Fifth Generation Wireless Network and Device Security, 7825-7830 [2017-01325]

Download as PDF Federal Register / Vol. 82, No. 13 / Monday, January 23, 2017 / Notices ACTION: Notice. The Environmental Protection Agency is planning to submit an information collection request (ICR), ‘‘National Estuary Program (Renewal)’’ (EPA ICR No. 1500.08, OMB Control No. 2040–0138) to the Office of Management and Budget (OMB) for review and approval in accordance with the Paperwork Reduction Act. Before doing so, EPA is soliciting public comments on specific aspects of the proposed information collection as described below. This is a proposed extension of the ICR, which is currently approved through June 30, 2017. An Agency may not conduct or sponsor and a person is not required to respond to a collection of information unless it displays a currently valid OMB control number. DATES: Comments must be submitted on or before March 24, 2017. ADDRESSES: Submit your comments, referencing Docket ID No. EPA–HQ– OW–2006–0369, online using www.regulations.gov (our preferred method), by email to OW-Docket@ epa.gov, or by mail to: EPA Docket Center, Environmental Protection Agency, Mail Code 28221T, 1200 Pennsylvania Ave. NW., Washington, DC 20460. EPA’s policy is that all comments received will be included in the public docket without change including any personal information provided, unless the comment includes profanity, threats, information claimed to be Confidential Business Information (CBI) or other information whose disclosure is restricted by statute. FOR FURTHER INFORMATION CONTACT: Vince Bacalan, Oceans and Coastal Protection Division, Office of Wetlands, Oceans, and Watersheds, (Mail Code 4504T), Environmental Protection Agency, 1200 Pennsylvania Ave. NW., Washington, DC 20460; telephone number: 202–566–0930; fax number: 202–566–1336; email address: bacalan.vince@epa.gov. SUPPLEMENTARY INFORMATION: Supporting documents which explain in detail the information that the EPA will be collecting are available in the public docket for this ICR. The docket can be viewed online at www.regulations.gov or in person at the EPA Docket Center, WJC West, Room 3334, 1301 Constitution Ave. NW., Washington, DC. The telephone number for the Docket Center is 202–566–1744. For additional information about EPA’s public docket, visit https://www.epa.gov/ dockets. Pursuant to section 3506(c)(2)(A) of the PRA, EPA is soliciting comments mstockstill on DSK3G9T082PROD with NOTICES SUMMARY: VerDate Sep<11>2014 19:02 Jan 19, 2017 Jkt 241001 and information to enable it to: (i) Evaluate whether the proposed collection of information is necessary for the proper performance of the functions of the Agency, including whether the information will have practical utility; (ii) evaluate the accuracy of the Agency’s estimate of the burden of the proposed collection of information, including the validity of the methodology and assumptions used; (iii) enhance the quality, utility, and clarity of the information to be collected; and (iv) minimize the burden of the collection of information on those who are to respond, including through the use of appropriate automated electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g., permitting electronic submission of responses. EPA will consider the comments received and amend the ICR as appropriate. The final ICR package will then be submitted to OMB for review and approval. At that time, EPA will issue another Federal Register notice to announce the submission of the ICR to OMB and the opportunity to submit additional comments to OMB. Abstract: The National Estuary Program (NEP) involves collecting information from the state or local agency or nongovernmental organizations that receive funds under Sec. 320 of the Clean Water Act (CWA). The regulation requiring this information is found at 40 CFR part 35. Prospective grant recipients seek funding to develop or oversee and coordinate implementation of Comprehensive Conservation Management Plans (CCMPs) for estuaries of national significance. In order to receive funds, grantees must submit an annual workplan to EPA which are used to track performance of each of the 28 estuary programs currently in the NEP. EPA provides funding to NEPs to support long-term implementation of CCMPs if such programs pass a program evaluation process. The primary purpose of the program evaluation process is to help EPA determine whether the 28 programs included in the National Estuary Program (NEP) are making adequate progress implementing their CCMPs and therefore merit continued funding under Sec. 320 of the Clean Water Act. EPA also requests that each of the 28 NEPs receiving Sec. 320 funds report information that can be used in the GPRA reporting process. This reporting is done on an annual basis and is used to show environmental results that are being achieved within the overall National Estuary Program. This information is ultimately submitted to PO 00000 Frm 00043 Fmt 4703 Sfmt 4703 7825 Congress along with GPRA information from other EPA programs. Form Numbers: None. Respondents/affected entities: Entities potentially affected by this action are those state or local agencies or nongovernmental organizations in the National Estuary Program (NEP) who receive grants under Section 320 of the Clean Water Act. Respondent’s obligation to respond: Required to obtain or retain a benefit (Section 320 of the Clean Water Act). Estimated number of respondents: 28 (total). Frequency of response: Annual. Total estimated burden: 5,460 hours (per year). Burden is defined at 5 CFR 1320.03(b). Total estimated cost: $247,338 (per year), includes $0 annualized capital or operation & maintenance costs. Changes in Estimates: There will likely be an increase in the total estimated respondent burden compared with the ICR currently approved by OMB. This increase is due to program evaluations taking place in the next three years, compared to only two years in the currently approved ICR. Note that these numbers will be updated in the final FR Notice. Dated: January 12, 2017. Marcus Zobrist, Acting Director, Oceans and Coastal Protection Division. [FR Doc. 2017–01422 Filed 1–19–17; 8:45 am] BILLING CODE 6560–50–P FEDERAL COMMUNICATIONS COMMISSION [PS Docket No. 16–353; DA16–1282] Fifth Generation Wireless Network and Device Security Federal Communications Commission. ACTION: Notice. AGENCY: In this document, the Commission seeks comment on new security issues that implementation of the fifth generation (5G) wireless network and device security presents to the general public, and on the current state of planning to address these issues. The inquiry, focusing on cybersecurity for 5G, raises fundamental questions about scope and responsibilities for such security. The goal of this proceeding is to begin a conversation on the state of 5G wireless network and device security and to foster a dialogue on the best methods for ensuring that the 5G wireless networks and devices used by service providers in their SUMMARY: E:\FR\FM\23JAN1.SGM 23JAN1 7826 Federal Register / Vol. 82, No. 13 / Monday, January 23, 2017 / Notices operations are secure from the beginning. Comments are due on or before April 24, 2017; reply comments are due on or before May 23, 2017. ADDRESSES: You may submit comments, identified by PS Docket No. 16–353, by any of the following methods: • Federal eRulemaking Portal: https:// www.regulations.gov. Follow the instructions comments. • Federal Communications Commission’s Web site: https:// fjallfoss.fcc.gov/ecfs2/. Follow the instructions for submitting comments. • Mail: Filings can be sent by hand or messenger delivery, by commercial overnight courier, or by first-class or overnight U.S. Postal Service mail. All filings must be addressed to the Commission’s Secretary, Office of the Secretary, Federal Communications Commission. • People with Disabilities: Contact the FCC to request reasonable accommodations (accessible format documents, sign language interpreters, CART, etc.) by email: FCC504@fcc.gov or phone: (202) 418–0530 or TTY: (202) 418–0432. For detailed instructions for submitting comments and additional information on the rulemaking process, see the SUPPLEMENTARY INFORMATION section of this document. FOR FURTHER INFORMATION CONTACT: For further information, contact Gregory Intoccia of the Public Safety and Homeland Security Bureau, Communications Cybersecurity and Reliability Division, at (202) 418–1470 or at Gregory.Intoccia@fcc.gov. SUPPLEMENTARY INFORMATION: This is a summary of the Commission’s Notice of Inquiry, DA 16–1282, adopted and released on December 16, 2016. The full text is available for public inspection and copying during regular business hours in the FCC Reference Center, Federal Communications Commission, 445 12th Street SW., Room CY–A257, Washington, DC 20554. This document will also be available via ECFS at https:// transition.fcc.gov/Daily_Releases/ Daily_Business/2016/db1216/DA-161282A1.pdf. Documents will be available electronically in ASCII, Microsoft Word, and/or Adobe Acrobat. The complete text may be purchased from the Commission’s copy contractor, 445 12th Street SW., Roomy CY–B402, Washington, DC 20554. Alternative formats are available for people with disabilities (Braille, large print, electronic files, audio format), by sending an email to fcc504@fcc.gov or calling the Commission’s Consumer and mstockstill on DSK3G9T082PROD with NOTICES DATES: VerDate Sep<11>2014 19:02 Jan 19, 2017 Jkt 241001 Governmental Affairs Bureau at (202) 418–0530 (voice), (202) 481–0432 (TTY). Synopsis I. Introduction and Background 1. Fifth generation (5G) wireless technologies represent the next evolutionary step in wireless communications. These networks promise to enable or support a diverse range of new applications, and will provide for a vast array of user requirements, traffic types, and connected devices. 5G communications technology could be particularly useful in enabling the growing number of highcapacity networks necessary for transformative business and consumer services, as well as backhaul, and communications related to the ‘‘Internet of Things’’ (IoT) technology. 2. 5G has the potential to be an enormous driver of economic activity. It is a national priority to foster an environment in which 5G can be developed and deployed across the country. That means both ensuring that networks are secure and that the regulatory obligations are measured. The Federal Communications Commission (FCC) has an opportunity at this stage to ensure that these new technologies and networks are secure by design. Therefore, while the FCC is moving quickly to make the spectrum needed for 5G available in the near term, it is also seeking to accelerate the dialogue around the critical importance of the early incorporation of cybersecurity protections in 5G networks, services, and devices. 