“Americans, your calls and texts can be monitored by Chinese spies,” a Washington Post opinion piece recently headlined. China has “growing cyber-sophistication and relentless ambition to undermine U.S. infrastructure” another Post article reported. Some analyses trace the recent exploitation to a telecommunications network backdoor created early in the era of digital networks to allow for court-authorized wiretaps.
When the digital wiretap law was passed in 1994, no one foresaw the kind of sophisticated intrusions apparently developed by the Chinese. It is an experience that we must remember as the design of digital network technology continues to evolve.
I helped negotiate the 1994 Communications Assistance for Law Enforcement Act (CALEA) that, some fear, created the exploitable access for Chinese spies. The concern at the time was that the evolution from analog to digital telecommunications was hindering law enforcement. “Some of the problems encountered by law enforcement relate to the explosive growth of cellular and other wireless services,” the House committee report explained. “[T]he increasing amount of transactional data generated by the millions of users of on-line services” was an accompanying problem. Written 30 years ago, it is a description of today’s communications environment, in which wireless networks deliver online digital information.
At the time, I was the CEO of the Cellular Telecommunications and Internet Association (CTIA), the wireless industry’s trade association. Along with wired communications providers, our members were concerned about the way the FBI was proposing to monitor communications across the new digital technology. After detailed and lengthy negotiations, industry and law enforcement mutually agreed to a result that addressed the FBI’s concerns about access to the new technology, while also addressing industry concerns.
On August 11, 1994, I sat next to FBI Director Louis Freeh before a joint House and Senate hearing to announce that we had reached an agreement on the CALEA legislation and to urge its passage. That what we jointly endorsed that day could, decades later, be potentially hackable by Chinese spies was not part of that discussion.
Today—30 years after CALEA—a new digital wireless technology promoted by both the industry and government is raising new cyber risks. Called Open Radio Access Network (O-RAN), it is a new technical standard that seeks to copy for telecommunications infrastructure the scale and savings enjoyed by the computer industry’s interoperability of different pieces of network equipment from different vendors. In O-RAN, the network functions once performed by purpose-built hardware are instead virtualized in software. Based on input from the Federal Communications Commission (FCC) and Department of Commerce, the software is broken into multiple layers, thus expanding the number of vendors.
The O-RAN concept is an important step forward that will deliver increased capabilities at decreased costs. Accompanying these advantages, however, is the challenge to mitigate the increased risk of cyberattacks resulting from software that relies in part on open-source code running on commodity hardware.
Earlier networks ran on proprietary equipment utilizing proprietary software that offered focused protection against attacks. Moving more functions to hackable software that is disaggregated from a purpose-built network appliance creates new pathways to attack these new networks.
Another attractive aspect of O-RAN is how the shift to virtualize hardware breaks the chokehold of the traditional suppliers of network equipment. This advantages cybersecurity because it creates alternatives to Chinese hardware manufacturers, such as Huawei. Yet, this too comes with the countervailing paradox that such supplier diversity represents another increase in the number of attack trajectories in the networks.
As the European Union’s Report on the Cybersecurity of Open Radio Access Networks concluded, while there are security benefits to the diversification of suppliers, “by introducing a new approach, new interfaces and new types of RAN components potentially coming from multiple suppliers, Open RAN would exacerbate a number of the security risks of 5G networks and expand the attack surface.”
Network operators and law enforcement were reportedly blindsided by the ability of Chinese hackers to create advanced persistent threats (APTs) to exploit CALEA. This experience, however, is but the most current of many warnings that the networks on which our nation relies are vulnerable. Whatever the outcome of the ongoing investigation, the latest exploitation should send a message that we need cybersecurity as a forethought, rather than an afterthought, in the design of digital networks, accompanied by ongoing oversight of network security.
Looking back to go forward
Twenty years after CALEA passed, I was chairman of the FCC, the agency responsible for America’s networks. As chairman, I tried to work with network providers to develop cybersecurity standards that were flexible enough to evolve with the technology and the ever-evolving attack techniques of those seeking to exploit the networks. The irrefutable fact is that every single one of the cyberattacks that affect our nation traverse, at one point or another in their transmission, a private network regulated by the FCC.
What we proposed in 2014 was that the companies implement and report on their adherence to the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework. The NIST Framework is a collection of best-practice internal controls developed collaboratively with industry that is continually evolving to help companies protect against cyberattacks. Along with implementing the voluntary NIST Framework, we asked the industry to identify where they set their objective cyber-risk threshold, their progress toward implementation of the Framework, and the steps taken to cure internal control shortfalls.
It was a new approach to network oversight that stopped short of regulatory micromanagement in favor of standards-based expectations. “The communications sector is at a critical juncture,” I said in a June 14, 2014, speech laying out the new program. “We know those [cyber] threats are growing. And we have agreed that industry-based solutions are the right approach… We will implement this approach and measure results. It is those results that will tell us what, if any, next steps must be taken.”
Unfortunately, the effort fell apart when the companies resisted a plan for reporting to the FCC. The industry argued the Department of Homeland Security (DHS) was a better place for such oversight. DHS, of course, had no regulatory authority over the networks. The Trump FCC then followed the industry’s preference and ceased the FCC initiative.
DHS subsequently established the Cybersecurity and Infrastructure Security Agency (CISA), which is doing great work to advance best practices across the economy. Absent regulatory authority, however, such efforts can only go so far. Cyber risk is a business risk; at the end of the day, how much a company invests in risk reduction is a bottom-line decision. The appropriate role for a regulator such as the FCC should be to establish expectations for such decisions to stimulate sufficient cyber protection by the nation’s networks—and then to inspect the results.
Today, the FCC’s minimal cybersecurity reporting obligations are constrained to cyber incidents that lead to outages, with no reporting requirements for compromises to confidentiality or network integrity. Amazingly, through its detailed reporting requirements on cyber issues, the Securities and Exchange Commission (SEC) has more information on cyber shortfalls than the regulator charged with protecting America’s networks.
Thirty years ago, government and industry worked together to protect public safety and national security in a rapidly evolving digital environment. Ten years ago, industry and government could not come to terms with ongoing cybersecurity oversight at the FCC. The current cyberattacks are a clarion call that network security must be both a forethought in network design and an ongoing regulatory responsibility for the agency entrusted with oversight of the nation’s networks.
Commentary
Chinese spies and the security of America’s networks
November 20, 2024