The FCC’s Foray Into 5G, IoT Device Cybersecurity
Public Safety Bureau asks wide-ranging questions in NOI The Commission's Public Safety and Homeland Security Bureau has put out a Notice of Inquiry (NOI) seeking information about the security of communications in 5G networks and devices. The Bureau raises these questions especially in light of the expected Internet-of-Things-related proliferation of wireless devices that have the potential to collect personal information and also more readily bring cyberattacks against our devices and into our homes. Well known examples are hackers opening cars and garage doors, and taking control of Jeeps and other vehicles. Cybersecurity is an issue already being raised by consumer advocates, as well as manufacturers; the NOI shows that the FCC has been listening.
The NOI's key focus is "CIA" (gotta love government acronyms!), meaning the principles of confidentiality, integrity, and availability of security practices used by networks, service providers, and equipment developers. (As an aside, broadband providers already are expected to take CIA principles into account in protecting the privacy of users.) The Bureau tees up numerous questions about current practices, concerns about vulnerabilities, lessons learned from past deployment, and best methods for handling risks:
- CIA-related questions focus on authentication, encryption, physical security, device security, protecting 5G networks, patch management and risk segmentation. Questions range from whether current mutual authentication and encryption methods are effective to whether additional standards are needed to mitigate against Denial of Service and Distributed Denial of Service attacks.
- Additional 5G security issues. The Bureau asks about the holistic use of devices in 5G IoT, and how much additional vulnerabilities may arise or increase from that, and who should be responsible for risk management.
- Public safety use of 5G technologies. Given the many ongoing transitions of public safety-related communications, including the move to FirstNet (the unified first responder network) and Next Generation 911, the Bureau seeks comment on potential vulnerabilities and how to address those.
Whether this NOI will bring about new rules or recommendations may depend upon who becomes the next FCC Chair. The Obama administration has spent the last six years wrangling multiple federal agencies and industry into one room to begin to develop a coherent national policy on cybersecurity. While the president-elect has proposed a Cyber Review Team, is far too early at this juncture to understand what role the FCC will have with this group and whether the new FCC Chair will act on whatever findings come out of the NOI. But for those itching to have their say in the conversation, comments will be due 90 days after publication of the item in the Federal Register, in PS Docket No. 16-353. Let us know if you need assistance.