The Secure 5G and Beyond Act – U.S. Credibility and Legal Requirements at Stake
The Secure 5G and Beyond Act of 2020 has been submitted by the U.S. Congress to the White House for signing into law. It has been sitting there for several days now, but there are obviously more important developments demanding attention than a law compelling the Executive Branch to develop a 5G security strategy within 180 days through public and Federal agency consultations that will be implemented by the NTIA.
Given that the implementation would occur by a new Administration rather than the present one, it is possible that the Act may never be signed. It may actually be a good option. Given the abysmal lack of understanding of even 5G basics anywhere in Washington and lack of expertise, it may be a long time before a minimally rational 5G strategy is possible. Another embarrassing 5G pronouncement out of Washington is not helpful for the nation. The actions are also arguably irrelevant for most of the world because the huge public-private collaborative activities like 3GPP and constellation of related bodies which have the expertise, continue to go about their work effectively every day.
What Does the Act Attempt to Accomplish?
Specifically, the Act calls for the development of a “strategy to ensure the security of next-generation wireless communications systems and infrastructure” by the President. That it requires the impossible, i.e., “ensure security,” gives pause. You can lower risks, but not “ensure security.” Additionally, the repeated focus on “wireless” throughout the Bill suggests a lack of understanding of 5G itself — especially given the omission of any definitions in the Act. The most significant if not revolutionary change about 5G is not that it employs more wireless bandwidth, but that all network architectures and services are virtualized, and its new low-latency protocols enable innovative applications. Indeed, seamless non-wireless 5G access known as 5th Generation Fixed (F5G) and Multi-access Edge Computing are core features of the infrastructure. This breadth of scope is underscored by the CableLabs standards organization’s significant involvement in the 5G work for its constituent cable providers from the outset.
The Act is fairly simple — as it is divided into just two sections. The first section articulates three somewhat nationalistic objectives, followed by four “whole-of-government” “elements” that seem reasonable: 1) what’s happening, 2) what are the risks and measures, 3) mitigation of risks and 4) ongoing activities. The last element includes a long-overdue emphasis on facilitating greater public-private sector engagement in ongoing global standards forums. The Act’s second section articulates eighteen “national and economic security interests” Congress wants to be addressed in the strategy. Although somewhat US-centric, those 18 interests are not unreasonable.
Somewhat amusingly, the Act explicitly excludes the nationalization of 5G networks as part of the strategy.
5G Obliviousness by Design?
What the Act conveniently ignores is the massive and intense activity of highly knowledgeable experts in industry and government agencies around the globe devoted to achieving those interests over more than eight years. That public-private activity was perfected through significant U.S. “whole-of-government” initiative for decades and been highly successful. It also proceeds through highly transparent activities by broad consensus and establishes capability requirements that are followed by the development of implementation specifications incrementally for each new 5G release. Anyone can readily see over a period of many years, exactly who is (or is not) engaging in the work through submitted contributions and collective decisions. Even passive participants are part of the records.
The assumption seems to be that the thousands of people and hundreds of organizations involved in that work over those years have insufficiencies or missed something and depreciates the value of global 5G collaboration work. The mode of that work is also highly collegial. That is, if any government agency, company, or institute has a better idea on how to proceed among the many hundreds of studies and resulting specifications, they are free to contribute and even stop work and adoption of outputs. These groups also typically engage is substantial, constant pro-active outreach to dozens of other industry and intergovernmental bodies.
The only ones really missing here over the past two decades are the U.S. government agencies — almost all of them except to a limited extent, the national security community which has gone from active to passive participation.
A major deficiency in the 5G Act
The Act itself misses some fundamentals relating to the U.S. legal system — namely how the U.S. 5G infrastructure is going to meet all of the twelve security-related compliance requirements of every public communications infrastructure that are well-established in law. Security is a vague construct that encompasses all of these requirements in complex ways and consists of much more than just supply chain management. The order of these requirements, compiled by a legal-technical team in the Cyber Security Technical Committee to guide 5G work, suggests a relative level of importance.