3. In its July 2016 Spectrum Frontiers Report and Order, the FCC reiterated its view that communications providers are generally in the best position to evaluate and address security risks to network operations. Toward this end, the FCC adopted a rule requiring Upper Microwave Flexible Use Service licensees to submit general statements of their network security plans. The statements are designed to encourage licensees to consider security in their new 5G networks. The Public Safety and Homeland Security Bureau (PSHSB) issues this Notice of Inquiry (NOI) to seek input on the new issues raised by 5G security in order to foster dialogue between relevant standards bodies and prospective 5G providers on the best methods for ensuring that networks and devices are secure from the beginning. 4. PSHSB intends this inquiry to complement the important work on cybersecurity that is already taking place within the government and private sector. The FCC, these other PO 00000 Frm 00044 Fmt 4703 Sfmt 4703 groups, and the wireless industry all have a significant interest in ensuring that these new networks consider security risk and mitigation techniques from the outset. This NOI, and the record it seeks to develop, will help in that effort. 5. PSHSB recognizes that the inquiry, focusing on cybersecurity for 5G, raises fundamental questions relative to scope and responsibilities. Security of network infrastructure, such as protecting software and hardware that are essential to signaling and control of Radio Access Networks and to ensure the proper operation of the network, creates one perspective. Another perspective, however, is the end-to-end security of both the network and the devices that connect to commercial network services. Devices and other network elements may be furnished by the service provider, third parties, and consumers themselves. Who should be responsible for cyber protections for a device, or should responsibility be shared in some recognizable manner across the 5G ecosystem? PSHSB also appreciates that 5G is not apt to be a separate network, but rather will be integrated with existing previous generation networks, perhaps indefinitely. Do questions about the cyber protections of 5G networks inherently implicate the other networks associated with them? Where should the lines between networks be drawn relative to responsibility for 5G cybersecurity? II. Inquiry 6. This NOI looks holistically at the security implications arising through the provision of a wide variety of services to various market sectors and users in the future 5G network environment. The NOI also explores 5G security threats, solutions, and best practices. As used in this NOI, ‘‘security’’ and ‘‘information security’’ refer to protecting data, networks, and systems from unauthorized access, use, disclosure, disruption, modification, or destruction, in order to protect confidentiality, integrity, and availability with respect to such networks, systems, and defined user communities. The terms ‘‘confidentiality,’’ ‘‘integrity,’’ and ‘‘availability,’’ or ‘‘CIA,’’ are meant to refer to those three interrelated, and dynamic principles (‘‘that collectively guide security practices and illustrate the various considerations that must be applied when developing a security posture for communications technologies and services. Confidentiality’’ refers to protecting data from unauthorized access and E:\FR\FM\23JAN1.SGM 23JAN1 Federal Register / Vol. 82, No. 13 / Monday, January 23, 2017 / Notices mstockstill on DSK3G9T082PROD with NOTICES disclosure. ‘‘Integrity’’ refers to protecting data from unauthorized modification or destruction, both at rest and in transit. Finally, ‘‘availability’’ refers to whether a network provides timely, reliable access to data and information services for authorized users. All three of these principles are fundamental to any security framework and are dynamically interrelated, and thus no particular principle should be addressed in isolation if 5G security is to be achieved. 7. As an initial matter, the NOI seeks to understand the current state of security planning for 5G networks. Please comment on the current efforts across industry to study 5G security, develop security protocols and solutions, and triage 5G security issues when they arise. How are equipment developers considering security in the design of 5G equipment? How are service providers considering security in the planning of 5G networks and ensuring end-to-end security where 5G technology is integrated with prior generation technology in heterogeneous networks? How can the FCC support and enhance this work? What known vulnerabilities require increased study? How should 5G differ in terms of cybersecurity needs from its widelydeployed predecessor generation, 4G LTE? What cybersecurity lessons can be learned from 4G deployment and operational experience that are applicable to the 5G security environment? What should be different, if anything, between LTE pre-5G deployment and post-5G deployment? 8. The Commission encourages commenters to consider this common thread throughout the NOI: how can the FCC, working together with other stakeholders, ensure the rapid deployment of secure 5G networks, services, and technologies? A. Protecting Confidentiality, Integrity, and Availability 9. The FCC seeks to promote 5G security through a ‘‘security-by-design’’ approach to 5G development. The NOI seeks comment on the premise that, by utilizing the ‘‘confidentiality,’’ ‘‘integrity,’’ and ‘‘availability’’ (CIA) principles, a firm may avoid or mitigate 5G network and device data security risk through strong, adaptive, protections against unauthorized use, disclosure, and access. What are the benefits and limitation of a security-bydesign approach and of employing CIA principles? 10. Please comment on how the CIA principles are being considered for 5G networks, systems, and devices. In particular, the NOI examines below how VerDate Sep<11>2014 19:02 Jan 19, 2017 Jkt 241001 CIA principles are being taken into consideration with respect to authentication, encryption, physical security, device security, protecting 5G networks from cyber attacks, patch management, and risk segmentation of networks. This is a non-exclusive list, and comment is requested on other areas that are potential vulnerabilities for 5G. 1. Authentication 11. Preserving the confidentiality and integrity of networks, systems, and data depends on limiting access to authorized users. This is typically accomplished through effective, and sometimes mutual, authentication. Mutual authentication generally requires that both entities involved in a transaction verify each other’s identity at the same time. The NOI seeks comment on the use of authentication in networks today and whether existing authentication practices will be applicable to the 5G environment. The NOI further seeks comment on the effective use of mutual authentication, in particular, for protecting 5G networks against unauthorized access and enduser devices against attaching to malicious network components, as well as the perceived limitations and drawbacks of those uses. Are there specific considerations that would apply to 5G devices? Under what circumstances would mutual authentication be considered essential to ensure or bolster security? Are there any circumstances where mutual authentication would not be beneficial? If a communications provider did not invest in mutual authentication, how would that likely affect its relative overall security risk? What other authentications methodologies might be effective for 5G security? Would the mass deployment of high-volume, lowcost 5G devices in IoT networks present particular authentication challenges? How can providers effectively authenticate the communications of high-volume, low-cost 5G devices— device to device, device to network, and network to device? How can providers effectively address these challenges? Would it be appropriate for 5G architects to consider identity credentialing and access management, in addition to authentication? 2. Encryption 12. Encryption can be an important aspect of protecting confidentiality, integrity and availability in communications environments. The NOI seeks comment on the planned deployment and use of encryption to promote 5G security, as well as on the PO 00000 Frm 00045 Fmt 4703 Sfmt 4703 7827 perceived challenges, costs, and benefits of encryption at both the network and device levels. 13. Please comment on whether currently available encryption protocols are effective in securing devices and are likely to be effective in a 5G environment in which innumerable, low-cost devices are expected to operate, as well as ways that 5G participants can address encryption key management and distribution mechanism challenges. Additionally comment is requested on stakeholder responsibilities with respect to objective encryption key management for 5G. 14. Please also comment on whether encryption is necessary for all 5G communications, and whether the decisions made by the 3rd Generation Partnership Project (3GPP) standards body that resulted in non-encryption for such systems are rooted in increased latency, degraded performance due to added signaling or computational requirements, an interest in minimizing changes to LTE standards as 5G is standardized, or other factors. Please comment on what lessons, if any, can be learned from the underlying rationale of these decisions as they pertain to encryption for 5G communications. 15. Finally, the NOI seeks comment on whether 5G service providers should distinguish between the application of encryption to products that would operate primarily on the 5G control plane and those that would be part of the user plane. If such a distinction is desirable, how should such a distinction be made? 3. Physical Security 16. Physical security aims to protect networks and critical components of end-user devices, even where those devices are in the possession of unauthorized users. Please comment on physical security objectives and needs in the 5G environment, and on any other considerations the FCC should take into account in its examination of physical security of 5G networks and devices. 17. What device- and network-based physical security methods would be most effective if applied to 5G devices? To what extent does lack of physical security pose a threat to, or introduce risk from unsupervised 5G devices? To what extent does lack of physical security pose a threat to, or introduce risk from unsupervised 5G devices? Will the 5G environment present any new or unique challenges? What other issues and factors should the FCC consider on the question of preserving confidentiality, integrity and availability through physical security? E:\FR\FM\23JAN1.SGM 23JAN1 7828 Federal Register / Vol. 82, No. 13 / Monday, January 23, 2017 / Notices 18. What aspects or uses of 5G networks should be considered ‘‘mission critical’’ and, as such, do they warrant special consideration with respect to physical security? What ‘‘mission critical’’ activities distinguish these networks and how can they be physically secured in the 5G environment? Should certain 5G networks be physically diverse at the network level as a result of the ‘‘mission-critical’’ aspects they support or enable? If so, how should that diversity be achieved? 