At a glance.
- NIST's advice on remote work.
- US publishes National Strategy to Secure 5G.
- US voting may now be as secure as it will be before November.
NIST offers advice on telework.
Companies and other organizations that can do so have turned to remote work under the current state of pandemic emergency. NIST has used its March ITL Bulletin to offer some timely advice about secure teleworking. The advice is pitched to enterprise IT organizations, not individual users, but enterprises of many sizes will find it useful. As is NIST's way, the advice and standards it offers are determinedly non-coercive.
Four "Lines of Effort" in US 5G security strategy.
The White House yesterday released the US National Strategy to Secure 5G. Apparently the document was ready to go Monday, when the Secure 5G and Beyond Act, which included provisions requiring the President to develop such a strategy, was signed into law. The Strategy also refers, in its introduction, to the National Cyber Strategy, and specifically to that document's charge to establish policy for emerging telecommunications networks. "The Administration will facilitate the accelerated development and rollout of next-generation telecommunications and information communications infrastructure here in the United States, while using the buying power of the Federal Government to incentivize the move towards more secure supply chains. The United States Government will work with the private sector to facilitate the evolution and security of 5G, examine technological and spectrum-based solutions, and lay the groundwork for innovation beyond next-generation advancements."
The National Strategy to Secure 5G defines four “lines of effort”:
- First, “Facilitate Domestic 5G Rollout.”
- Second, “Assess Risks to and Identify Core Security Principles of 5G Infrastructure.” This line of effort has two tasks. The Government will "assess the risks posed by cyber threats to and vulnerabilities in 5G infrastructure" in partnership with state, local, and tribal governments, and with the private sector. The risk assessment will include economic as well as national security risks, and it will entail maintaining "an understanding of the global 5G market and 5G capabilities and infrastructure." The second task is to "develop security principles for 5G infrastructure in the United States." This would involve working with the private sector to develop and apply "core security principles" that would include promulgation of best practices in "cybersecurity, supply chain risk management, and public safety." Particular mention is made of the Prague Proposals issued in May 2019.
- Third, “Address Risks to United States Economic and National Security During Development and Deployment of 5G Infrastructure Worldwide.” This line also includes two tasks. The first is to "manage the supply chain risks in United States Government infrastructure, including 5G." This would involve pursuing a "whole-of-government" approach to supply chain risk that would be consistent with the Federal Acquisition Supply Chain Security Act of 2018, and that would work through the Federal Acquisition Security Council that law established. The second task is to "address the risk of 'high-risk' vendors in United States 5G infrastructure." (The classic, but in this document unnamed, example of a high-risk vendor is the Chinese firm Huawei.) Executive Order (E.O.) 13873 of May 15, 2019, “Securing the Information and Communications Technology and Services Supply Chain,” establishes authorities "to prohibit transactions that involve information and communications technology or services designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary that pose an undue or unacceptable risk to the national security of the United States." (That is, companies like Huawei.)
- And, fourth, “Promote Responsible Global Development and Deployment of 5G.” The three tasks in this line of effort commit the US to working with "like-minded states" to develop international norms appropriate to the risks and opportunities 5G technology presents. The first task, to "develop and promote implementation of international 5G security principles," again commits the US to working with foreign partners to promote the Prague Proposals. The second task is to "promote United States leadership in international standards development and adoption." This work will proceed in cooperation with international partners, but also with domestic commercial and academic partners. It will require expanded US Federal interagency coordination, and it is intended to emphasize "open and transparent processes to develop timely, technically robust, and appropriate standards." The final task is to "incentivize market competitiveness and diversity of secure 5G infrastructure options." The strategy wants to foster the kind of competition that will avoid having the market dominated by a single, low-cost vendor.
The Strategy recognizes the importance of economic risk. Untangling the 5G infrastructure market from low-cost but risky Chinese vendors will not be easy, but it's noteworthy that the Strategy does envision market solutions as opposed to straight-up prohibitions. Lawfare suggests some historical examples that might inform such a relatively nuanced approach.
You go to war with the army you have, and you vote on the machines the precinct's got.
The Washington Post offers a generally pessimistic view of the likelihood (the very small likelihood, in the Post's view) that much more can be done on election security before this November's US voting begins.