Trade Law Daily is a Warren News publication.
ORAN Questions

CSRIC Approves Reports on Network Virtualization, Supply Chain Security

The FCC’s Communications Security, Reliability and Interoperability Council approved three reports Monday, during a final, hybrid meeting under the current iteration, including on the use of virtualization technology to promote more reliable and secure 5G, supply chain security and the use of hypertext transfer protocol (HTTP) in 5G. Officials said the group approved 10 reports during its tenure.

A report from the Leveraging Virtualization Technology to Promote Secure, Reliable 5G Networks Working Group, and a previous report adopted by CSRIC, show “the FCC's world is getting more complex. It is diversifying,” said co-Chair John Roese, Dell Technologies global chief technology officer-products and operations. The reports “maybe exposed the comfort issues of working outside pure telecom, but the future of the FCC is likely to be interdisciplinary and multi-domain,” he said.

The report looks at how to encourage the use of virtualization in 5G networks, addressing questions posed by the FCC, Roese said. The agency asked about how to encourage standardization, but the area is “heavily fragmented, overlapping and complex with respect to the jurisdictions of various entities within even the U.S. government,” he said. The FCC could play a role in “disentangling some of that complexity,” he said.

Among the recommendations is the need to use memorandums of understanding and other tools to formalize coordination, Roese said. The FCC should also “enhance” collaboration with industry, he said. The FCC has “the moral authority to convene the industry,” he said. The standards supporting virtualized 5G “are much bigger” than the 3rd Generation Partnership Project, he said. In the absence of anyone else providing a broader view, “FCC policy has to be based on a comprehensive understanding of all stakeholders contributing to the standardization of a modern virtualized 5G environment,” he said.

Roese said U.S. policy also discourages U.S. participation in international standards work. “Our tax policy does not allow R&D tax credits for work done outside” the U.S., he said. The report also encourages the FCC to “consider the overall health of the virtualized 5G solutions ecosystem, including diversity, productivity, security, resilience, when making regulatory decisions,” Roese said. The current ecosystem is “by no means secure,” he said. Especially with open radio access networks “we have a relatively nascent industry that’s highly fragmented, somewhat immature,” he said.

Telecom industry problems are “no longer exclusive to the industry,” and “the FCC can really play a unique and vital role in the broader ecosystem challenges,” said WG co-Chair Micaela Giuhat, Microsoft director-5G policy. Groups like the CSRIC are increasingly important in finding “the best path forward,” she said.

A report by the Managing Software & Cloud Services Supply Chain Security for Communications Infrastructure WG lays out best practices for making networks more secure. The WG was surprised by the lack of information available online on the kinds of attacks being studied, said co-Chair Todd Gibson, a member of the technical team at T-Mobile. “We had to improvise our approach a bit,” he said.

The WG created a list of “emerging threat vectors” and the kinds of challenges expected in the future, Gibson said. Among the incidents studied was an alleged Chinese attack on a vulnerable open source component in the Boa web server, which hadn’t been updated since 2005. “Even though the software hasn’t been updated in 18 years, which should set off all of our cybersecurity red flags,” some of its components are still being used in software development kits, he said.

Among the findings was that “the continuing evolution of the disaggregated supply chain will continue to present new challenges that are not easy to solve,” Gibson said: “This is a very complicated topic and discussion.” The focus should be on software, which is embedded in hardware, he said. Network management is “a collection of software,” he said. The report urges adoption of “zero trust” principles “in not only the supply chain but also in operational networks … to limit the blast of a supply chain exploit,” he said.

Memory-unsafe programming languages must be phased out of networks, Gibson said: “It's a significant challenge. You can’t replace all of your code for your applications or your network function or your network radio… overnight. It’s going to take a lot of time to do that.” The report also backs more focus on making use of AI and machine learning safer with “industry collaboration to define proper security specifications and/or best practice guidelines” for vendors, he said.

The HTTP report recommends use of 2.0 or later versions of the 3GPP standard for 5G signaling and U.S. deployments because of known vulnerabilities in HTTP 1.0, said Brian Daly, AT&T assistant vice president and co-chair of the 5G Signaling Protocols Security WG. HTTP and 5G core networks should use encryption and provide “integrity protection,” he said.

The report also recommends operation administration systems rely on dedicated consoles and not general purpose computers to access administrative and operation systems, Daly said. Any computer used to access email should never be used to access the 5G system, he said. The report provides other technical recommendations for preventing attacks and keeping 5G systems safe.

CSRIC’s current charter expires Thursday. None of the reports was immediately available.