4. Device Security 19. Ensuring the provision of confidentiality, integrity, and availability requires that devices are secure and capable of authenticating on the network. What methodologies will be used to protect the variety of devices connected to 5G networks? Is current SIM technology robust enough to ensure security without posing threats to consumers, service providers, or the underlying infrastructure? Will SIM technology be leveraged for 5G? Do standards for next generation SIM cards effectively address security and integrity concerns? What new security benefits or challenges are created by the use of eSIMs? Are there non-SIM methods that should be considered for high-volume, low-cost devices, and if so, are standards bodies currently developing standards for such methods? What other issues and factors should the FCC consider on the question of preserving CIA through device security? mstockstill on DSK3G9T082PROD with NOTICES 5. Protecting 5G Networks From DoS and DDoS Attacks 20. A security exploit that targets network resources, such as a Denial-ofService (DoS) or Distributed Denial of Service (DDoS) attack, could have an impact on availability of service by causing a total or partial disruption of service. The NOI seeks comment and supporting data on the mechanisms most likely to be effective at preserving confidentiality, integrity and availability through mitigation of DoS and DDoS attack risks in the planned 5G environment, including techniques for protecting both the network control and data planes. Which methods of defense against DoS and DDoS attacks are the most cost-effective? 21. Please comment on whether additional standards are needed to assist in mitigating DoS and DDoS attacks. What anti-spoofing technologies are most likely to be effective in the 5G environment, and what are the challenges to their deployment? VerDate Sep<11>2014 19:02 Jan 19, 2017 Jkt 241001 6. Patch Management 22. For more than a decade, communications security authorities and expert bodies, such as the FCC’s Federal Advisory Committee for communications security policy development The FCC seeks comment and supporting data on patch management’s role as part of a service provider’s overall security risk management strategy in the 5G environment. 23. Please also comment on which 5G network elements can be successfully maintained by service providers through patch management. There are generally four types of patches that are pushed to devices with service provider involvement: (1) Patches from service providers to their own infrastructure; (2) patches service providers require and push on to subscriber devices; (3) patches to third-party infrastructure that are leased by service providers but owned by a third party; (4) patches to subscriber devices that are sent by device manufactures under the direction of service providers. For each type of patch, please comment on processes that service providers and mobile device manufacturers should adopt to sustain an effective patch management program in the 5G environment. How do service providers and mobile device manufacturers routinely make themselves aware of new vulnerabilities that need to be patched? How soon after a vulnerability is discovered is the corresponding patch pushed to devices? What other mechanisms might preclude unauthenticated code from running on 5G devices that are connected to their networks? 24. Please comment on how 5G service providers and equipment manufacturers can ensure that critical security software updates are installed on their subscriber devices in a timely fashion. How can 5G service providers effectively ensure firmware and software patch management related to security through their customer relationships? How common is it for manufacturers or service providers to rely on consumers to become aware of and install patches to their software and/or hardware? What do 5G service providers plan to do to help ensure that a subscriber’s devices remain ‘‘patchable’’ and/or ‘‘discoverable’’ for purposes of device updates? How can consumers determine whether an older device or service, no longer being sold at retail, is still receiving securityrelated patches and whether it is still safe to use? 25. Finally, please comment on whether relevant standards have been PO 00000 Frm 00046 Fmt 4703 Sfmt 4703 produced that present a common approach, or describe a best practice, to facilitate patch management procedures that can be applied regardless of the underlying device operating system in a 5G ecosystem. In the absence of any deployed standard, should this effort be explored, and if so, which standards body or forum would be the best candidate to address this issue? What other issues and factors should the FCC consider on the question of preserving CIA through patch management? 7. Risk Segmentation 26. Risk segmentation involves splitting network elements into separate components to help isolate security breaches and minimize overall risk. Risk segmentation or network slicing might allow greater resiliency, more effective cyber threat monitoring and analysis and stronger security for network service supporting critical infrastructure communications (to include ICS and SCADA). Please comment on the use of segmentation in 5G networks and how segmentation can reduce risk in such networks. 27. Please provide comments and supporting data on ways that segmentation could be achieved throughout the 5G ecosystem to ensure service providers have greater situational awareness and ability to respond to, and contain, security threats. What lessons have service providers and other enterprises learned about the application of segmentation in older networks that can be applied to 5G networks? To what extent can service providers use network segmentation technologies, such as a virtual private network (VPN) or other cryptographic separation, to help ensure that no device operating on their network’s control plane is directly and immediately accessible via the Internet? Could VPNs or a similar mechanism be scaled in such a way that 5G providers could implement segmentation across their entire ecosystem? Please comment on the technologies used for network segmentation, and on how to ensure that future networks employing these new architectures use security-by-design principles to minimize security risk. 28. Should segmentation in the 5G environment be based on geography or region, on type of function or device, or by community of interest? To what extent are service providers segmenting physical, logical and virtual risks? Please comment on what 5G service providers plan to do to establish logical and physical separation of different bands and/or receive antennas in order to improve integrated device security. E:\FR\FM\23JAN1.SGM 23JAN1 Federal Register / Vol. 82, No. 13 / Monday, January 23, 2017 / Notices 29. Please comment on whether certain network elements or activities merit special consideration with respect to risk segmentation. To what extent are such segmentation strategies effective in reducing security risk? 30. Risk segmentation can also be applied to devices in terms of firmware, software, and data. In some cases, configuration data may be set as readonly by the device, but can only be changed by the service provider. Please comment on whether privacy features and requirements have been standardized in organizations like 3GPP (and to what extent they will be standardized for 5G) to support confidentiality and integrity of information. What other issues and factors should the FCC consider on the question of preserving CIA through segmentation? 31. Finally, with respect to each of the topics discussed above, the FCC seeks information regarding which standards bodies are involved and the state of standards development to protect CIA in the 5G environment. Is there a need for additional standards body involvement? mstockstill on DSK3G9T082PROD with NOTICES B. Additional 5G Security Considerations 1. Overview 32. It is widely expected that 5G networks will be used to connect the myriad devices, sensors and other elements that will form the Internet of Things (IoT). The anticipated diversity and complexity of these networks, how they interconnect, and the sheer number of discrete elements they will comprise raise concerns about the effective management of cyber threats. How can holistic security objectives for 5G be established? What roles can service providers and device manufacturers play to reduce security risk for various communities of interest? How should service providers, device manufacturers, standards bodies and the FCC coordinate their efforts? Are there particular standards being developed for 5G IoT applications? Finally, please comment on benefits and costs associated with effective hardware, firmware, software, and application security for 5G. 33. Please provide comments on the extent to which IoT devices could place 5G networks at unique risk. For example, are there particular vulnerabilities that arise from, or are increased by, the fact that 5G communications have relatively short range and rely on multiple access points? It is possible that some of IoT devices will have limited security features. Could this have a negative VerDate Sep<11>2014 19:02 Jan 19, 2017 Jkt 241001 effect on overall 5G network security? If so, what roles can network equipment providers, ISPs and device manufacturers play, by themselves and in coordination, to mitigate the risks? Are any lessons being learned from the October 2016 DDoS attacks relevant to 5G? Where risk externalities exist? How will the 5G marketplace address cybersecurity risk in the commons? 34. Please comment on whether and how security needs for 5G IoT devices might differ from other infrastructures, including, in particular, each of the critical infrastructure sectors. What expectations would various critical infrastructure sectors likely have for the security capabilities and features of 5G services? Does the government have a role where residual risk unduly threatens critical infrastructure or national security, and if so, what should it be? 35. Given the likely unprecedented diversity of connected devices and their manufacturers, comment is sought on whether 5G security could be challenged by hardware issues, including threats from a compromised supply chain. How are service providers and equipment manufacturers currently assessing supply chain risks? Are they assessing risks consistent with NIST guidelines? The FCC seeks comment on whether, and if so, how 5G service providers should ensure the provenance of the hardware, firmware, software, and applications operating in their environments. What special considerations, if any, should be applied relative to 5G supply chain risks? 