On September 27, 2019, the Subcommittee on Communications and Technology of the U.S. House of Representatives Committee on Energy and Commerce convened a hearing on "Legislating to Secure America's Wireless Future." The hearing focused on how the telecommunications industry can use cutting-edge technology to improve the power of our airwaves while securing our nation's networks. Doing this, said Energy and Commerce Chairman Frank Pallone, Jr., and Communications and Technology Subcommittee Chairman Mike Doyle, means "pushing ahead with legislation to root-out suspect network equipment nationwide and explore ways to improve coordination and management of spectrum resources to better serve the American people." The subcommittee asked experts from industry and the public sector to provide testimony on these challenges. It also asked me to represent the Carnegie Mellon University Software Engineering Institute (SEI), a nonprofit Federally Funded Research and Development Center that conducts research for the U.S. government, to draw on our years of research on this topic to testify before members of the subcommittee. This blog post presents a summary of that testimony.

Role of Telecommunication Companies in Security

The telecommunications sector is a global system--made up of companies, suppliers, and users--that makes communication possible. The infrastructure created by the telecoms touches all of us and allows the transmission of data, whether it is video through the airwaves or cables, audio through the phone or Internet, or voice through wires or wireless transmission. But these connections also have vulnerabilities that create attack surfaces in connected hardware, firmware, and software that must be secured and monitored.

Moreover, the explosion of edge devices, such as mobile phones, within the telecom infrastructure has only increased the attack surface and therefore the responsibility of the telecoms to protect their users. The role that telecoms play in buffering risks from devices they do not control or purchase makes it all the more important for them to ensure the security of those parts they do buy. Ultimately, securing the supply chain for the telecommunications industry is vital to achieving security at scale.

What Is Supply Chain Security?

The rapid growth of the Internet and its role in the transfer of data between telecoms has blurred and blended the boundary between telecom equipment and information technology (IT) hardware. This blending is now defined as information and communications technology (ICT), which emphasizes the integration of telecommunications (telephone lines and wireless signals), computers, enterprise software, middleware, storage, and audiovisual systems that allows users to access, store, transmit, and manipulate information.

As John Haller wrote in a 2015 SEI Blog post, when an organization invests in a third-party component or service, safeguards, such as licenses, warranties, and regulations, have typically insured against defects or failures. Unfortunately, traditional safeguards are insufficient to protect the global supply chains and complex ICT of today's telecommunications industry. The telecoms must now concern themselves with the possibility that third-party suppliers might provide hardware or software maliciously tainted with malware that would harm the acquiring organization or its customers and stakeholders.

All organizations have dependencies on others and receive goods and services not directly under their control. The challenge is how they can have confidence in the security practices and processes of their suppliers. In our rapidly evolving ICT domain, "the capabilities of today's software technology environment, the need to outsource, and the interaction between off-the-shelf and open source software products have far outpaced our ability to effectively monitor and manage the risk using traditional methods."

What Happens Without Supply Chain Security?

Our ICT assets are under constant attack, yet thwarting the active attacker is not something most designers, engineers, developers, or project managers have been trained to address. Moreover, most fail to acknowledge the dangers of integrating third-party supplies that may already contain malicious software or hardware. No matter how secure you think your systems might be, if your suppliers are not secure, your systems are at risk. Failing to consider the security of your supply chain endangers the daily communications of millions of people, organizations, agencies, corporations, and communities.

Any variety of malicious actors who intend to disrupt services, damage equipment and facilities, steal trade secrets or other sensitive corporate data, or alter sensitive information can target the telecom infrastructure, either from the outside in an attack or from within as a supplier. Maintaining good supply chain security is therefore paramount to preserving integrity and trust in the systems.

We must recognize the telecom infrastructure as the backbone of essential services that depend on connectivity, such as emergency response, utility, transportation, and financial services. Moreover, telecoms provide "vital infrastructure for national security. From natural disaster recovery, to homeland security, to communication of crucial intelligence, to continued military superiority, telecommunications play a pivotal role." The ramifications of an attack anywhere on the telecom infrastructure could spread well beyond the point of origin and affect private citizens, businesses, and entire nations.

Future Recommendations: How Should Telecoms Secure the Supply Chain?

Recognizing the potential risks from supply chain vulnerabilities is an important first step. Thinking about an ICT enterprise as a combination of equipment, software, services, and support infrastructure helps us understand how to approach supply chain concerns. As technology comes into an ICT enterprise, it isn't enough to work through the security controls that are traditionally used to understand security risks. Encouraging resilience as a criterion in every stage of development and supply of ICT must be the forward-leaning focus of the software and supply chain assurance efforts within government and industry. Attacks against our supply chains unite acquirers and suppliers in search of scalable means for sharing information about ICT risks that arise through malice or negligence. Suppliers and acquirers need standardized means for conveying information about common issues related to both the hardware and software components of ICT, especially regarding nonconforming products that contain counterfeit, tainted, or defective components that can cause harm.

Fundamentally, the outcomes and risk factors we seek to manage are simple, even if the methods to accomplish them are not:

1. Suppliers follow practices that reduce supply chain risks.
2. Products provided by suppliers are acceptably secure.
3. The methods of product distribution or transmission to the purchaser guard against tampering.
4. The product or service is used and sustained with acceptable security.
   

