INSIGHT: Telecom Industry Must Develop Trustworthy 5G Equipment Supply Chains
The telecom industry must do all it can to safeguard the nation’s telecommunications systems in light of coming 5G changes and pending federal rules, David Stehlin, CEO of the Telecommunications Industry Association, says. Industry has an opportunity to address supply chain security through industry-driven standards and programs.
I may be new to Washington, but I know it’s rare to find a topic where the administration, Congress, industry, and experts can all agree. As we build out 5G infrastructure and applications, with more connected devices and data than ever before, we must all do everything we can to build and operate trusted, reliable networks that minimize our exposure to cyberattacks and espionage.
The question, as ever, is how.
Last week the FCC put forward rules to ban recipients of its funds from using untrusted vendors and set a process for replacing existing equipment that could be compromised. And the Department of Commerce is expected to release rules shortly that will implement President Trump’s executive order prohibiting potentially risky private sector transactions with foreign adversaries. These are necessary and important policies. But we will need to do much more to truly protect our telecommunications infrastructure.
Reliable, Safe Telecommunications Network Critical to National Security
Right now, it may seem impossible to create systems to verify the safety and security of all information communication technology (ICT) equipment and the vast and complicated network of U.S. telecommunications supply chains. However, the information technology community already has model programs that we must quickly adapt to address this challenge.
A secure and trusted telecommunications network is critical to our national security and our economic growth. This is particularly true as we build and implement new wireless access, fiber-deep and compute-rich 5G networks and technologies.
The benefits of applications enabled by this technology are significant, and so are the risks. The opportunities for malicious actors to attack deployed networks to disrupt critical economic and transportation infrastructure will increase rapidly.
These threats can come both from potentially compromised hardware that creates unsafe infrastructure and from the threat of malicious software that could do harm over even the “cleanest” network. And their potential risk for damage increases as the number of devices connected to the network grows exponentially.
5G isn’t years away. It’s happening now. And the devices for 5G are being manufactured now.
One of the biggest threats to network integrity comes from the use of equipment manufactured by foreign adversaries, which could allow malicious actors to introduce ‘back doors’ that could be used to monitor communications and disrupt service. This is not a technical challenge but rather an issue of trust, as these vendors could be obligated by their governments to aid in espionage or other hostile acts.
Fast-tracked policy proposals from the Trump administration and Congress are laying the foundations for a federal regulatory regime to address this emerging threat.
The FCC is expected to vote on further rulemaking to exclude carriers that use equipment from potentially dangerous suppliers from receiving funds from the Universal Service Fund (USF). And the Department of Commerce is expected to release rules that put into effect President Trump’s Executive Order that prohibits transactions with foreign adversaries, including purchasing equipment.
The Department of Defense has put forward a framework for Cybersecurity Maturity Model Certification that, when finalized, will set supply chain and security standards for its contractors. Government-wide contracting oversight agencies are expected to issue guidance in January to implement bans on any procurement from certain risky companies or contractors that use their equipment, in accordance with the 2019 National Defense Authorization Act (NDAA).
At the same time, Congress is advancing 5G supply chain security legislation in both the House and Senate that would create reporting requirements and provide funding for carriers who need to replace their potentially compromised infrastructure with equipment from entities not related to a foreign adversary.
Federal task forces including the Federal Acquisition Supply Chain Security Council, the Department of Homeland Security’s Supply Chain Risk Management Task Force and the NTIA Software Transparency Initiative are also bringing forward recommendations.
These are all positive steps forward and demonstrate to our allies that the U.S. leads by example and lives up to the 5G security principles outlined in the Prague Proposals, which we agreed to earlier this year.
But focusing on secure and trusted products will not be enough. Reviewing equipment source code will never provide the level of security that end users demand.
Government regulations will never be able to reach the level of detail needed to ensure a completely safe supply chain while leaving room for innovation and growth. At the same time, a federal enforcement program could never keep up with industry demands for verification.
We need to match secure network equipment with secure network deployment, configuration and operational procedures. We need clear, industry-driven standards that verify the integrity of the ICT supply chain and challenge companies to continually innovate and improve their supply chain processes.
Industry-Driven Standards and Programs Needed
Industry-driven standards and programs provide an avenue for verifying compliance in a timely manner with the level of nuance that government regulations are not able to achieve. Moreover, industry standards can be adjusted quickly as new threats are identified and new technologies come online, ensuring standards can be continually improved to raise the bar on security throughout the supply chain. While this is a huge undertaking, we have a strong track record to build from and a commitment to excellence.
In telecom, we have worked together for years to address common industry challenges through global industry standards and practices that help provide safe, reliable networks for consumers, businesses, and governments.
More than 2,500 industry leaders representing equipment manufacturers, service providers, developers and more help create and update over 3,600 telecommunications industry standards covering a broad range of technologies including private radio equipment, cellular towers, structured cabling, satellites, and smart device communications. Additionally, the TL 9000 system is in place to meet global communications industry supply chain quality requirements.
We are leading the way to successfully launch new and emerging technologies like vehicular telematics, smart buildings, smart device communications, smart utility mesh networks and edge data centers.
As an industry, we have an obligation to do everything possible to safeguard the integrity of telecom devices, equipment and networks. The quality and security bar needs to be continually raised and all should be expected to meet the standard. Ensuring integrity of the supply chain requires accountability, and we must start with ourselves. The ICT industry must lead the way on supply chain security, and TIA is prepared to lead the ICT industry.
We need to create and adhere to supply chain standards to give companies, the government, and consumers alike, the confidence that our vast telecommunications network is reliable and secure.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
David Stehlin is CEO of the Telecommunications Industry Association, the leading association representing the manufacturers and suppliers of high-tech communications networks.