36. Please comment on benefits and costs associated with effective hardware, firmware, software, and application security for 5G. What are the costs associated with updating existing hardware, firmware, software, and applications versus the costs of adding entirely new elements for a totally new security posture? Is there a role for 5Gspecific third party security entities? Do benefits and costs vary depending on the use of open-source software compared to proprietary software? What are the costs of adding security-specific features to 5G network hardware, firmware, software and applications? Are there scale economies observed across local, regional, and nationwide 5G networks? Finally, what other issues or factors should the FCC consider with respect to the preservation of confidentiality, integrity and availability in the 5G environment? 2. Roles and Responsibilities 37. Because of the anticipated proliferation of 5G networks and the PO 00000 Frm 00047 Fmt 4703 Sfmt 4703 7829 devices that will be deployed on them, there is a chance that the cyber integrity of the network as a whole could be overlooked on the assumption that another network participant would be responsible. Is this a valid concern? Please provide comments on who should be responsible for assuring cyber security across the 5G ecosystem, what principles should guide the management of cyber risk, and how cyber risk should be managed within companies. How should providers work together across the 5G ecosystem to achieve desirable outcomes in cyber risk management? 38. Relatedly, please provide information on how the 5G ecosystem will share information about cyber threats and concerns. Please comment on whether an Information Sharing and Analysis Organization (ISAO) construct could be or should be applied to the 5G ecosystem. Would it be appropriate to develop a 5G-specific ISAO? Should 5G networks be instrumented to support automated cybersecurity threat indicators and network anomaly information sharing and analysis? Is an ISAO or multiple ISAOs the right focal point for automated cyber information sharing and analysis? Should it address IoT concerns more broadly or focus on network-based considerations? Who should be involved? Should work of ISAOs dealing with related topics be formally coordinated? If so, how? What are the proper roles of standards bodies, advisory committees such as the North American Numbering Council (NANC), industry authorities, numbering and data services and the FCC? 39. The NIST Framework for Improving Critical Infrastructure Cybersecurity Framework (NIST CSF) has been voluntarily used by members of the critical infrastructure community, including the communications sector, for several years to help manage cybersecurity risk. Please comment on whether, and if so how, the NIST CSF can be used to manage risk for 5G service providers and networks. The NIST CSF includes several top level organizational functions that can be performed concurrently and continuously to form an operational culture that addresses dynamic security risk, namely, Identify, Detect, Protect, Respond, and Recover (IPDRR). Please comment on unique factors with respect to these functions that should guide 5G design, standards development and operations. 3. Other Considerations 40. Are there additional functions that should be considered in the 5G environment? How should addressing E:\FR\FM\23JAN1.SGM 23JAN1 7830 Federal Register / Vol. 82, No. 13 / Monday, January 23, 2017 / Notices mstockstill on DSK3G9T082PROD with NOTICES and naming be accommodated for 5G? Are stakeholders working to evolve any of today’s numbering schemas to encompass 5G? What practical steps should 5G planners take in order to ensure that the functions discussed in this NOI, and any other relevant functions, are properly considered and implemented within their respective organizations? 4. Benefits and Costs 41. Please comment on the public harm expected to result from failure to integrate confidentiality, integrity and availability into 5G networks through authentication, encryption, physical and device security, protecting against DoS attacks, patch management and risk segmentation. Could failure to implement these measures decrease broadband adoption and detract from its productive economic use? Could it reduce the risk of loss of competitively sensitive information for businesses? Could it prevent the loss of consumers’ personally identifiable information? Could it play a role in preventing the unnecessary loss of life or property by, for example, preventing malicious intrusion into critical infrastructure? How should the FCC quantify these benefits in terms of their economic impact? What other benefits would likely stem from an appropriately secure 5G network? 42. Please comment on the costs associated with the implementation of the measures discussed above as investments early in the design and build plans of networks, as opposed to ‘‘bolt-on’’ security after deployment. Are there opportunities for 5G implementation that would only be realized if networks are perceived to be secure? Are there some security elements that, by plan, should be ‘‘just in time’’ or reactive investments, based on realized threats, after 5G implementation? Would these costs include those associated with updating existing hardware, firmware, software, and applications? How would the costs of system updates compare to the costs of adding entirely new elements for a totally new security posture? Do benefits and costs vary depending on the use of open-source software compared to proprietary software? If so, to what extent are open-source solutions available that could reduce costs? Are there scale economies observed across local, regional and nationwide 5G networks? Please comment on specific costs associated with authentication, encryption, physical and device security, protecting against DDoS attacks, patch management and risk segmentation in the 5G environment. VerDate Sep<11>2014 19:02 Jan 19, 2017 Jkt 241001 C. 5G Implications for Public Safety 43. Many public safety services and technologies are undergoing radical change as underlying networks transition from legacy to IP-based modes. Will any new categories of public safety sensors or other machinebased tools become an included part of 5G public safety communications architecture? The development of 5G networks will potentially contribute new capabilities to these IP-based public safety platforms while also creating new challenges, including security challenges, for public safety entities. 44. Please comment on the security implications of linking or integrating 5G networks with IP-based public safety communications platforms. Could this create new security risks or vulnerabilities for NG911, first responder communications, or emergency alerting? What responsibility should 5G service providers have for mitigating and managing these risks? Conversely, could 5G networks help reduce security risks that public safety faces in migrating from legacy to IPbased technologies? Could 5G services support ICAM in a manner that reduces these security risks? Should public safety anticipate a need for unmanned, unattended device ICAM? Are there special considerations for standards development for public safety services and technologies for 5G, and if so, are standards bodies addressing these issues? Is there a need for additional standards body involvement? III. Procedural Matters A. Ex Parte Rules 45. This proceeding shall be treated as a ‘‘permit-but-disclose’’ proceeding in accordance with the Commission’s ex parte rules. Persons making ex parte presentations must file a copy of any written presentation or a memorandum summarizing any oral presentation within two business days after the presentation (unless a different deadline applicable to the Sunshine period applies). Persons making oral ex parte presentations are reminded that memoranda summarizing the presentation must (1) list all persons attending or otherwise participating in the meeting at which the ex parte presentation was made, and (2) summarize all data presented and arguments made during the presentation. If the presentation consisted in whole or in part of the presentation of data or arguments already reflected in the presenter’s written comments, memoranda or other filings in the proceeding, the presenter PO 00000 Frm 00048 Fmt 4703 Sfmt 4703 may provide citations to such data or arguments in his or her prior comments, memoranda, or other filings (specifying the relevant page and/or paragraph numbers where such data or arguments can be found) in lieu of summarizing them in the memorandum. Documents shown or given to Commission staff during ex parte meetings are deemed to be written ex parte presentations and must be filed consistent with rule 1.1206(b). In proceedings governed by rule 1.49(f) or for which the Commission has made available a method of electronic filing, written ex parte presentations and memoranda summarizing oral ex parte presentations, and all attachments thereto, must be filed through the electronic comment filing system available for that proceeding, and must be filed in their native format (e.g., .doc, .xml, .ppt, searchable .pdf). Participants in this proceeding should familiarize themselves with the Commission’s ex parte rules. Federal Communications Commission. David Grey Simpson, Chief, Public Safety & Homeland Security Bureau. [FR Doc. 2017–01325 Filed 1–19–17; 8:45 am] BILLING CODE 6712–01–P FEDERAL DEPOSIT INSURANCE CORPORATION Sunshine Act Meeting Pursuant to the provisions of the ‘‘Government in the Sunshine Act’’ (5 U.S.C. 552b), notice is hereby given that at 10:01 a.m. on Wednesday, January 18, 2017, the Board of Directors of the Federal Deposit Insurance Corporation met in closed session to consider matters related to the Corporation’s supervision, corporate, and resolution activities. In calling the meeting, the Board determined, on motion of Vice Chairman Thomas M. Hoenig, seconded by Director Thomas J. Curry (Comptroller of the Currency), concurred in by Director Richard Cordray (Director, Consumer Financial Protection Bureau), and Chairman Martin J. Gruenberg, that Corporation business required its consideration of the matters which were to be the subject of this meeting on less than seven days’ notice to the public; that no earlier notice of the meeting was practicable; that the public interest did not require consideration of the matters in a meeting open to public observation; and that the matters could be considered in a closed meeting by authority of E:\FR\FM\23JAN1.SGM 23JAN1

