I have focused time on the specific threat posed by insecure equipment, primarily equipment manufactured and supported by Chinese companies, in U.S. communications networks. I have been talking about this issue and specifically about the need to find insecure equipment in our networks, to work with other policymakers to fix the security problems and to fund a solution for affected carriers: Find it, Fix it, Fund it. I first set this concept out in on an op-ed in The Hill in late May of this year, just weeks after the president issued his executive order barring U.S. companies from buying foreign-made telecommunications equipment deemed a national security risk.
In June, I held a workshop at the FCC to bring together carriers, equipment manufacturers, national security experts, academics and other stakeholders to consider the issue of insecure equipment in U.S. telecommunications networks and my proposed “Find it, Fix it, Fund it” approach. This was the largest gathering of its kind ever held, and it drove home several key points including that one of the most important questions to ask when evaluating whether a piece of communications equipment is trustworthy is whether the manufacturer is trustworthy. If they are not, the consensus at the June workshop was that, due to the myriad paths to exploit networking equipment, it’s unlikely that any equipment from a supplier that is not trusted could ever be trusted.
Between my June workshop and a second meeting with rural carriers with Chinese equipment in their networks at the CCA Conference in September, I am proud to say that I have met with nearly two dozen carriers with Chinese equipment in their network. Many communications networks in the United States and around the world have components manufactured and serviced by Huawei and ZTE. Security experts around the world agree that use of this equipment presents significant security risks due to inconsistencies in the equipment’s software code and, more broadly, due to these manufacturers managing the networks, including creating and distributing software updates and patches, from China. An additional concern that amplifies remote management worries is that Chinese manufacturers are obligated, under Chinese law, to cooperate with Chinese government direction or requests to use networks assets for espionage or for other harmful purposes potentially including disrupting critical services or conducting cyber-attacks.
The risk that network equipment could be used for surveillance and other malicious purposes tips these concerns from narrow considerations about attacks on a single service provider or network into much broader national security concerns. Unfortunately, concerns about these kinds of attacks are now the realities of the connected and dangerous world we live in. Network security is national security.
The nature of 5G networks also gives rise to new concerns. In earlier networks, edge elements could be separated from the core network, and lower security at the edge of networks was potentially tolerable as long as the core was protected. But 5G architecture, with significant network intelligence distributed throughout network components, makes such distinctions impossible. Unlike earlier generations of wireless technology, the core and edge, and all elements of 5G networks must be secure.
Accordingly, though 5G networks are capable of supporting more sophisticated security measures, they also present a larger attack surface. To put a finer point on this, equipment manufactured and supported by Chinese companies has a wide open front door through which it receives updates from China in order to stay secure and to continue working. It may also have back doors, either intentionally created or discovered due to software inconsistencies. But with the front door wide open, the secrecy of a stealthy back door becomes less important. With that in mind, I believe that U.S. service providers need to take these serious threats into account when considering whether to replace existing insecure equipment and on what timeline to do so.
Some service providers I have heard from have been interested in exploring monitoring their Chinese-manufactured equipment as a means to mitigate threats. The theory is that constant monitoring will allow service providers to know immediately if bad or unexpected data is entering or leaving their network equipment.
A monitoring approach raises several issues. First, densified 5G networks will have many, many antennas and radios. This means that monitoring would likely be an impossibly huge task. But second, and more importantly, a monitoring solution assumes that network equipment can be trusted, given proper monitoring, even if you don’t trust the equipment manufacturer.
However, if an equipment manufacturer is not trusted, then every single aspect of the network that manufacturer produced, every piece of equipment it touches, and every software update and patch it designs could contain malicious code or present exploitable vulnerabilities. While the ability to trust the equipment is important, the ability to trust the supplier is critical. And, I have come to think of monitoring in the absence of trust of the manufacturer as unlikely to give an acceptable level of confidence that network equipment is secure.
So, with these threats identified, one might fairly wonder: What’s the U.S. government doing about it? The answer is: a lot. One example is this meeting here today. This gathering, and the significant government participation in it, is part of a serious and important “all-of-government” effort to ensure that our networks are secure.
Earlier this year, the president signed an executive order barring the purchase or use of equipment produced by an entity controlled by a foreign adversary, recognizing them as creating an undue risk of sabotage. This executive order assigned duties to various federal agencies, and work to implement it is underway across government agencies, including those in this room. Congress has also passed a defense appropriations bill in August 2018 that included a ban on government purchasing equipment from companies deemed insecure, including Huawei and ZTE. For its part, the FCC has proposed a ban on using the funds its universal access programs provide to purchase equipment from suppliers considered a security risk. Just this week, the FCC announced that it will vote, later this month, on this proposal.
Each of these efforts is important, and all share a common goal of securing U.S. networks from bad actors, but they are also each focused on what to do in the future about security threats in communications networks. I have consistently said that we can’t think of this issue asymmetrically, only focusing on keeping insecure equipment out going forward, and failing to address the insecure equipment located in U.S. communications networks today and that it represents a threat today.
My view is that we must find this equipment, figure out what must be done to fix the threats that it poses, and every indication points to a solution involving replacing the equipment, and we must look toward securing federal funding to help carriers who have this equipment replace it. Find It, Fix It, Fund It.
When you talk with and really listen to the small rural carriers with Huawei or ZTE in their network, you hear two points. First, at the time when these telecom providers bought Chinese equipment, they did nothing wrong and broke no laws for which they should be punished. I agree. Second, you hear from these providers that — given their budgets — they are going to need assistance in paying for any replacement costs. On this account as well, I agree. Just last month, bipartisan legislation was introduced in the U.S. House of Representatives that would establish a $1 billion fund for small and rural wireless providers to use in replacing suspect equipment. Similar legislation was approved by the U.S. Senate’s Commerce Committee earlier this year.
I know that ripping out Chinese equipment and replacing it with trusted equipment won’t be turnkey, but I also know that we are talking about national security and that this isn’t something we can afford to do on the cheap. And, I know there are multiple issues to consider, including availability of replacement equipment, availability of crews to install it, determinations about what equipment is considered insecure and what equipment is appropriate to replace it, and a host of other details. Creative solutions will also be called for, including customized financing and other steps to develop products and packages geared toward smaller providers, and on a longer term, the need to build American technology in software-enabled, virtualized 5G infrastructure where we can lead in safe offerings as I set out in an op-ed published in September in the San Jose Mercury News.
I have every confidence that service providers, working with the ongoing all-of-government approach, will find a path forward to ensure that threats in our networks are eliminated and that our remaining networks are secure. I consider network security to be one of my top priorities at the commission.
Geoffrey Starks is a commissioner at the Federal Communications Commission. Edited for length and style, this article comes from a keynote speech the commissioner delivered on Oct. 30 at the 5G Rural Engagement Initiative in Denver.