Congress Considers Measures to Improve Telecom Security
House Committee Debates 9 Bills Focused on Securing Networks
A House subcommittee is considering a slate of nine bills designed to improve cybersecurity practices in the telecommunications supply chains that support wireless networks.
This week, the House Committee on Energy and Commerce's Subcommittee on Communications and Technology heard testimony from industry experts and telecom vendors about the bills.
While each bill looks to address separate aspects of security within the U.S. telecommunications industry and the supply chain, five of the nine measures would give additional responsibility for cybersecurity to the National Telecommunications and Information Administration to make recommendations regarding security in existing wireless networks as well as rollouts of 5G and, eventually, 6G networks.
The NTIA is a unit of the U.S. Department of Commerce that's responsible for advising the White House about telecommunications and information policy issues. Some of the bills under consideration would give the agency additional authority to make recommendations on cybersecurity and national security issues.
For example, the TEAM TELECOM Act would put NTIA in charge of coordinating efforts with federal agencies - known as Team Telecom - to review contracts when a business with foreign ownership is applying to construct or extend transmission lines. This would help ensure that these projects do not pose a national security risk, said Rep. Bill Johnson, R-Ohio, who is one of the bill's co-sponsors.
"Having NTIA in charge of the coordinating efforts will also build on their interagency coordination role while preserving the subject matter expertise of appropriate national security and intelligence agencies that [advise on] telecom," Johnson said at the hearing.
Another proposed bill, the Understanding Cybersecurity of Mobile Networks Act, would require the NTIA to examine and report on the cybersecurity of mobile service networks as well as identify vulnerabilities in these networks and mobile devices that could be exploited by attackers.
A third bill, the NTIA Policy and Cybersecurity Coordination Act, would rename one of the agency's departments as the Office of Policy Development and Cybersecurity and change part of its mission to "coordinate and develop policy regarding the cybersecurity of communications networks."
"The bipartisan work of this committee has laid the foundation for the nation’s telecommunications networks to flourish," said Rep. Mike Doyle, D-Pa., the chairman of the committee. "And to ensure that this continues, we look to foster innovation and competition, protect our networks and supply chains from threats by non-trusted actors, and provide the marketplace with a predictable, stable government - a government that is a partner as well as a regulator."
Added Responsibilities
While lawmakers from both parties are looking to add cybersecurity and other responsibilities to NTIA, committee members were told that this would require additional resources and support.
"The members of this subcommittee must ensure that NTIA has the capacity to execute on these additional functions," Dileep Srihari, senior policy counsel for the technology consultancy Access Partnership, testified. "The relevant staffing within NTIA is actually quite small, although the president is currently proposing some increase. The administrator position was vacant during the previous administration for far too long. You should urge the president to fill this vacancy."
The agency is now headed by an acting director, Evelyn Remaley.
The Biden administration is proposing an overall budget of $89.5 million for NTIA for fiscal 2022, which includes an additional $4 million to enable the agency to ramp up work on securing the information and communications technology and services supply chain.
Srihari pointed out that NTIA’s domestic and international programs division only has about 30 employees, so adding more responsibilities would require hiring more personnel.
"Right now, I am working with them on a number of different issues, and I see the same staffers' email being cc'd on three very different topics because they just don't have the people right now - that's the reality," Srihari testified.
Dean Brenner, senior vice president of spectrum strategy and tech policy at Qualcomm, told lawmakers that the White House needs to appoint a permanent leader for NTIA before making additional changes.
"It's going to require … a permanent administrator to roll it out and it would be good to get that person's views … before legislation like that is signed into law," Brenner said.
The NTIA is also helping to develop criteria for a software bill of materials requirement that is outlined in President Joe Biden's executive order related to cybersecurity. This software bill of materials is effectively a nested inventory - a list of ingredients that make up software components (see: Biden's Cybersecurity Executive Order: 4 Key Takeaways).
Chinese Companies
At the committee hearing, lawmakers also debated a bill backed by Reps. Steve Scalise, R-La., and Anna Eshoo, D-Calif. The Secure Equipment Act of 2021 would instruct the Federal Communications Commission to prohibit the use of telecom equipment from certain Chinese companies, such as Huawei and ZTE, in U.S. telecom networks.
The FCC has ruled that federal funds cannot be used to buy Huawei and ZTE equipment because both companies are considered national security threats (see: FCC Upholds Ruling That Huawei Poses National Security Threat).
During the hearing, Eshoo noted that under current law, companies can still purchase Huawei and ZTE equipment using private funds, but the new legislation would prohibit this. Clete Johnson, a senior fellow with the strategic technologies program at the Center for Strategic and International Studies, testified that while technological advances in 5G networks can isolate certain threats, "that does not sufficiently mitigate the risk of untrusted equipment [from] Huawei and ZTE."