Sweeping FCC Inquiry on Cyber and IoT, by Megan Brown and Shawn Chang.

The Federal Communications Commission’s (FCC or Commission) Public Safety and Homeland Security Bureau (PSHSB) issued a Notice of Inquiry (NOI) on Fifth Generation Wireless Network and Device Security, PS Docket No. 16-353, which the Commission had previewed in its July Spectrum Frontiers Report and Order. The NOI will have a 90-day comment period after Federal Register publication.

The PSHSB NOI poses over 130 questions about 5G security—from encryption and software upgrades to DDoS attacks and device security. It aims to “accelerate the dialogue around the critical importance of the early incorporation of cybersecurity protections in 5G networks, services, and devices.” NOI ¶ 2. This inquiry comes amid ongoing activity at the National Institute of Standards and Technology, the U.S. Department of Homeland Security, and in the FCC’s Communications Security, Reliability, and Interoperability Council and the Technical Advisory Council. ¶ 4.

Its questions include conceptual issues, like “[w]ho should be responsible for cyber protections for a device, or should responsibility be shared in some recognizable manner across the 5G ecosystem?” ¶ 5. And it poses detailed questions about technology and operation of wireless systems, devices and innovation, as well as threats and defenses. Though the 5G ecosystem is still nascent, the NOI seeks to build “a solid foundation of facts about 5G security in order to further identify potential issue areas and solutions.” ¶ 7.

The NOI asks about authentication, encryption, physical security, device security, protecting 5G networks from cyber attacks (specifically DoS and DDoS), patch management, and risk segmentation of networks. Id. Each topic has many questions, some touching on issues already under consideration. For example, the NOI asks about software updates, which the FCC and Federal Trade Commission (FTC) are currently examining. See Letter from Jon Wilkins, Chief, Wireless Telecommunications Bureau, to Carriers (May 9, 2016).

Beyond these many issues, the PSHSB identifies additional wide ranging 5G security considerations, including:

  • Assignment of responsibility. The PSHSB asks “[w]hat roles can service providers and device manufacturers play to reduce security risk for various communities of interest? How should service providers, device manufacturers, standards bodies, and the Commission coordinate their efforts?” ¶ 32.
  • Critical Infrastructure and Supply Chain. The NOI asks about how the Internet of Things (IoT) affects critical infrastructure, and about supply chain issues. ¶ 34-35. The PSHSB asks again about responsibilities: “who should be responsible for assuring cyber security across the 5G ecosystem, what principles should guide the management of cyber risk, and how cyber risk should be managed within companies?” ¶ 37.
  • Information-sharing. The PSHSB seeks input on “how the 5G ecosystem will share information about cyber threats and concerns” including whether the FCC should pursue an Information Sharing and Analysis Organization (ISAO) for 5G. ¶ 38.
  • Costs and Benefits; DDoS Attacks. It asks about the “public harm expected to result from failure to integrate confidentiality, integrity, and availability into 5G networks through authentication, encryption, physical and device security, protecting against DoS attacks, patch management, and risk segmentation. Could failure to implement these measures decrease broadband adoption and detract from its productive economic use?” ¶ 41.
  • Public Safety Impacts. The PSHSB asks about “the security implications of linking or integrating 5G networks with IP-based public safety communications platforms.” ¶ 44. It poses numerous questions about next-generation services for first responders.

Source: http://www.wileyconnect.com/home/2016/12/20/sweeping-fcc-inquiry-on-cyber-and-iot

From the NOI: Applicable section regarding public safety:

  1. 5G Implications for Public Safety
  2. Many public safety services and technologies are undergoing radical change as underlying networks transition from legacy to IP-based modes. Examples include the transition of the nation’s 911 system to Next Generation 911 (NG911); the evolution of first responder communications from land mobile radio (LMR) to LTE, including the development of FirstNet; and the emergence of enhanced emergency alerting services that rely on IP-based technologies to communicate with the public. Will any new categories of public safety sensors or other machine-based tools become an included part of 5G public safety communications architecture? We anticipate that the development of 5G networks will contribute new capabilities to these IP-based public safety platforms while also creating new challenges, including security challenges, for public safety entities.
  3. We seek comment on the security implications of linking or integrating 5G networks with IP-based public safety communications platforms. Could this create new security risks or vulnerabilities for NG911, first responder communications, or emergency alerting? What responsibility should 5G service providers have for mitigating and managing these risks? Conversely, could 5G networks help reduce security risks that public safety faces in migrating from legacy to IP-based technologies? For example, first responders are planning to make use of Identity, Credential, and Access Management (ICAM) services to enable fast and reliable access to various emergency networks, applications, and databases during times of crisis.33 Effective implementation of ICAM will be especially important for responding to large-scale emergencies that span jurisdictional boundaries because without a secure access management protocol, inter-jurisdictional communication and access to critical information and applications may be compromised. Could 5G services support ICAM in a manner that reduces these security risks? Should public safety anticipate a need for unmanned, unattended device ICAM? Are there special considerations for standards development for public safety services and technologies for 5G, and if so, are standards bodies addressing these issues? Is there a need for additional standards body involvement?

33: Public safety professionals need immediate access to critical information from the wide variety of systems technology available (e.g., portable computers, tablets and smartphones) to make the best possible decisions and protect themselves and the public. Work continues to be done with the purpose of resolving these access and security issues, often referred to as Identity, Credential, and Access Management (ICAM). See First Responder Network Authority, http://www.firstnet.gov/newsroom/blog/psac-completes-icam-and-local-control-task-teams (last visited Oct. 19, 2016). Several public safety network initiatives, such as FirstNet and NENA’s NG911 project, continue to work towards an interoperable ICAM solution for next generation public safety networks. See generally Identity, Credential, and Access Management, Recommended Principles and Actions Report (2015), https://www.ise.gov/sites/default/files/ICAM_Summit_Report.pdf.