Agencies

[Federal Register Volume 82, Number 13 (Monday, January 23, 2017)]
[Notices]
[Pages 7825-7830]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2017-01325]


=======================================================================
-----------------------------------------------------------------------

FEDERAL COMMUNICATIONS COMMISSION

[PS Docket No. 16-353; DA16-1282]


Fifth Generation Wireless Network and Device Security

AGENCY: Federal Communications Commission.

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: In this document, the Commission seeks comment on new security 
issues that implementation of the fifth generation (5G) wireless 
network and device security presents to the general public, and on the 
current state of planning to address these issues. The inquiry, 
focusing on cybersecurity for 5G, raises fundamental questions about 
scope and responsibilities for such security. The goal of this 
proceeding is to begin a conversation on the state of 5G wireless 
network and device security and to foster a dialogue on the best 
methods for ensuring that the 5G wireless networks and devices used by 
service providers in their

[[Page 7826]]

operations are secure from the beginning.

DATES: Comments are due on or before April 24, 2017; reply comments are 
due on or before May 23, 2017.

ADDRESSES: You may submit comments, identified by PS Docket No. 16-353, 
by any of the following methods:
     Federal eRulemaking Portal: https://www.regulations.gov. 
Follow the instructions comments.
     Federal Communications Commission's Web site: https://fjallfoss.fcc.gov/ecfs2/. Follow the instructions for submitting 
comments.
     Mail: Filings can be sent by hand or messenger delivery, 
by commercial overnight courier, or by first-class or overnight U.S. 
Postal Service mail. All filings must be addressed to the Commission's 
Secretary, Office of the Secretary, Federal Communications Commission.
     People with Disabilities: Contact the FCC to request 
reasonable accommodations (accessible format documents, sign language 
interpreters, CART, etc.) by email: FCC504@fcc.gov or phone: (202) 418-
0530 or TTY: (202) 418-0432.

For detailed instructions for submitting comments and additional 
information on the rulemaking process, see the SUPPLEMENTARY 
INFORMATION section of this document.

FOR FURTHER INFORMATION CONTACT: For further information, contact 
Gregory Intoccia of the Public Safety and Homeland Security Bureau, 
Communications Cybersecurity and Reliability Division, at (202) 418-
1470 or at Gregory.Intoccia@fcc.gov.

SUPPLEMENTARY INFORMATION: This is a summary of the Commission's Notice 
of Inquiry, DA 16-1282, adopted and released on December 16, 2016. The 
full text is available for public inspection and copying during regular 
business hours in the FCC Reference Center, Federal Communications 
Commission, 445 12th Street SW., Room CY-A257, Washington, DC 20554. 
This document will also be available via ECFS at https://transition.fcc.gov/Daily_Releases/Daily_Business/2016/db1216/DA-16-1282A1.pdf. Documents will be available electronically in ASCII, 
Microsoft Word, and/or Adobe Acrobat. The complete text may be 
purchased from the Commission's copy contractor, 445 12th Street SW., 
Roomy CY-B402, Washington, DC 20554. Alternative formats are available 
for people with disabilities (Braille, large print, electronic files, 
audio format), by sending an email to fcc504@fcc.gov or calling the 
Commission's Consumer and Governmental Affairs Bureau at (202) 418-0530 
(voice), (202) 481-0432 (TTY).

Synopsis

I. Introduction and Background

    1. Fifth generation (5G) wireless technologies represent the next 
evolutionary step in wireless communications. These networks promise to 
enable or support a diverse range of new applications, and will provide 
for a vast array of user requirements, traffic types, and connected 
devices. 5G communications technology could be particularly useful in 
enabling the growing number of high-capacity networks necessary for 
transformative business and consumer services, as well as backhaul, and 
communications related to the ``Internet of Things'' (IoT) technology.
    2. 5G has the potential to be an enormous driver of economic 
activity. It is a national priority to foster an environment in which 
5G can be developed and deployed across the country. That means both 
ensuring that networks are secure and that the regulatory obligations 
are measured. The Federal Communications Commission (FCC) has an 
opportunity at this stage to ensure that these new technologies and 
networks are secure by design. Therefore, while the FCC is moving 
quickly to make the spectrum needed for 5G available in the near term, 
it is also seeking to accelerate the dialogue around the critical 
importance of the early incorporation of cybersecurity protections in 
5G networks, services, and devices.
    3. In its July 2016 Spectrum Frontiers Report and Order, the FCC 
reiterated its view that communications providers are generally in the 
best position to evaluate and address security risks to network 
operations. Toward this end, the FCC adopted a rule requiring Upper 
Microwave Flexible Use Service licensees to submit general statements 
of their network security plans. The statements are designed to 
encourage licensees to consider security in their new 5G networks. The 
Public Safety and Homeland Security Bureau (PSHSB) issues this Notice 
of Inquiry (NOI) to seek input on the new issues raised by 5G security 
in order to foster dialogue between relevant standards bodies and 
prospective 5G providers on the best methods for ensuring that networks 
and devices are secure from the beginning.
    4. PSHSB intends this inquiry to complement the important work on 
cybersecurity that is already taking place within the government and 
private sector. The FCC, these other groups, and the wireless industry 
all have a significant interest in ensuring that these new networks 
consider security risk and mitigation techniques from the outset. This 
NOI, and the record it seeks to develop, will help in that effort.
    5. PSHSB recognizes that the inquiry, focusing on cybersecurity for 
5G, raises fundamental questions relative to scope and 
responsibilities. Security of network infrastructure, such as 
protecting software and hardware that are essential to signaling and 
control of Radio Access Networks and to ensure the proper operation of 
the network, creates one perspective. Another perspective, however, is 
the end-to-end security of both the network and the devices that 
connect to commercial network services. Devices and other network 
elements may be furnished by the service provider, third parties, and 
consumers themselves. Who should be responsible for cyber protections 
for a device, or should responsibility be shared in some recognizable 
manner across the 5G ecosystem? PSHSB also appreciates that 5G is not 
apt to be a separate network, but rather will be integrated with 
existing previous generation networks, perhaps indefinitely. Do 
questions about the cyber protections of 5G networks inherently 
implicate the other networks associated with them? Where should the 
lines between networks be drawn relative to responsibility for 5G 
cybersecurity?

