darkhorse report was funded by Huawei Technologies USA to explore ways to assess and mitigate national security risks in telecommunications. Based on interviews with two dozen experts in the US, EU and China, it was independently written by Darkhorse CEO John Lash, Ph.D., who retained editorial control over the contents.