- Emergency and public safety communication
- Lawful interception
- Retained data
- Cyber Security
- Identity management
- Network management
- Operations control
- Support for persons with disabilities
- Lawful content control
- Personally Identifiable Information protection
- End-user content control
Each of these requirements — which are essential for any credible national security strategy — has been addressed in the enormous work ensuing in multiple global standards bodies and can be found in the requirement, studies, and technical specifications adopted for the various 5G releases.
Washington Ignored the Global Industry 5G Supply Chain Initiative
In the narrow area of 5G supply chain security, the U.S. government has been largely absent from the past eight years of extensive work in multiple global standards forums. In late 2012, a major initiative was launched — that included multiple bodies, especially the Common Criteria Control Board, 3GPP, and GSMA to tackle 5G supply chain management requirements. Shortly afterward, major implement initiatives ensued both in 3GPP SA3 and GSMA — known respectively as SECAM & SCAS (Security Assurance Methodology & Security Assurance Specification) and NESAS (Network Equipment Security Assurance Scheme). The world’s principal equipment vendors were involved, and testing laboratory certification arrangements were put in place. Several U.S. government agencies were aware of these initiatives but chose to ignore them, notwithstanding repeated attempts to gain their involvement.
Now, years later, there is a realization in the U.S. government that 5G supply chain security is necessary, and collective flailing in Washington is underway. While Washington has been sleeping, the global public-private industry initiative produced ten SCAS work items for specifications covering different network equipment and service classes that have been completed or underway. The latest four were just adopted at last week’s SA3 (Security) meeting, including 5G SCAS Enhancement for Rel. 17 and blessed at this week’s 3GPP SA Plenary.
The FCC’s recent banning order and White House enactments are shameful foolishness in light of the reality of what has ensued. They completely ignore extensive, well-designed global mechanisms for supply chain security in favor of nonsensical bans, and then wonder why the rest of the world has not followed.
U.S. Credibility Is at Stake
Some U.S. companies and organizations have been significantly engaged in the large-scale 5G security standards activities to varying degrees. Indeed, as one of the 3GPP partners, North American companies have been hosting a third of all the 5G meetings at different locations around the U.S. Some specialized 5G standards activities have been taken up by U.S. based standards bodies like OASIS and CableLabs. Many U.S. companies have been obviously absent — a trend over the past two decades caused by several factors — especially the lack of government leadership and encouragement. The Trump Administration’s assault on 5G standards bodies last year just further impeded U.S. engagement as it was the exact opposite of what should have occurred.
Except for some specialized compliance requirement areas, the U.S. government’s national security assets have been completely absent. At the same time, both European and Asian entities have consistently devoted significant assets in openly collaborating on requirements and implementation specifications and reaching consensus decisions.
What the Act also misses utterly is that the ongoing global collaboration is not a zero-sum game, and nations benefit enormously from their companies and experts collaborating on new technologies, concepts, and services, including security. One sees this almost every day in the many hundreds of contributed inputs to the 5G international standards development processes that result in new studies and specifications. However, it is usually European and Asian countries that are the 5G innovators, and you can see it in the new work items brought into multiple activities, such as those of ETSI and recent ITU-T SG 13 and SG17 meetings. The substantially diminished U.S. government engagement in any international 5G activities, combined with absurd statements, show Washington summits, and product banning, ultimately severely harms the nation’s leadership stature as well as its enterprises and end-users.
Although the hope is slim, the U.S. has a new chance here to gain 5G credibility. If the White House does sign the 5G strategy Act, but it emerges as yet another narrow, myopic, nationalistic construct devoid of any understanding what 5G even is and the benefits of international collaboration; or fails to treat the full panoply of security requirements essential for national and extraterritorial deployment, the goals of the Act will not be achieved, and U.S. credibility will be further reduced.
Additional damage to our legal system will also occur if the report does not recognize and support the entire ecosystem of law that underpins a comprehensive “network security” construct. Failure to recognize and seek its implementation going forward would also render U.S. 5G infrastructure at risk. The rest of the world will be using 5G equipment and services subject to the globally adopted 5G supply chain security specifications and certifications, as well as regulatory requirements for meeting the entire ecosystem of security and system specifications. U.S. consumers and businesses are left holding the bag and bearing the costs with nothing but a ban on two vendors because of their corporate headquarters.