President Signs Two Broadband Bills

On March 24, President Trump signed two bills designed to enhance the availability and security of 5G and other broadband services. The first bill, the “Broadband Deployment Accuracy and Technological Availability Act” or the “Broadband DATA Act,” requires the FCC to develop rules for fixed, satellite and mobile broadband providers to create and update accurate maps of broadband coverage across the country, and to prohibit broadband providers “from selling, leasing, or otherwise disclosing for monetary consideration any personally identifiable information to any other entity other than for purposes authorized under this title.” Especially in these times when people are forced to work remotely, Congress has found that it is critical to enhance the amount of broadband coverage, noting that “98.3 percent of those living in urban areas have access to high-speed broadband, while that number is 73.2 percent for rural areas, and 67.6 percent for Tribal lands.” The first step in enhancing broadband coverage is to know where true broadband exists, and where it doesn’t.

But be wary. As people crush the current broadband networks by telecommuting, they quickly learn the tyranny of the words “up to.” A mobile, satellite or fixed broadband provider that markets or advertises speeds of “up to” 2,000Mbps is probably providing speeds closer to 940Mbps at peak times. Not too bad. In fact, the most recent FCC report on fixed broadband (in 2017) found that “for most ISPs, the actual speeds experienced by subscribers either nearly met or exceeded advertised service tier speeds.” The same report noted that there were still issues with respect to latency and packet loss, especially since user habits have changed and people are not simply browsing the web but also using videoconferencing and streaming services, which put greater strain on the internet backbone and delivery systems. But with mobile broadband, a lot depends on the technology deployed, the location, the geography and the weather. You will find that “up to” and actual speeds will vary. You may find that out more now that you are working from home.

The second bill signed by Trump requires the FCC to “develop and submit to the appropriate committees of Congress a strategy to ensure the security of 5th and future generations wireless communications systems and infrastructure within the United States” and to work with allies “to maximize the security of 5th and future generations wireless communications systems and infrastructure inside their countries” and “to protect the competitiveness of United States companies, privacy of United States consumers, and integrity and impartiality of standards-setting bodies and processes related to 5th and future generations wireless communications systems and infrastructure.”

The legislation recognizes the importance of current and future 5G deployment and the risks associated with having insecure or potentially compromised 5G infrastructure (hint, hint, a particular large Chinese telecom and 5G provider) and requires the FCC to conduct risk assessments that will identify “potential security threats and vulnerabilities to the infrastructure, equipment, systems, software, and virtualized networks that support 5th and future generations wireless communications systems, infrastructure, and enabling technologies.” The assessments are required to “include a comprehensive evaluation of the full range of threats to, and unique security challenges posed by, 5th and future generations wireless communications systems and infrastructure, as well as steps that public and private sector entities can take to mitigate those threats.”

The bill could more accurately be called the “No Huawei, China Mobile or ZTE Act of 2020.” Clearly, both Congress and the administration are concerned that these two Chinese telecom giants have installed, both in the United States and internationally, infrastructure that supports current and future 5G connectivity. Apart from mere xenophobia, there are legitimate (and illegitimate) security, competitiveness, privacy and self-interest concerns about foreign (and state-supported) industries having such a deep and integrated foothold in such a critical infrastructure in the U.S. In light of reports that the NSA sponsored a Swiss company, Crypto AG, to propagate cryptological products around the world that were designed to allow secret access by the U.S. government, governments are decidedly wary about deploying technologies for critical infrastructures that they do not control.

As the Senate report on the legislation noted, Congress has already barred federal agencies from procuring communications services from providers that have purchased equipment from Huawei and ZTE, and also limited the ability of the federal government to provide grants, loans and loan guarantees to providers that intend to use that money to purchase equipment from those same providers. The president issued an executive order prohibiting the use of certain foreign broadband technology, while the FCC prohibited the use of the USF funds (taxes on broadband access) to buy broadband goods or services from any provider identified as posing a national security risk to communications networks or the communications supply chain.

The new legislation continues that trend, mandating a comprehensive risk analysis prior to the introduction of new 5G hardware, software or services. While this may simply be a cover for a “buy American” trend, the Crypto AG model shows that governments and countries are right to be wary about deploying technology whose provenance they cannot be 100% sure of. That’s great when the U.S., UK and others are refusing to buy Chinese 5G telecom. It’s not so great when, with the same general concerns, India refuses to buy Cisco routers or Australia refuses to buy Android phones.

Commerce relies on trust. If every country distrusts products, goods or services provided by another country, then it becomes impossible to have commerce. When you invade that trust for one national purpose, you run the risk that you destroy that trust for other purposes. In their efforts to hunt down Osama Bin Laden, U.S. government agencies used Afghan doctors to run a fake hepatitis vaccine clinic in Abbottabad in an attempt to get familial DNA. Awesome. But as a result, the doctor who did the hepatitis tests was arrested by the Pakistani government and the distrust engendered has led to people refusing the vaccine and to other physicians being assaulted and killed because they are suspected of working as shills for the CIA.

That’s the law of unintended consequences. When we try to corrupt technology for our own short-term goals, we run the risk of destroying faith in technology generally. When we put a “back door” into a crypto product or a 5G network (or are suspected of doing so), we may ensure that nobody buys any products from the U.S. or China in the future. So you have to ask yourself one question: Do you feel lucky? Well, do ya, punk?

Mark Rasch

Security Boulevard

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law, and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.