II. Inquiry

    6. This NOI looks holistically at the security implications arising 
through the provision of a wide variety of services to various market 
sectors and users in the future 5G network environment. The NOI also 
explores 5G security threats, solutions, and best practices. As used in 
this NOI, ``security'' and ``information security'' refer to protecting 
data, networks, and systems from unauthorized access, use, disclosure, 
disruption, modification, or destruction, in order to protect 
confidentiality, integrity, and availability with respect to such 
networks, systems, and defined user communities. The terms 
``confidentiality,'' ``integrity,'' and ``availability,'' or ``CIA,'' 
are meant to refer to those three interrelated, and dynamic principles 
(``that collectively guide security practices and illustrate the 
various considerations that must be applied when developing a security 
posture for communications technologies and services. Confidentiality'' 
refers to protecting data from unauthorized access and

[[Page 7827]]

disclosure. ``Integrity'' refers to protecting data from unauthorized 
modification or destruction, both at rest and in transit. Finally, 
``availability'' refers to whether a network provides timely, reliable 
access to data and information services for authorized users. All three 
of these principles are fundamental to any security framework and are 
dynamically interrelated, and thus no particular principle should be 
addressed in isolation if 5G security is to be achieved.
    7. As an initial matter, the NOI seeks to understand the current 
state of security planning for 5G networks. Please comment on the 
current efforts across industry to study 5G security, develop security 
protocols and solutions, and triage 5G security issues when they arise. 
How are equipment developers considering security in the design of 5G 
equipment? How are service providers considering security in the 
planning of 5G networks and ensuring end-to-end security where 5G 
technology is integrated with prior generation technology in 
heterogeneous networks? How can the FCC support and enhance this work? 
What known vulnerabilities require increased study? How should 5G 
differ in terms of cybersecurity needs from its widely-deployed 
predecessor generation, 4G LTE? What cybersecurity lessons can be 
learned from 4G deployment and operational experience that are 
applicable to the 5G security environment? What should be different, if 
anything, between LTE pre-5G deployment and post-5G deployment?
    8. The Commission encourages commenters to consider this common 
thread throughout the NOI: how can the FCC, working together with other 
stakeholders, ensure the rapid deployment of secure 5G networks, 
services, and technologies?

A. Protecting Confidentiality, Integrity, and Availability

    9. The FCC seeks to promote 5G security through a ``security-by-
design'' approach to 5G development. The NOI seeks comment on the 
premise that, by utilizing the ``confidentiality,'' ``integrity,'' and 
``availability'' (CIA) principles, a firm may avoid or mitigate 5G 
network and device data security risk through strong, adaptive, 
protections against unauthorized use, disclosure, and access. What are 
the benefits and limitation of a security-by-design approach and of 
employing CIA principles?
    10. Please comment on how the CIA principles are being considered 
for 5G networks, systems, and devices. In particular, the NOI examines 
below how CIA principles are being taken into consideration with 
respect to authentication, encryption, physical security, device 
security, protecting 5G networks from cyber attacks, patch management, 
and risk segmentation of networks. This is a non-exclusive list, and 
comment is requested on other areas that are potential vulnerabilities 
for 5G.
1. Authentication
    11. Preserving the confidentiality and integrity of networks, 
systems, and data depends on limiting access to authorized users. This 
is typically accomplished through effective, and sometimes mutual, 
authentication. Mutual authentication generally requires that both 
entities involved in a transaction verify each other's identity at the 
same time. The NOI seeks comment on the use of authentication in 
networks today and whether existing authentication practices will be 
applicable to the 5G environment. The NOI further seeks comment on the 
effective use of mutual authentication, in particular, for protecting 
5G networks against unauthorized access and end-user devices against 
attaching to malicious network components, as well as the perceived 
limitations and drawbacks of those uses. Are there specific 
considerations that would apply to 5G devices? Under what circumstances 
would mutual authentication be considered essential to ensure or 
bolster security? Are there any circumstances where mutual 
authentication would not be beneficial? If a communications provider 
did not invest in mutual authentication, how would that likely affect 
its relative overall security risk? What other authentications 
methodologies might be effective for 5G security? Would the mass 
deployment of high-volume, low-cost 5G devices in IoT networks present 
particular authentication challenges? How can providers effectively 
authenticate the communications of high-volume, low-cost 5G devices--
device to device, device to network, and network to device? How can 
providers effectively address these challenges? Would it be appropriate 
for 5G architects to consider identity credentialing and access 
management, in addition to authentication?
2. Encryption
    12. Encryption can be an important aspect of protecting 
confidentiality, integrity and availability in communications 
environments. The NOI seeks comment on the planned deployment and use 
of encryption to promote 5G security, as well as on the perceived 
challenges, costs, and benefits of encryption at both the network and 
device levels.
    13. Please comment on whether currently available encryption 
protocols are effective in securing devices and are likely to be 
effective in a 5G environment in which innumerable, low-cost devices 
are expected to operate, as well as ways that 5G participants can 
address encryption key management and distribution mechanism 
challenges. Additionally comment is requested on stakeholder 
responsibilities with respect to objective encryption key management 
for 5G.
    14. Please also comment on whether encryption is necessary for all 
5G communications, and whether the decisions made by the 3rd Generation 
Partnership Project (3GPP) standards body that resulted in non-
encryption for such systems are rooted in increased latency, degraded 
performance due to added signaling or computational requirements, an 
interest in minimizing changes to LTE standards as 5G is standardized, 
or other factors. Please comment on what lessons, if any, can be 
learned from the underlying rationale of these decisions as they 
pertain to encryption for 5G communications.
    15. Finally, the NOI seeks comment on whether 5G service providers 
should distinguish between the application of encryption to products 
that would operate primarily on the 5G control plane and those that 
would be part of the user plane. If such a distinction is desirable, 
how should such a distinction be made?
3. Physical Security
    16. Physical security aims to protect networks and critical 
components of end-user devices, even where those devices are in the 
possession of unauthorized users. Please comment on physical security 
objectives and needs in the 5G environment, and on any other 
considerations the FCC should take into account in its examination of 
physical security of 5G networks and devices.
    17. What device- and network-based physical security methods would 
be most effective if applied to 5G devices? To what extent does lack of 
physical security pose a threat to, or introduce risk from unsupervised 
5G devices? To what extent does lack of physical security pose a threat 
to, or introduce risk from unsupervised 5G devices? Will the 5G 
environment present any new or unique challenges? What other issues and 
factors should the FCC consider on the question of preserving 
confidentiality, integrity and availability through physical security?

