FCC advisory group reports on measures to improve communications supply chain security

A recent report prepared for the Federal Communications Commission (FCC) by one of its advisory groups finds that new vulnerabilities keep emerging and the attack surface keeps growing, weakening software supply chain security as it stands today. Technological advances have created a plethora of complications and challenges, particularly for end-to-end interoperability in a multi-vendor environment.

Recent breaches have exposed risks in segments of the supply chain that have resulted in previously trusted systems becoming compromised, showing that the threat is pervasive and extends well beyond the telecommunications network itself. It reaches into the software components and cloud-based services that service providers rely on to manage and operate their networks.

The report released by the FCC's Communications Security, Reliability, and Interoperability Council (CSRIC VIII) recommended, among other things, that the FCC engage with the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) to support an effort to create universal standards and specifications for software supply chain security. These should apply regardless of the industry segment from which they are viewed.

It also suggested that the FCC could foster collaboration among the various federal agencies and industry. Additionally, the FCC could engage with CISA and NIST on the standardization of SBOM (Software Bill of Materials) formats, uses, and deployments, since these are critical to addressing software supply chain vulnerabilities globally. Software and hardware vendors develop and sell products and services to a global community, so these issues need to be addressed very broadly across the industry.

The CSRIC VIII group reports that service providers source software from different vendors and cloud service providers as they transform and evolve into the next generation of service offerings. SBOM guidance and oversight by government and industry bodies should therefore consider the broad set of software vendors and cloud service providers that play important roles in the supply chain.

Speaking to the advisory group, acting chairwoman Jessica Rosenworcel said that the “CSRIC VIII will be co-chaired by the Cybersecurity and Infrastructure Security Agency—or as most of us know it—CISA. This is really important. CISA leads the coordinated national effort to enhance the security, resiliency, and reliability of our cybersecurity and communications infrastructure.”

The CSRIC VIII group was tasked with producing two reports focused on supply chain security in the context of telecommunications. The current report focuses on software supply chain security in the new ecosystem with service providers, cloud service providers, and software vendors to identify recommended best practices to improve communications software supply chain security. The second report, expected in May next year, will focus on infrastructure (hardware) and network management systems supply chain security.

Recent breaches of trusted software vendors have exposed risks in segments of the supply chain that have resulted in previously trusted systems becoming compromised. These intrusions highlight that the threat is pervasive and extends well beyond the telecommunications network itself and into software components and cloud-based services that service providers rely on to manage and operate their networks. Attacks on these operational networks could have a significant impact on emergency 911 calls and national security communications. 

Early on, Working Group 5 (WG5) realized that the discovery effort for the report would be broad and extensive for two reasons. Firstly, the service provider industry is transitioning from traditional proprietary bare-metal platforms from a single vendor to a virtualized compute environment consisting of software from multiple software vendors and possibly cloud service providers. The transformation brings in multiple vendors and, through vertical and horizontal disaggregation of the service provider's network, the potential to introduce new vulnerabilities. Secondly, as the U.S. emerges from the COVID-19 pandemic and recovers from major cyberattacks on various widely used software products, it is fully realizing the potential impact of supply chain security issues.

The key objective of WG5 has been to identify recommended best practices, rank-order them based on the participants' experience and corporate backgrounds, and subdivide the ranking into those most applicable to large and small service providers, software vendors, and cloud service providers across the industry. The report covers recent software supply chain attacks and vulnerabilities, including SolarWinds, Kaseya, and Apache Log4j.

The basic research plan for the report has been to solicit real-world inputs and contributions from Working Group 5 members and to invite guest speakers and subject matter experts to share insights during the work group meetings. The work group members evaluated recent executive orders, government agency publications, industry publications, industry forum responses, standards development organizations' specifications, and recent supply chain cyberattacks. For each artifact reviewed, the work group captured its analysis, highlighting the key aspects along with its findings and recommendations to further strengthen that artifact.

From all of the evaluated artifacts, the work group identified a few key findings and recommendations aimed at moving toward a sustainable and repeatable supply chain security ecosystem for service providers, software vendors, and cloud service providers.

The CSRIC VIII report said that despite these published supply chain enhancements, there are still gaps in the industry today that need modernizing. "SBOM operationalization is a work in progress and additional work is required. This work group has created a list of SCRM enhancement considerations," it added, referring to supply chain risk management.

For the service provider, software vendor, and cloud service provider, there is no clear and concise definition of the minimum data fields required in an SBOM, the CSRIC VIII report disclosed, adding that this lack of industry standardization needs to be addressed. The report also observed that a cybersecurity operations capability might have alerted the service provider, software vendor, and/or cloud service provider to the attack(s) and mitigated recent software supply chain cyberattacks. The work group suggests that broader discussions within the industry be conducted, possibly leading to studies on runtime security.

While the work group was not specifically chartered to produce a security report on open source software, the report does provide several open source security recommendations; the topic itself should be researched independently in a future CSRIC session.

The CSRIC VIII report also provides an analysis of current industry and governmental efforts, including U.S. President Joe Biden's Executive Order 14028, the minimum elements for an SBOM released by the National Telecommunications and Information Administration (NTIA), and NIST's guidance on practices that enhance software supply chain security.
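The report's complaint that there is no agreed definition of the minimum SBOM data fields is easiest to see with a concrete check. The following is an added example for this article, not code from the CSRIC VIII report or from any SBOM tool: it loads a CycloneDX-style JSON SBOM and reports which of the seven NTIA minimum elements (supplier name, component name, component version, other unique identifiers, dependency relationship, author of SBOM data, timestamp) are missing. The mapping from NTIA elements to CycloneDX field names is an assumption made here for illustration, and the sample SBOM is constructed with deliberate gaps.

```python
"""Check a CycloneDX-style JSON SBOM against the NTIA minimum elements.

Added example; not the CSRIC VIII report's or any vendor's code. The seven
NTIA minimum elements are real; the field-to-element mapping below is an
assumption based on the CycloneDX 1.4 JSON layout, and SAMPLE_SBOM is a
constructed document with intentional gaps.
"""
import json

NTIA_ELEMENTS = (
    "supplier name", "component name", "component version",
    "other unique identifiers", "dependency relationship",
    "author of SBOM data", "timestamp",
)

# Constructed sample: the first component is complete; "lib-b" has no
# version, no supplier, no unique identifier, and is absent from the
# dependency graph.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {
        "timestamp": "2022-09-01T12:00:00Z",
        "authors": [{"name": "example-sbom-tool"}],
    },
    "components": [
        {
            "type": "library",
            "bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1",
            "name": "log4j-core",
            "version": "2.17.1",
            "supplier": {"name": "Apache Software Foundation"},
            "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1",
        },
        {"type": "library", "bom-ref": "lib-b", "name": "some-internal-lib"},
    ],
    "dependencies": [
        {"ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1",
         "dependsOn": ["lib-b"]},
    ],
})


def check_minimum_elements(sbom_json):
    """Return a list of (element, detail) gaps; an empty list means all present."""
    bom = json.loads(sbom_json)
    gaps = []

    # Document-level elements: timestamp and author of the SBOM data.
    meta = bom.get("metadata", {})
    if not meta.get("timestamp"):
        gaps.append(("timestamp", "metadata.timestamp missing"))
    if not any(a.get("name") for a in meta.get("authors", [])):
        gaps.append(("author of SBOM data", "metadata.authors has no named author"))

    # Dependency relationships: every component should appear as a "ref"
    # in the dependency graph, even if it depends on nothing.
    deps = bom.get("dependencies")
    if deps is None:
        gaps.append(("dependency relationship", "no dependencies section"))
    refs_in_graph = {d.get("ref") for d in deps} if deps else set()

    # Component-level elements.
    for comp in bom.get("components", []):
        label = comp.get("bom-ref") or comp.get("name") or "<unnamed>"
        if not comp.get("name"):
            gaps.append(("component name", f"{label}: no name"))
        if not comp.get("version"):
            gaps.append(("component version", f"{label}: no version"))
        if not (comp.get("supplier") or {}).get("name"):
            gaps.append(("supplier name", f"{label}: no supplier.name"))
        if not any(comp.get(k) for k in ("purl", "cpe", "swid")):
            gaps.append(("other unique identifiers", f"{label}: no purl/cpe/swid"))
        if deps is not None and comp.get("bom-ref") not in refs_in_graph:
            gaps.append(("dependency relationship", f"{label}: not in dependency graph"))
    return gaps


def missing_elements(sbom_json):
    """Sorted names of NTIA elements for which at least one gap was found."""
    return sorted({element for element, _ in check_minimum_elements(sbom_json)})


if __name__ == "__main__":
    for element, detail in check_minimum_elements(SAMPLE_SBOM):
        print(f"{element:26} {detail}")
    print("missing:", missing_elements(SAMPLE_SBOM))
```

Run on the constructed sample, the check flags four elements, all on the internal component: no version, no supplier, no unique identifier, and no entry in the dependency graph. Real SBOMs vary in how (and whether) they encode the supplier and the dependency graph, which is exactly the standardization gap the report describes; a consumer cannot write a single check like this against SBOMs from several vendors without first agreeing on the field mapping.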

Last month, the FCC's Public Safety and Homeland Security Bureau added equipment and services from two Chinese telecom firms to its list of communications equipment and services deemed a threat to national security. The two vendors are China Unicom (Americas) Operations Limited, and Pacific Network together with its wholly owned subsidiary ComNet (USA) LLC.