Telecommunications sits at the forefront of our Nation’s critical infrastructure. Internet connectivity and mobile broadband access are the key to functioning essential services that the country has come to rely on. The rapid evolution of the industry has enabled digitalization of previously imagined services, as well as radically enhanced connectivity.
The evolution of fifth generation (5G) networks is the next big jump in the speed and ability of telecommunications. It must, however, be done securely. The implementation of 5G networks involves a sizeable overhaul to the hardware and operational software of our existing network systems. While providers have focused previously on securing existing networks, there is a need for additional cyber defenses for growing 5G networks – and we should expect to see increasing policy pressure around the vetting process for hardware and software that are crucial to these upgraded networks. This raises the importance of supply chain risk management, which has become a must for the telecommunications industry whether driven by Federal mandate or not.
Federal oversight is ongoing – but it is just the beginning
One of the first Federal pushes to protect telecommunications infrastructure supply chains has been the Federal Communications Commission (FCC) creating a “covered list” of companies and suppliers that are believed to be connected to or unduly influenced by foreign adversarial countries. The list comprises companies that pose a sizeable risk to national security; it is enabling a large push to reshore or “friendshore” various elements of the telecommunications manufacturing process in order to maintain national security across our telecoms network and protect sensitive data and functioning networks.
While the physical components that make up the growing national 5G networks have been recently examined through the FCC’s covered list, there is also a sizeable risk posed to national security in the software that cannot be ignored. Securing the software supply chain has become of utmost importance and it can no longer be a secondary concern in comparison to physical security. According to Gartner, 2022 saw a 7.2 percent increase in cybersecurity and risk management spending from 2021. This is incremental but not enough given the growing reliance of organizations on core information technology systems.
Third-party software has become the norm as many organizations move away from proprietary services for ease and streamlined processes. This growing reliance on open source software increases the need to manage critical software vulnerabilities within an organization. This goes beyond identifying potentially threatening companies included in a covered list; it also requires a deeper understanding of software bills of materials and software development processes, and the implementation of active vulnerability management. While this has yet to be required by regulatory bodies, the telecommunications industry should not wait for additional federal requirements and should instead take a proactive approach to securing its software supply chains.
Telecommunications broadens its scope internationally
In an effort to ensure an international approach to 5G evolutions, many nations, including the United States, have signed on to the Prague Proposals, which act as norms for governments to assess and mitigate risk while also ensuring competition in the marketplace. These proposals place the emphasis on “security-by-design” principles, meaning that all matters of security should be assessed and incorporated into the product from its design and development inception all the way down the chain to the end-user. The proposals go on to highlight that “governments should foster protection of both systems and end users from potential threats and vulnerabilities… considering security at all stages, beginning with design, will enhance a product’s resilience to future risks.”
While the framework outlined by the Prague Proposals is pertinent, governments need buy-in from and collaboration with industry to implement and prioritize the adoption that is necessary to fully secure the expanding 5G telecommunications network. One promising example of this is work that the Telecommunications Industry Association (TIA) has done to develop supply chain and cyber standards. TIA’s SCS 9001: The Cybersecurity and Supply Chain Standard addresses critical gaps in the telecommunications network and provides a roadmap to help organizations enhance their cyber supply chain risk management. What SCS 9001 offers is a proactive process for telecommunications companies to prioritize risk-based cybersecurity in supply chains as the development of 5G network capabilities continues apace.
For 5G to truly reach its potential, fortifying cyber defenses across the telecommunications industry must go beyond sporadic compliance checks and adherence to “restrictions-only” governmental supplier lists. While this is a starting point, what is truly required is ongoing, consistent, and rigorous vetting and monitoring of suppliers. Implementing effective cyber supply chain risk management and supplier visibility, which can be achieved today through expansive data-driven and tech-enabled tools and processes, is critical to keep up with the rapidly advancing 5G capabilities of the national network.
Remaining one step ahead on cyber defenses is increasingly necessary to reduce the risk of compromise with both telecommunications software and component supply. 5G will launch telecommunications into the future, and protecting the infrastructure will be imperative to it reaching its potential.