[[Page 7828]]

    18. What aspects or uses of 5G networks should be considered 
``mission critical'' and, as such, do they warrant special 
consideration with respect to physical security? What ``mission 
critical'' activities distinguish these networks and how can they be 
physically secured in the 5G environment? Should certain 5G networks be 
physically diverse at the network level as a result of the ``mission-
critical'' aspects they support or enable? If so, how should that 
diversity be achieved?
4. Device Security
    19. Ensuring the provision of confidentiality, integrity, and 
availability requires that devices are secure and capable of 
authenticating on the network. What methodologies will be used to 
protect the variety of devices connected to 5G networks? Is current SIM 
technology robust enough to ensure security without posing threats to 
consumers, service providers, or the underlying infrastructure? Will 
SIM technology be leveraged for 5G? Do standards for next generation 
SIM cards effectively address security and integrity concerns? What new 
security benefits or challenges are created by the use of eSIMs? Are 
there non-SIM methods that should be considered for high-volume, low-
cost devices, and if so, are standards bodies currently developing 
standards for such methods? What other issues and factors should the 
FCC consider on the question of preserving CIA through device security?
5. Protecting 5G Networks From DoS and DDoS Attacks
    20. A security exploit that targets network resources, such as a 
Denial-of-Service (DoS) or Distributed Denial of Service (DDoS) attack, 
could have an impact on availability of service by causing a total or 
partial disruption of service. The NOI seeks comment and supporting 
data on the mechanisms most likely to be effective at preserving 
confidentiality, integrity and availability through mitigation of DoS 
and DDoS attack risks in the planned 5G environment, including 
techniques for protecting both the network control and data planes. 
Which methods of defense against DoS and DDoS attacks are the most 
cost-effective?
    21. Please comment on whether additional standards are needed to 
assist in mitigating DoS and DDoS attacks. What anti-spoofing 
technologies are most likely to be effective in the 5G environment, and 
what are the challenges to their deployment?
6. Patch Management
    22. For more than a decade, communications security authorities and 
expert bodies, such as the FCC's Federal Advisory Committee for 
communications security policy development The FCC seeks comment and 
supporting data on patch management's role as part of a service 
provider's overall security risk management strategy in the 5G 
environment.
    23. Please also comment on which 5G network elements can be 
successfully maintained by service providers through patch management. 
There are generally four types of patches that are pushed to devices 
with service provider involvement: (1) Patches from service providers 
to their own infrastructure; (2) patches service providers require and 
push on to subscriber devices; (3) patches to third-party 
infrastructure that are leased by service providers but owned by a 
third party; (4) patches to subscriber devices that are sent by device 
manufactures under the direction of service providers. For each type of 
patch, please comment on processes that service providers and mobile 
device manufacturers should adopt to sustain an effective patch 
management program in the 5G environment. How do service providers and 
mobile device manufacturers routinely make themselves aware of new 
vulnerabilities that need to be patched? How soon after a vulnerability 
is discovered is the corresponding patch pushed to devices? What other 
mechanisms might preclude unauthenticated code from running on 5G 
devices that are connected to their networks?
    24. Please comment on how 5G service providers and equipment 
manufacturers can ensure that critical security software updates are 
installed on their subscriber devices in a timely fashion. How can 5G 
service providers effectively ensure firmware and software patch 
management related to security through their customer relationships? 
How common is it for manufacturers or service providers to rely on 
consumers to become aware of and install patches to their software and/
or hardware? What do 5G service providers plan to do to help ensure 
that a subscriber's devices remain ``patchable'' and/or 
``discoverable'' for purposes of device updates? How can consumers 
determine whether an older device or service, no longer being sold at 
retail, is still receiving security-related patches and whether it is 
still safe to use?
    25. Finally, please comment on whether relevant standards have been 
produced that present a common approach, or describe a best practice, 
to facilitate patch management procedures that can be applied 
regardless of the underlying device operating system in a 5G ecosystem. 
In the absence of any deployed standard, should this effort be 
explored, and if so, which standards body or forum would be the best 
candidate to address this issue? What other issues and factors should 
the FCC consider on the question of preserving CIA through patch 
management?
7. Risk Segmentation
    26. Risk segmentation involves splitting network elements into 
separate components to help isolate security breaches and minimize 
overall risk. Risk segmentation or network slicing might allow greater 
resiliency, more effective cyber threat monitoring and analysis and 
stronger security for network service supporting critical 
infrastructure communications (to include ICS and SCADA). Please 
comment on the use of segmentation in 5G networks and how segmentation 
can reduce risk in such networks.
    27. Please provide comments and supporting data on ways that 
segmentation could be achieved throughout the 5G ecosystem to ensure 
service providers have greater situational awareness and ability to 
respond to, and contain, security threats. What lessons have service 
providers and other enterprises learned about the application of 
segmentation in older networks that can be applied to 5G networks? To 
what extent can service providers use network segmentation 
technologies, such as a virtual private network (VPN) or other 
cryptographic separation, to help ensure that no device operating on 
their network's control plane is directly and immediately accessible 
via the Internet? Could VPNs or a similar mechanism be scaled in such a 
way that 5G providers could implement segmentation across their entire 
ecosystem? Please comment on the technologies used for network 
segmentation, and on how to ensure that future networks employing these 
new architectures use security-by-design principles to minimize 
security risk.
    28. Should segmentation in the 5G environment be based on geography 
or region, on type of function or device, or by community of interest? 
To what extent are service providers segmenting physical, logical and 
virtual risks? Please comment on what 5G service providers plan to do 
to establish logical and physical separation of different bands and/or 
receive antennas in order to improve integrated device security.

[[Page 7829]]

    29. Please comment on whether certain network elements or 
activities merit special consideration with respect to risk 
segmentation. To what extent are such segmentation strategies effective 
in reducing security risk?
    30. Risk segmentation can also be applied to devices in terms of 
firmware, software, and data. In some cases, configuration data may be 
set as read-only by the device, but can only be changed by the service 
provider. Please comment on whether privacy features and requirements 
have been standardized in organizations like 3GPP (and to what extent 
they will be standardized for 5G) to support confidentiality and 
integrity of information. What other issues and factors should the FCC 
consider on the question of preserving CIA through segmentation?
    31. Finally, with respect to each of the topics discussed above, 
the FCC seeks information regarding which standards bodies are involved 
and the state of standards development to protect CIA in the 5G 
environment. Is there a need for additional standards body involvement?

