A new report by Darkhorse Global, a geo-economic and national security consultancy, makes some good points about the convergence of national security and industrial policy frameworks for telecommunications infrastructure. It outlines three “wicked problems” confronting today’s global ICT ecosystem.
First, vulnerabilities exist in all networks, hardware and software. Second, it’s easy to confuse national security issues with concerns about economic competitiveness. Third, the intent of actors is often largely unknown, even if their capabilities are clear.
Today’s telecommunications ecosystem is beset by what political scientists call wicked problems — those that are difficult to define due to incomplete, inconsistent or changing criteria, and rely on judgment and advocacy for resolution.
Although these wicked problems may seem intractable, they can be ameliorated by “wicked solutions” — necessarily imperfect measures that are less a cure and more like medicine that helps manage a chronic condition.
A handful of solutions could improve overall ICT and network security in a more holistic way than some of the approaches being used now.
Solution #1: Apply universal standards to the telecommunications industry. The key word here is universal. We already have standards for 5G and standards and related conformance programs geared toward risk stemming from telecom equipment. These standards, together with recommended risk-mitigative measures, can be used to evaluate equipment (and software updates) before they are deployed, and to guide operators in risk management.
The Cybersecurity Framework, developed by the National Institute of Standards and Technology (NIST), part of the U.S. Department of Commerce, in collaboration with the private sector and other government experts, provides what is essentially a risk-analytic tool for organizations that can be customized to align with an organization’s mission and risk posture.
Unfortunately, there is not yet widespread support for universal, independent testing of critical components from all telecom equipment suppliers. Given the capability of today’s malicious cyber actors, such independent testing is essential.
Solution #2: Implement technical risk assessments and risk mitigation. As with standards, models for mitigating telecom-related national security risk already exist. For example, the Foreign Investment Risk Review Modernization Act (FIRRMA) modernized and strengthened CFIUS, a U.S. government body that reviews (and can block) foreign investments in U.S. companies and prescribes specific technical risk-mitigative measures, set forth in a customized national security agreement that can be a condition precedent for a transaction to proceed.
We can also build on the foundation provided by NESAS, an industry-driven set of standards and risk-management criteria for telecom equipment. Although it still has room to provide even higher assurance levels, NESAS is a globally recognized system that tests not only products, but also how they are developed and maintained (including the installation of firmware updates). NESAS also features a dispute resolution mechanism to deal with grievances from companies that believe their products, or those of competitors, were not fairly evaluated.
In addition, last year the Federal Communications Commission (FCC) standardized its interagency review process for the consideration of national security, foreign policy and trade policy issues. This is being done under the new Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector (formerly known as “Team Telecom”).
Using these and other existing measures as a guide, technical risk mitigation could be expanded into a comprehensive framework to address threats to hardware, software and supply chain security facing the telecommunications industry.
Risk can be assessed and mitigated with various models. For example, security by design is a well-known practice that incorporates security features into software throughout the development process, rather than at the end (often referred to disparagingly as having security “bolted on”). It includes regular testing of maintenance procedures to ensure that nothing malicious gets inserted into software solutions, either at the point of initial delivery or in subsequent software updates or operations and maintenance.
Another example is trusted delivery mechanisms. These can support the reliability of independent third-party reviews of hardware, software and firmware. Such reviews can give mobile network operators a reasonable guarantee that software and hardware delivered by a vendor matches what was checked by the third-party evaluator. They can also prevent vendors from delivering software updates directly to wireless carriers without also going through the independent review and testing process. Taking such steps can reduce supply chain risk.
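The trusted-delivery check described above, reduced to code as an added example (not from the report or any named vendor): an independent evaluator records a fingerprint of exactly what it reviewed, and the operator refuses to deploy anything that lacks that attestation, carries a bad signature, or differs from the reviewed bytes. The product names, key and firmware bytes are constructed, and an HMAC stands in for the evaluator's digital signature.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the evaluator's signing key (a real deployment would use
# an asymmetric signature so the operator holds only the evaluator's public key).
EVALUATOR_KEY = b"constructed-evaluator-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(body: dict) -> bytes:
    # Stable serialization so signer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_attestation(artifact: bytes, product: str, version: str, key=EVALUATOR_KEY) -> dict:
    """Evaluator side: bind product, version and the exact reviewed bytes together."""
    body = {"product": product, "version": version, "sha256": sha256_hex(artifact)}
    return {**body, "mac": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}


def verify_delivery(artifact: bytes, product: str, version: str, attestation, key=EVALUATOR_KEY):
    """Operator side: gate deployment of an initial delivery or a later update."""
    if attestation is None:
        return False, "no independent attestation: delivery bypassed review"
    body = {k: attestation.get(k) for k in ("product", "version", "sha256")}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, attestation.get("mac", "")):
        return False, "attestation signature invalid"
    if (body["product"], body["version"]) != (product, version):
        return False, "attestation covers a different product or version"
    if not hmac.compare_digest(body["sha256"], sha256_hex(artifact)):
        return False, "delivered bytes differ from what the evaluator reviewed"
    return True, "ok"


def demo():
    # Constructed sample: one reviewed firmware image, one tampered copy, one direct update.
    reviewed = b"constructed baseband firmware image 1.2"
    att = issue_attestation(reviewed, "baseband-unit", "1.2")
    return {
        "reviewed": verify_delivery(reviewed, "baseband-unit", "1.2", att),
        "tampered": verify_delivery(reviewed + b"\x00", "baseband-unit", "1.2", att),
        "direct_update": verify_delivery(b"vendor hotfix 1.3", "baseband-unit", "1.3", None),
    }
```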
Solution #3: Participation in global standards-setting organizations. The U.S. can, and should, get more involved in 5G standards-setting, as well as the technical standards governing network performance and network security.
As the U.S. Commerce Department has noted, international standards help ensure the interoperability and security of products used in 5G networks, autonomous vehicles, artificial intelligence and other cutting-edge technologies. Greater participation by U.S. government and private experts in telecom standards-setting organizations would be a step in the right direction.
More fundamentally, the U.S. — and indeed, governments around the world — must fully commit to a “zero-trust” strategy. A zero-trust approach recognizes that, given the capabilities of malicious cyber actors, trusted suppliers should be scrutinized just as closely as untrusted ones. As the cybersecurity company Domain5 wrote in a paper for the Rural Broadband Association: “To assume that the threat is limited to Chinese vendors creates a framework wherein all other vendors are to some extent more trusted, leaving unabated a wide array of potentially dangerous risks.”
At what cost?
Intelligent policies weigh risks against benefits. To meet the goals of 5G specific to security, reliability and resilience, it is important to use a risk-benefit analysis that considers both the risk environment and the cost of government or private intervention to adequately manage risk.
Policymakers should employ both collaborative and competitive methods to ensure security, reliability, resilience and cost effectiveness in telecommunications infrastructure, while recognizing the potential negative externalities of regulatory barriers. Building the foundation for a secure future requires an understanding of the interconnectedness of the telecommunications industry, the market-driven realities and the geopolitical considerations that underpin national security in a multipolar world.
*Note: The Darkhorse report was funded by Huawei Technologies U.S.A. to explore ways of assessing and mitigating national security risk in telecom. Based on interviews with two dozen experts in the US, the EU and China, it was written independently by DarkHorse CEO John Lash, Ph.D., who retained editorial control over the content.