FCC CSRIC Sees Many Vulnerabilities in Wireless Networks
The FCC’s Communications Security, Reliability and Interoperability Council approved a report Wednesday on the “Best Practices and Recommendations to Mitigate Security Risks to Wireless Protocols,” which looks at the vulnerabilities of networks as industry starts to deploy 5G. The report was the first to be completed by the current iteration of CSRIC. The FCC also is focusing on threats from foreign actors, in an NPRM set for a vote at commissioners’ April 17 meeting (see 1803260037).
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
The biggest vulnerabilities come at the interconnection point between two networks, said Travis Russell of Oracle, chair of CSRIC’s Network Reliability and Security Risk Reduction Working Group. People should assume any network can be accessed without authorization, Russell said. The immediate reaction of some is that problems can be solved through encryption, he said. “The reality is because of the nature of the attacks encryption actually does you no good."
“Mobile networks are extremely complex,” Russell said. “There’s a lot of moving parts. ... There's a lot of differences from one network to the next. There’s no cookie-cutter approach. Every network is different.”
There's a clear market for attacking wireless networks, Russell said. The location data from smartphones has “become a very rich source of personal data,” he said. Anyone can go to the dark web and order services to do a text message interception -- all you need is a telephone number, he said. “We see services. We see products.” A common mistake companies make is taking a critical network function and attaching it to a public facing internet “to make it easier … to do remote diagnostics, remote provisioning and so on,” Russell said. “They don’t understanding that they have just exposed the entire core network to the world.”
Among the recommendations in the report is more information sharing among the FCC, the Department of Homeland Security and industry, Russell said. “The only way that we can make recommendations is if we see what the threats are, if we get that threat intelligence back,” he said. The report also recommends the government follow best practices developed by industry, he said. GSMA and other industry groups tend to get early information on new threats, he said.
The report said monitoring and analytics have never been more important for all networks, at least for incoming and outgoing traffic, Russell said. Companies need to do regular security checks and audits on their networks and look for misconfigurations, he said. Put in as many of layers of security as possible, he advised. “Hackers are lazy,” Russell said. “If they get too many barriers they’re going to go away and they’re going to go look for an easier network.” Spoofing, in which a bad actor uses a false identity is a big problem, Russell said. “I can declare that I’m anybody from a laptop and send a command into a network,” he said. “As an industry we don’t have any way of defining how to fix this yet.”
CSRIC also got updates from its other working groups. The Next Generation 911 Working Group is focused on the NG-911 transition, with a first report due to get a CSRIC vote in June, said Chair Mary Boyd of West Safety Services.
Budge Currier, from the California Governor's Office of Emergency Services, said the working group is starting by documenting the differences between 911 today and NG-911. Each state is doing the transition slightly differently, Currier said. “I’m in California; we have a slightly different approach than some other states do,” he said. “We’re researching some of the best practices” and looking at transitional risks and possible disruptions to the network, he said. Boyd said a second report will look at the NG-911 transition for small carriers. “We’re supposed to provide advice to the small carriers,” she said. A report will examine “economic disadvantages” small carriers face and whether they face unique barriers, she said. The working group also is developing a readiness checklist, she said.