B. Additional 5G Security Considerations

1. Overview
    32. It is widely expected that 5G networks will be used to connect 
the myriad devices, sensors and other elements that will form the 
Internet of Things (IoT). The anticipated diversity and complexity of 
these networks, how they interconnect, and the sheer number of discrete 
elements they will comprise raise concerns about the effective 
management of cyber threats. How can holistic security objectives for 
5G be established? What roles can service providers and device 
manufacturers play to reduce security risk for various communities of 
interest? How should service providers, device manufacturers, standards 
bodies and the FCC coordinate their efforts? Are there particular 
standards being developed for 5G IoT applications? Finally, please 
comment on benefits and costs associated with effective hardware, 
firmware, software, and application security for 5G.
    33. Please provide comments on the extent to which IoT devices 
could place 5G networks at unique risk. For example, are there 
particular vulnerabilities that arise from, or are increased by, the 
fact that 5G communications have relatively short range and rely on 
multiple access points? It is possible that some of IoT devices will 
have limited security features. Could this have a negative effect on 
overall 5G network security? If so, what roles can network equipment 
providers, ISPs and device manufacturers play, by themselves and in 
coordination, to mitigate the risks? Are any lessons being learned from 
the October 2016 DDoS attacks relevant to 5G? Where risk externalities 
exist? How will the 5G marketplace address cybersecurity risk in the 
commons?
    34. Please comment on whether and how security needs for 5G IoT 
devices might differ from other infrastructures, including, in 
particular, each of the critical infrastructure sectors. What 
expectations would various critical infrastructure sectors likely have 
for the security capabilities and features of 5G services? Does the 
government have a role where residual risk unduly threatens critical 
infrastructure or national security, and if so, what should it be?
    35. Given the likely unprecedented diversity of connected devices 
and their manufacturers, comment is sought on whether 5G security could 
be challenged by hardware issues, including threats from a compromised 
supply chain. How are service providers and equipment manufacturers 
currently assessing supply chain risks? Are they assessing risks 
consistent with NIST guidelines? The FCC seeks comment on whether, and 
if so, how 5G service providers should ensure the provenance of the 
hardware, firmware, software, and applications operating in their 
environments. What special considerations, if any, should be applied 
relative to 5G supply chain risks?
    36. Please comment on benefits and costs associated with effective 
hardware, firmware, software, and application security for 5G. What are 
the costs associated with updating existing hardware, firmware, 
software, and applications versus the costs of adding entirely new 
elements for a totally new security posture? Is there a role for 5G-
specific third party security entities? Do benefits and costs vary 
depending on the use of open-source software compared to proprietary 
software? What are the costs of adding security-specific features to 5G 
network hardware, firmware, software and applications? Are there scale 
economies observed across local, regional, and nationwide 5G networks? 
Finally, what other issues or factors should the FCC consider with 
respect to the preservation of confidentiality, integrity and 
availability in the 5G environment?
2. Roles and Responsibilities
    37. Because of the anticipated proliferation of 5G networks and the 
devices that will be deployed on them, there is a chance that the cyber 
integrity of the network as a whole could be overlooked on the 
assumption that another network participant would be responsible. Is 
this a valid concern? Please provide comments on who should be 
responsible for assuring cyber security across the 5G ecosystem, what 
principles should guide the management of cyber risk, and how cyber 
risk should be managed within companies. How should providers work 
together across the 5G ecosystem to achieve desirable outcomes in cyber 
risk management?
    38. Relatedly, please provide information on how the 5G ecosystem 
will share information about cyber threats and concerns. Please comment 
on whether an Information Sharing and Analysis Organization (ISAO) 
construct could be or should be applied to the 5G ecosystem. Would it 
be appropriate to develop a 5G-specific ISAO? Should 5G networks be 
instrumented to support automated cybersecurity threat indicators and 
network anomaly information sharing and analysis? Is an ISAO or 
multiple ISAOs the right focal point for automated cyber information 
sharing and analysis? Should it address IoT concerns more broadly or 
focus on network-based considerations? Who should be involved? Should 
work of ISAOs dealing with related topics be formally coordinated? If 
so, how? What are the proper roles of standards bodies, advisory 
committees such as the North American Numbering Council (NANC), 
industry authorities, numbering and data services and the FCC?
    39. The NIST Framework for Improving Critical Infrastructure 
Cybersecurity Framework (NIST CSF) has been voluntarily used by members 
of the critical infrastructure community, including the communications 
sector, for several years to help manage cybersecurity risk. Please 
comment on whether, and if so how, the NIST CSF can be used to manage 
risk for 5G service providers and networks. The NIST CSF includes 
several top level organizational functions that can be performed 
concurrently and continuously to form an operational culture that 
addresses dynamic security risk, namely, Identify, Detect, Protect, 
Respond, and Recover (IPDRR). Please comment on unique factors with 
respect to these functions that should guide 5G design, standards 
development and operations.
3. Other Considerations
    40. Are there additional functions that should be considered in the 
5G environment? How should addressing

[[Page 7830]]

and naming be accommodated for 5G? Are stakeholders working to evolve 
any of today's numbering schemas to encompass 5G? What practical steps 
should 5G planners take in order to ensure that the functions discussed 
in this NOI, and any other relevant functions, are properly considered 
and implemented within their respective organizations?
4. Benefits and Costs
    41. Please comment on the public harm expected to result from 
failure to integrate confidentiality, integrity and availability into 
5G networks through authentication, encryption, physical and device 
security, protecting against DoS attacks, patch management and risk 
segmentation. Could failure to implement these measures decrease 
broadband adoption and detract from its productive economic use? Could 
it reduce the risk of loss of competitively sensitive information for 
businesses? Could it prevent the loss of consumers' personally 
identifiable information? Could it play a role in preventing the 
unnecessary loss of life or property by, for example, preventing 
malicious intrusion into critical infrastructure? How should the FCC 
quantify these benefits in terms of their economic impact? What other 
benefits would likely stem from an appropriately secure 5G network?
    42. Please comment on the costs associated with the implementation 
of the measures discussed above as investments early in the design and 
build plans of networks, as opposed to ``bolt-on'' security after 
deployment. Are there opportunities for 5G implementation that would 
only be realized if networks are perceived to be secure? Are there some 
security elements that, by plan, should be ``just in time'' or reactive 
investments, based on realized threats, after 5G implementation? Would 
these costs include those associated with updating existing hardware, 
firmware, software, and applications? How would the costs of system 
updates compare to the costs of adding entirely new elements for a 
totally new security posture? Do benefits and costs vary depending on 
the use of open-source software compared to proprietary software? If 
so, to what extent are open-source solutions available that could 
reduce costs? Are there scale economies observed across local, regional 
and nationwide 5G networks? Please comment on specific costs associated 
with authentication, encryption, physical and device security, 
protecting against DDoS attacks, patch management and risk segmentation 
in the 5G environment.

C. 5G Implications for Public Safety

    43. Many public safety services and technologies are undergoing 
radical change as underlying networks transition from legacy to IP-
based modes. Will any new categories of public safety sensors or other 
machine-based tools become an included part of 5G public safety 
communications architecture? The development of 5G networks will 
potentially contribute new capabilities to these IP-based public safety 
platforms while also creating new challenges, including security 
challenges, for public safety entities.
    44. Please comment on the security implications of linking or 
integrating 5G networks with IP-based public safety communications 
platforms. Could this create new security risks or vulnerabilities for 
NG911, first responder communications, or emergency alerting? What 
responsibility should 5G service providers have for mitigating and 
managing these risks? Conversely, could 5G networks help reduce 
security risks that public safety faces in migrating from legacy to IP-
based technologies? Could 5G services support ICAM in a manner that 
reduces these security risks? Should public safety anticipate a need 
for unmanned, unattended device ICAM? Are there special considerations 
for standards development for public safety services and technologies 
for 5G, and if so, are standards bodies addressing these issues? Is 
there a need for additional standards body involvement?

III. Procedural Matters

A. Ex Parte Rules

    45. This proceeding shall be treated as a ``permit-but-disclose'' 
proceeding in accordance with the Commission's ex parte rules. Persons 
making ex parte presentations must file a copy of any written 
presentation or a memorandum summarizing any oral presentation within 
two business days after the presentation (unless a different deadline 
applicable to the Sunshine period applies). Persons making oral ex 
parte presentations are reminded that memoranda summarizing the 
presentation must (1) list all persons attending or otherwise 
participating in the meeting at which the ex parte presentation was 
made, and (2) summarize all data presented and arguments made during 
the presentation. If the presentation consisted in whole or in part of 
the presentation of data or arguments already reflected in the 
presenter's written comments, memoranda or other filings in the 
proceeding, the presenter may provide citations to such data or 
arguments in his or her prior comments, memoranda, or other filings 
(specifying the relevant page and/or paragraph numbers where such data 
or arguments can be found) in lieu of summarizing them in the 
memorandum. Documents shown or given to Commission staff during ex 
parte meetings are deemed to be written ex parte presentations and must 
be filed consistent with rule 1.1206(b). In proceedings governed by 
rule 1.49(f) or for which the Commission has made available a method of 
electronic filing, written ex parte presentations and memoranda 
summarizing oral ex parte presentations, and all attachments thereto, 
must be filed through the electronic comment filing system available 
for that proceeding, and must be filed in their native format (e.g., 
.doc, .xml, .ppt, searchable .pdf). Participants in this proceeding 
should familiarize themselves with the Commission's ex parte rules.

Federal Communications Commission.
David Grey Simpson,
Chief, Public Safety & Homeland Security Bureau.
[FR Doc. 2017-01325 Filed 1-19-17; 8:45 am]
 BILLING CODE 6712-01-P
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.