December 16, 2016 – The FCC’s Public Safety and Homeland Security Bureau is seeking input on cybersecurity issues related to 5G wireless services and Internet of things services. The notice of inquiry adopted today in Public Safety docket 16-353 “looks holistically at the security implications (e.g., as to IoT) that arise through the provision of a wide variety of services to various market sectors and users in the future 5G network environment,” and will explore “5G security threats, solutions, and best practices,” the bureau said.
“As an initial matter, we seek to understand the current state of security planning for 5G networks,” the bureau said. “We must first build a solid foundation of facts about 5G security in order to further identify potential issue areas and solutions.”
“We seek comment on the current efforts across industry to study 5G security, develop security protocols and solutions, and triage 5G security issues when they arise. How are equipment developers considering security in the design of 5G equipment? How are service providers considering security in the planning of 5G networks and ensuring end-to-end security where 5G technology is integrated with prior generation technology in heterogeneous networks? How can the Commission support and enhance this work? What known vulnerabilities require increased study? How should 5G differ in terms of cybersecurity needs from its widely-deployed predecessor generation, 4G LTE? What cybersecurity lessons can be learned from 4G deployment and operational experience that are applicable to the 5G security environment? What should be different, if anything, between LTE pre-5G deployment and post-5G deployment?”
“In this NOI, we seek information on a variety of specific security-related issues,” the bureau said. “We do not, however, limit our inquiry to these narrow topics. Instead, we encourage commenters to consider this common thread throughout the NOI: how can we, working together with other stakeholders, ensure the rapid deployment of secure 5G networks, services, and technologies?”
The bureau noted that the FCC, in its July 2016 Spectrum Frontiers Report and Order, reiterated its view “that communications providers are generally in the best position to evaluate and address security risks to network operations. Toward this end, the Commission adopted a rule requiring Upper Microwave Flexible Use Service licensees to submit general statements of their network security plans. The statements are designed to encourage licensees to consider security in their new 5G networks. The statements will also keep the Commission informed of ongoing progress in 5G cybersecurity.”
The bureau said it is issuing the NOI “to seek input on the new issues raised by 5G security in order to foster dialogue between relevant standards bodies and prospective 5G providers on the best methods for ensuring that networks and devices are secure from the beginning.”
“We are not conducting this NOI in a vacuum,” the bureau said. “We intend this inquiry to complement the important work on cybersecurity that is already taking place within the government and private sector. The Commission, these other groups, and the wireless industry all have a significant interest in ensuring that these new networks consider security risk and mitigation techniques from the outset. This NOI, and the record it seeks to develop, will help in that effort.”
“We recognize that our inquiry, focusing on cybersecurity for 5G, raises fundamental questions relative to scope and responsibilities,” it said. “Security of network infrastructure, such as protecting software and hardware that are essential to signaling and control of Radio Access Networks and to ensure the proper operation of the network, creates one perspective.”
“Another perspective, however, just as relevant to the consumer, is the end-to-end security of both the network and the devices that connect to commercial network services,” it said. “Devices and other network elements may be furnished by the service provider, third parties, and consumers themselves.”
The bureau continued, “Who should be responsible for cyber protections for a device, or should responsibility be shared in some recognizable manner across the 5G ecosystem? We also appreciate that 5G is not apt to be a separate network, but rather will be integrated with existing previous generation networks, perhaps indefinitely. Do questions about the cyber protections of 5G networks inherently implicate the other networks associated with them? Where should the lines between networks be drawn relative to responsibility for 5G cybersecurity?”
The comment deadline for the NOI will be 90 days after “Federal Register” publication, and the reply comment deadline will be 120 days after publication. – John Curran, firstname.lastname@example.org