Slashdot Mirror


FCC Proposes 5G Cybersecurity Requirements, Asks For Industry Advice (fedscoop.com)

Presto Vivace quotes a report from FedScoop: "Cybersecurity issues must be addressed during the design phase for the entire 5G ecosystem, including devices. This will place a premium on collaboration among all stakeholders," said FCC chairman Tom Wheeler during a National Press Club event on June 20. "We continue to prefer an approach that emphasizes that industry develop cybersecurity standards just as we have done in wired networks." The FCC published a request Wednesday for comment on a new set of proposed 5G rules to the Federal Register focused on adding specific "performance requirements" for developers of example internet-connected devices. If a company hopes to secure a license to access higher-frequency 5G spectrum in the future then they will need to adhere to these specific requirements -- in other words, compliance is non-negotiable. Notably, these FCC "performance requirements" now include the submission of a network security plan. The report adds: "A quick review of the FCC's proposed 5G cybersecurity plan shows a six category split, organized by a company's security approach, coordination efforts, standards and best practices, participation with standards bodies, other security approaches and plans with information sharing organizations. Security plans must be submitted to the commission at least six months before a 5G-ready product enters the market, according to the notice."

2 of 29 comments

  1. What are they talking about? by Kohath · Score: 5, Informative

    The summary mentions security a bunch of times, but it says nothing about any specific security measures or requirements. So I clicked through to the article. The article is similar to the summary: no specifics. It links to a long "requirements" document.

    What does the document "require" regarding security? Answer: a written plan. 5G networks should write down their plan and send it to the FCC. It should have some specific list of headings and sub-parts.

    So the result of this is ... paperwork. Yay...?

  2. Relevant section by BlackSabbath · Score: 4, Informative

    From the relevant Fed page:

    "§ 30.8 5G Provider Cybersecurity Statement Requirements.

    (a) Statement. Each Upper Microwave Flexible Use Service licensee is required to submit to the Commission a Statement describing its network security plans and related information, which shall be signed by a senior executive within the licensee's organization with personal knowledge of the security plans and practices within the licensee's organization. The Statement must contain, at a minimum, the following elements:
    (1) Security Approach. A high-level, general description of the licensee's approach designed to safeguard the planned network's confidentiality, integrity, and availability, with respect to communications from:
    (i) A device to the licensee's network;
    (ii) One element of the licensee's network to another element on the licensee's network;
    (iii) The licensee's network to another network; and
    (iv) Device to device (with respect to telephone voice and messaging services).
    (2) Cybersecurity Coordination. A high-level, general description of the licensee's anticipated approach to assessing and mitigating cyber risk induced by the presence of multiple participants in the band. This should include the high level approach taken toward ensuring consumer network confidentiality, integrity, and availability security principles, are to be protected in each of the following use cases:
    (i) Communications between a wireless device and the licensee's network;
    (ii) Communications within and between each licensee's network;
    (iii) Communications between mobile devices that are under end-to-end control of the licensee; and
    (iv) Communications between mobile devices that are not under the end-to-end control of the licensee;
    (3) Cybersecurity Standards and Best Practices. A high-level description of relevant cybersecurity standards and practices to be employed, whether industry-recognized or related to some other identifiable approach;
    (4) Participation With Standards Bodies, Industry-Led Organizations. A description of the extent to which the licensee participates with standards bodies or industry-led organizations pursuing the development or maintenance of emerging security standards and/or best practices;
    (5) Other Security Approaches. The high-level identification of any other approaches to security, unique to the services and devices the licensee intends to offer and deploy; and
    (6) Plans With Information Sharing and Analysis Organizations. Plans to incorporate relevant outputs from Information Sharing and Analysis Organizations (ISAOs) as elements of the licensee's security architecture. Plans should include comment on machine-to-machine threat information sharing, and any use of anticipated standards for ISAO-based information sharing.
    (b) Timing. Each Upper Microwave Flexible Use Service licensee shall submit this Statement to the Commission within three years after grant of the license, but no later than six months prior to deployment.
    (c) Definitions. The following definitions apply to this section:
    (i) Confidentiality. The protection of data from unauthorized access and disclosure, both while at rest and in transit.
    (ii) Integrity. The protection against the unauthorized modification or destruction of information.
    (iii) Availability. The accessibility and usability of a network upon demand."