The Acquisition Security Framework and the External Dependencies Management element of the CERT Resilience Management Model developed and validated through research at the SEI's CERT Division demonstrate that the following four practice areas are elements of a mature supply chain risk management effort: relationships, engineering, secure product operations and sustainment, and supply chain technology and infrastructure.

Supply chain risks are not just managed through technical means; they rely on establishing and sustaining a relationship between members of the supply chain. We have moved beyond the days when we were concerned mostly with identifying and integrating "black-box" parts to a concern with more integrated systems with similarly integrated supply chains and dependencies. The ability to maintain production schedules also requires this same relationship management. Through these efforts, companies in the telecommunications sector will have more insight into the risks and benefits provided by the suppliers.

Engineering comprises practices to build appropriate cybersecurity controls into systems, operational technologies, and components and minimize the chance of accidentally inserting vulnerabilities. Quality products and services are the result of effective engineering practices and sound test processes. But they also must include distribution and release mechanisms that ensure the released products meet defined requirements, design, and security controls.

An element of this practice area includes understanding the entities within the supply chain. At a basic level this might be a bill of materials--a familiar concept in physical-world manufacturing, such as cars and aviation--which lists all the ingredients of a product. The bill of materials enables understanding about a product and provides the ability to track defects and changes through the supply chain. Such an inventory can be done with not only hardware components, but also software and service components.

The National Telecommunications and Information Administration (NTIA) is over a year into a multistakeholder process for software bills of materials (SBOMs), nearing the end of Phase 1. The CERT Division's Art Manion co-chairs the Framing Working Group, which is developing an approach for how manufacturers and vendors can communicate useful and actionable information about third-party software components and how enterprises can use this data to inform better security decisions and practices. The NTIA group is examining existing formats, such as the software package data exchange (SPDX) and software identification (SWID) tags. The goal of this initiative is to foster a market that offers greater transparency to organizations, which can then integrate this data into their risk management approaches.

SBOMs are already being used for license compliance, mainly when commercial vendors include open source components. Just as in the physical world, the supplier of the component, part, or software must define it and provide the SBOM. The SBOM has to support nesting, recursion, and relationships (the physical world calls this the multi-level BOM). Last, telecom dependencies can be complex, and often key dependencies like public services (e.g., law enforcement and shared infrastructure) can be overlooked without a proper accounting.

Supply chain concerns do not end when the product or service reaches deployment. The telecoms and their suppliers must maintain products and services in their most secure configuration and with the most recent updates. This maintenance requires not only patching what the telecoms own but also ensuring that fielded capabilities are operating with the securest versions. This need demonstrates an important use case for SBOMs. Telecommunications systems have multi-vendor vulnerabilities and no definitive knowledge about who or what is affected. SBOMs can provide this knowledge.

With the integration of development and supply chains, it is also important to secure the technology and infrastructure used to operate the supply chain itself. These efforts range from securing the tools used to develop, integrate, and test software to sustaining situational awareness requirements for suppliers themselves. Telecoms must address a range of risk factors as a part of a mature effort to manage their external dependencies.

Supply chains can be complex. Communication provider supply chains are often global and support software, hardware, and services that provide vital capabilities for public safety and national security. As private and public functions grow ever more inseparable from the IT systems that support them, healthy public-private partnerships become even more necessary. Protecting this infrastructure against cyber threats requires a layered approach. The government's role in this effort is to share information and encourage advanced security and resilience practices, while identifying and addressing gaps not filled by the marketplace.

Information pertinent to the supply chain, such as vulnerabilities, attack vectors, and supplier security practices, should be shared along with mitigation plans whenever possible. Information sharing collaborations are best built on a shared objective that enables all members to recognize value in the collaboration. Using common languages for sharing helps increase the efficiency of sharing groups.

For example, the Common Vulnerabilities and Exposures (CVE) list serves as a means to communicate about vulnerabilities. The CVE is an extensive listing of publicly known vulnerabilities found after ICT components have been deployed, and it has enabled operations groups to prioritize, patch, and remediate over 60,000 openly reported vulnerabilities. Remediation is a crucial part of the security process, and while our work with the Defense Industrial Base highlights the benefits of information sharing, it also emphasizes the need to ensure that everyone at the table--big or small--can take appropriate action to mitigate threats.

Last, we should guard against the false choice between security and innovation. It is common to hear that regulations hinder or prevent innovation. Yet regulated industries, such as health care and finance, still practice innovation. Although it is hard to predict the future impact of telecommunications technologies, services, and applications not yet invented, the technology must continue to evolve quickly, and the industry must prevent security technology and concepts from becoming pacing factors in this evolution. Both innovation and security are necessary, and it is possible to have both.

The full written testimony is available on the web page of the House Committee on Energy and Commerce website.

Read an article, published in CrossTalk, about cyber risks in the defense supply chain.

Read a blog post that focuses on best practices to mitigate insider threat in a supply chain.

Browse presentations from our September 2019 Software and Cyber Solutions Symposium, which focused on acquisition, security, and the supply chain.