FCC Proposes 5G Cybersecurity Requirements, Asks For Industry Advice (fedscoop.com)
Presto Vivace quotes a report from FedScoop: "Cybersecurity issues must be addressed during the design phase for the entire 5G ecosystem, including devices. This will place a premium on collaboration among all stakeholders," said FCC chairman Tom Wheeler during a National Press Club event on June 20. "We continue to prefer an approach that emphasizes that industry develop cybersecurity standards just as we have done in wired networks." The FCC published a request Wednesday for comment on a new set of proposed 5G rules to the Federal Register focused on adding specific "performance requirements" for developers of example internet-connected devices. If a company hopes to secure a license to access higher-frequency 5G spectrum in the future then they will need to adhere to these specific requirements -- in other words, compliance is non-negotiable. Notably, these FCC "performance requirements" now include the submission of a network security plan. The report adds: "A quick review of the FCC's proposed 5G cybersecurity plan shows a six category split, organized by a company's security approach, coordination efforts, standards and best practices, participation with standards bodies, other security approaches and plans with information sharing organizations. Security plans must be submitted to the commission at least six months before a 5G-ready product enters the market, according to the notice."
The best security! (Score:1)
is NO SECURITY at all!!
I know! I know! (Score:2)
According to the content industries, the only security they need is shutting down access to the internet for the user if they're found to be downloading pirated material.
Something must be wrong... (Score:1)
This seems to be well thought out and beneficial to consumers.
Congress must step in and stop this!
What are they talking about? (Score:5, Informative)
The summary mentions security a bunch of times, but it says nothing about any specific security measures or requirements. So I clicked through to the article. The article is similar to the summary: no specifics. It links to a long "requirements" document.
What does the document "require" regarding security? Answer: a written plan. 5G networks should write down their plan and send it to the FCC. It should have some specific list of headings and sub-parts.
So the result of this is ... paperwork. Yay...?
Re: What are they talking about? (Score:2)
It's a process. They've said they want industry to drive the standards. That requires consultation and review of responses. The document outlines a bunch of high level requirements where those are clear, and poses questions to respondents where it clearly hasn't formed a firm view.
Basically they have thrown up parts of a straw man and are seeking input.
Re: (Score:2)
Yeah, I'm just not sure why this is interesting.
Re: What are they talking about? (Score:2)
:-)
At least it's not dog whistle click bait.
And I found the thinking around how the spectrum might be divided and re-prioritised dynamically to be mildly interesting.
Relevant section (Score:5, Informative)
From the relevant Fed page:
"§ 30.8 5G Provider Cybersecurity Statement Requirements.
(a) Statement. Each Upper Microwave Flexible Use Service licensee is required to submit to the Commission a Statement describing its network security plans and related information, which shall be signed by a senior executive within the licensee's organization with personal knowledge of the security plans and practices within the licensee's organization. The Statement must contain, at a minimum, the following elements:
(1) Security Approach. A high-level, general description of the licensee's approach designed to safeguard the planned network's confidentiality, integrity, and availability, with respect to communications from:
(i) A device to the licensee's network;
(ii) One element of the licensee's network to another element on the licensee's network;
(iii) The licensee's network to another network; and
(iv) Device to device (with respect to telephone voice and messaging services).
(2) Cybersecurity Coordination. A high-level, general description of the licensee's anticipated approach to assessing and mitigating cyber risk induced by the presence of multiple participants in the band. This should include the high level approach taken toward ensuring consumer network confidentiality, integrity, and availability security principles, are to be protected in each of the following use cases:
(i) Communications between a wireless device and the licensee's network;
(ii) Communications within and between each licensee's network;
(iii) Communications between mobile devices that are under end-to-end control of the licensee; and
(iv) Communications between mobile devices that are not under the end-to-end control of the licensee;
(3) Cybersecurity Standards and Best Practices. A high-level description of relevant cybersecurity standards and practices to be employed, whether industry-recognized or related to some other identifiable approach;
(4) Participation With Standards Bodies, Industry-Led Organizations. A description of the extent to which the licensee participates with standards bodies or industry-led organizations pursuing the development or maintenance of emerging security standards and/or best practices;
(5) Other Security Approaches. The high-level identification of any other approaches to security, unique to the services and devices the licensee intends to offer and deploy; and
(6) Plans With Information Sharing and Analysis Organizations. Plans to incorporate relevant outputs from Information Sharing and Analysis Organizations (ISAOs) as elements of the licensee's security architecture. Plans should include comment on machine-to-machine threat information sharing, and any use of anticipated standards for ISAO-based information sharing.
(b) Timing. Each Upper Microwave Flexible Use Service licensee shall submit this Statement to the Commission within three years after grant of the license, but no later than six months prior to deployment.
(c) Definitions. The following definitions apply to this section:
(i) Confidentiality. The protection of data from unauthorized access and disclosure, both while at rest and in transit.
(ii) Integrity. The protection against the unauthorized modification or destruction of information.
(iii) Availability. The accessibility and usability of a network upon demand."
So you have to disclose it to the government (Score:2)
30.8 5G Provider Cybersecurity Statement Requirements.
(a) Statement. Each Upper Microwave Flexible Use Service licensee is required to submit to the Commission a Statement describing its network security plans and related information, ...
So the applicant has to publish his whole security architecture in order to get a license.
On one hand this conforms to the best practices recommendations of the security community: Expose the algorithm to analysis and keep the security in the keying secrets.
On the other ha
Re: (Score:2)
It says "a high level general description" a bunch of times. It's not enough information to do anything with.
Advice?! (Score:3)
That "advice" will be "Make FCC STFU" scribbled on the memo line on big fat checks to friends of the telcos scattered about in Congress.
as long as it's user-focused, fine (Score:2)
no sneaky little back doors or all-1s keys opening things up.
why bother? (Score:2)
Securing the core/network is a fool's errand (Score:2)
Plans With Information Sharing and Analysis Organizations. Plans to incorporate relevant outputs from Information Sharing and Analysis Organizations (ISAOs) as elements of the licensee's security architecture. Plans should include comment on machine-to-machine threat information sharing, and any use of anticipated standards for ISAO-based information sharing.
Oh look, CISA slipped into an omnibus and now the empty rhetoric about sharing being "voluntary" is revealed for what it is.
Instant gratification? (Score:2)
Our society has promoted the concept of instant gratification. Fast food, fast browsers, overnight Amazon delivery. Fast, fast, fast.
I have the minimum cable internet service from Cox. I often get 2MB/s or more down, unknown up. I do transfer large files on occasion. I either transfer them in the background where they have no effect on my other activities or I move them overnight. Why would I pay for faster service?
I understand the mantra, promoted by those who offer speed as a feature, and I appreciate hav
Information Sharing & Analysis Organization?! (Score:1)
The actual FCC notice [federalregister.gov] has:
(6) Plans With Information Sharing and Analysis Organizations.
Plans to incorporate relevant outputs from Information Sharing and Analysis Organizations (ISAOs) as elements of the licensee's security architecture. Plans should include comment on machine-to-machine threat information sharing, and any use of anticipated standards for ISAO-based information sharing.
What's an ISAO? Here's what the DHS has to say [dhs.gov]. Short summary: Big Brother.
Terrible track record (Score:2)