On December 16, 2016, the Federal Communications Commission’s (“FCC”) Public Safety and Homeland Security Bureau (“PSHSB”) issued a Notice of Inquiry (“NOI”), seeking comment on critical issues concerning cybersecurity protections for fifth generation (“5G”) networks, services, and devices. PSHSB is soliciting comments from all concerned stakeholders about the best methods to ensure the security of the 5G ecosystem.
The comment and reply comment dates have recently been set by virtue of the NOI’s publication in the Federal Register. Comments are due by April 24, 2017. Reply comments are due by May 23, 2017.
Last month The CommLaw Group published a summary of the NOI and the issues raised for comment. That summary is repeated below for ease of reference and consideration.
Roles and Responsibilities of 5G Stakeholders
While the NOI contains a wide range of cybersecurity inquiries, PSHSB is fundamentally concerned about the roles and responsibilities each stakeholder should have. For example, noting that 5G devices and other network elements may be furnished by service providers, third parties, and even consumers, PSHSB asks which of these parties should be responsible for protecting a given device, or whether responsibility should be shared across the 5G ecosystem. PSHSB also inquires as to whether, and to what extent, other networks associated with 5G should bear cybersecurity responsibilities. Further, PSHSB wants to know specifically how manufacturers and service providers should work together to manage cybersecurity risks.
Protecting Confidentiality, Integrity, and Availability
PSHSB puts forth three guiding principles to promote a “security by design” approach to 5G development: (a) Confidentiality (protecting data from unauthorized access and disclosure); (b) Integrity (protecting data from unauthorized modification or destruction); and (c) Availability (whether a network provides timely and reliable access to data for authorized users). PSHSB seeks comment on how these “CIA” principles are being taken into consideration by stakeholders concerning certain topics. A non-exhaustive summary of PSHSB’s inquiries on various topics is presented below:
1. Authentication
- Will existing authentication practices suffice in a 5G network?
- Would mutual authentication be helpful?
- What specific authentication considerations would apply to 5G devices?
- How can providers authenticate high-volume, low-cost 5G devices?
2. Encryption
- What are the perceived challenges, costs, and benefits of encryption at network and device levels?
- Are currently available encryption protocols effective in a 5G environment?
- Is encryption necessary for all 5G communications?
- Should 5G providers distinguish between encryption of products that operate on the control plane and the user plane?
3. Physical Security
- What physical security needs exist in the 5G environment?
- What device and network based physical security methods would be most effective if applied to 5G devices?
- To what extent does lack of security introduce risk from unsupervised 5G devices?
- What aspects of 5G networks are related to public safety, and do they warrant more stringent physical security requirements?
4. Device Security
- What methodologies should be used to protect devices connected to 5G networks?
- Is current SIM technology robust enough to ensure security in the future?
- Are there any non-SIM methods that should be considered for high-volume, low-cost 5G devices?
5. Protecting Against Denial-of-Service Attacks
- What mechanisms are most effective at mitigating denial-of-service (“DoS”) attacks?
- Are additional standards needed to mitigate DoS attacks?
- What anti-spoofing technologies are most efficient in the 5G environment?
6. Patch Management
- Should service providers be required to implement patch management as part of their security risk management plans in the 5G environment?
- Which 5G elements can be successfully maintained through patch management?
- How can 5G service providers and equipment manufacturers ensure that critical software updates are installed on their devices in a timely fashion?
7. Risk Segmentation
- Should network elements be split into separate components to isolate security breaches and minimize overall risk?
- How could risk segmentation be applied throughout the 5G ecosystem to ensure that service providers have greater situation awareness and ability to respond to security threats?
- Should risk segmentation be based on geography, region, type of device, or community of interest?
- Do certain elements or activities merit special risk segmentation consideration?
Security Concerns for the Internet of Things
Because 5G networks will be used to connect devices, sensors, and other elements that make up the Internet of Things (“IoT”), PSHSB seeks comments on certain aspects of managing cyber threats in the IoT environment, including:
- Do IoT devices place 5G networks at risk?
- Will some IoT devices have limited security features?
- What roles should equipment providers, Internet service providers, and manufacturers play, by themselves, or in coordination, to mitigate the risks?
- Do security needs for 5G IoT devices differ from other infrastructures?
- Does the government have a role to play when residual risk threatens infrastructure or national security?
- How are service providers and equipment manufacturers assessing supply chain risks?
- What roles should 5G-specific third-party security entities play?
- What are the costs of adding security features to 5G network hardware, firmware, software, and applications?
5G Considerations for Public Safety
Due to the changes that public safety entities are undergoing as they change from legacy to IP-based modes (e.g., change from the current 911 system to the Next Generation 911 (“NG911”) and evolution from land mobile radio to Long Term Evolution (“LTE”)), PSHSB poses some inquiries on security implications for public safety in the 5G world:
- Will any new categories of public safety sensors or other tools be included as part of the 5G public safety communications infrastructure?
- What are the security implications of linking 5G networks with IP-based public safety communications platforms?
- What responsibilities should service providers have for managing the risks?
- Are there special considerations for standards development for public safety services and technologies for 5G, and if so are standards bodies addressing these issues?
Conclusion
This is a very important proceeding in that comments received will be made part of a rulemaking in which cybersecurity rules will be implemented. The CommLaw Group has helped numerous clients prepare and submit comments on proposed FCC rules. Our firm has experts in privacy and cybersecurity that can assist with any questions you may have concerning this NOI and related matters. To learn more, please contact Ron Quirk at req@commlawgroup.com, or 703-714-1305; Linda McReynolds, CIPP/US, at lgm@commlawgroup.com, or 703-714-1318; or Alexander Schneider, at ais@commlawgroup.com, or 703-714-1328.