Ahead of the upcoming administration change, the Federal Communications Commission (FCC or Commission) has continued its efforts focused on security and privacy. On December 16, 2016, the FCC’s Public Safety and Homeland Security Bureau (PSHSB or Bureau) released a Notice of Inquiry (NOI) intended to facilitate dialogue and initiate action on the part of the communications industry to consider and integrate cybersecurity at the start of development of new 5G networks and technologies. Comments are due 90 days after publication in the Federal Register and reply comments are due 120 days after publication.
The PSHSB was tasked with issuing the NOI in the July 2016 Spectrum Frontiers Report and Order (Order), which included a requirement that any entity that is granted a millimeter-wave (mmW) license must submit a statement to the Commission discussing how they intend to incorporate the guiding security principles of confidentiality, integrity, and availability (CIA principles) into their network security design plans before beginning operations on the spectrum band. The mmW bands are expected to play a critical role in the development of 5G networks and in supporting IoT device connections. Recently, some entities have pushed back on the rule with petitions for reconsideration challenging, among other things, the Order’s security statement obligation.
In the NOI, the Bureau seeks comment on the following aspects of ensuring CIA principles:
- current use of authentication in networks and whether those practices can be applied in the 5G environment;
- planned deployment and use of encryption to promote 5G security, for networks and devices;
- physical security objectives and needs in the 5G environment;
- methodologies that will be used to ensure security of devices connected to 5G networks;
- mechanisms to effectively mitigate risks from denial-of-service (DoS) and distributed DoS (DDoS) attacks;
- the role of security patch management in service providers’ 5G risk management strategy; and
- the use of risk segmentation techniques in 5G networks.
In addition, the NOI explores the costs and benefits associated with effectively managing cyber threats in the 5G environment given its expected role in the Internet of Things (IoT), where a myriad of devices, sensors and other items will be connected to communications networks. The PSHSB seeks comment on which network participant (e.g., service providers, software developers, and device manufacturers) should be responsible for assuring cybersecurity across the 5G ecosystem and what principles should guide their efforts. The NOI also raises questions about the implications of 5G network development for public safety organizations and the way they communicate.
The release of this NOI suggests that due to the growth in the number of IoT connected devices, issues of network cybersecurity will continue to be of interest at the FCC. However, based on the industry pushback and Republican reluctance to expand the FCC’s role into the realm of cybersecurity, it is unclear how the NOI and the new Spectrum Frontiers security statement requirement will play out under the new administration.