For nearly the past four years, the Trump Administration has purported to treat 5G supply chain security through empty political gestures such as network equipment banning. The disinformation reached its absurd zenith subsequent to the election with the Q-Anon myth of the Kraken. (The Myth advanced by Trump attorneys asserted the long-deceased Hugo Chavez working with China was corrupting voting machine software to deprive Trump of another term.)

This inanity also resulted in the U.S. government largely refusing to participate and impeding the engagement of U.S. companies in major global industry activities over the past four years to develop and implement multiple 5G and virtualisation supply chain standards and certification methods. Indeed, these activities have also become ever more open, transparent, with due process and consensus-based—notwithstanding Congressional unfounded assertions otherwise. The result has left the nation embarrassed and damaged American integrity internationally while costing billions of dollars in unneeded equipment replacement bereft of any actual supply chain security requirements.

The good news is that the international work over the past few weeks demonstrates the continuing healthy evolution of the global 5G virtualisation supply chain security work items at the 3GPP SA Plenary among the hundreds of participating parties, together with future strategy work occurring in the ETSI NFV SEC development body.

An Update on Current 5G Virtualisation Supply Chain Security Work

It is network architecture and service virtualisation that is the revolutionary and most significant aspect of 5G. A comprehensive array of 5G supply chain security work was initiated in 2015 that was suggested by the National Security Common Criteria Community and ensued through innovative work in the principal responsible bodies—a combination of NFV SEC, 3GPP, and GSMA. (NFV SEC is one of the eight NFV Industry Specification Groups within ETSI and comprised of 122 companies worldwide.) The 5G supply chain security work took the form of open consensus virtualisation security assurance standards developed initially in NFV SEC and migrated to 3GPP—engaging multiple industry and government participants with the implementation and certification occurring through GSM Association oversight bodies and requirements.

In NFV SEC, the work proceeded as NFV (Network Functions Virtualisation) Security. In 3GPP and GSMA, the work proceeded under the acronyms SCAS (Security Assurance Specifications) and SECAM (Security Assurance Methodology), under the aegis of NESAS (Network Equipment Security Assurance Scheme). Several U.S. government agency branches have been cognizant, and OTD participated actively in a segment of the work. The FCC and most other U.S. government agencies steadfastly ignored the work and never participated. Indeed, the Commission’s most recent supply chain order embarrassingly fails to even recognize the existence of five years of global supply chain security work within the industry’s principal bodies.

The recent quarterly 3GPP SA#90 plenary was an opportunity to review the progress of all the 5G virtualisation security work items in the security group SA3. There are currently eight SCAS work items that cover the key components of the 5G virtualisation ecosystem, including innovative capabilities such as “virtualized network products” and a set of five enhanced building blocks that includes network slice authentication and authorization, and service communication proxies. The work is supported by 18 different vendors and service providers from Asia and Europe, including one from the U.S. All work is slated for finalization in 2021 as part of the 5G Rel. 17 ensemble.

The recent NFV SEC #178 meeting continued to shepherd 5G supply chain security work across multiple other bodies, treated both the above SA3 progress on NFV Infrastructure security assurance and testing, as well as an overview of the threat landscape from one of the leading European national security agencies.

Needed Remediation by the Biden Administration

As the American Electoral College formally cast its votes today to remove Trump from office in 37 days, the new Biden Administration should focus on establishing a Restoring American International Engagement initiative consisting of two prongs. First is to reinstate American commitment to the international telecommunication and trade treaty agreements and activities which the U.S. helped put in place and ratified. Second is to marshal American Federal and industry resources and leadership to engage in the venues and perfect the ongoing international 5G virtualisation supply chain security initiatives. These actions can then be followed by a knowledgeable imposition of fact-based network supply chain security requirements and processes rather than Kracken myths.

Today, the 5G global security bodies are open, transparent and consensus-based public-private venues where technically definitive work on 5G virtualisation supply chain security occurs. America has the participatory resources where the relevant U.S. government agencies such as NSA and OTD can and should be actively engaged with its counterparts, and where American companies and security organizations should be strongly supported to contribute and review the work—as the nation once did decades ago. Restoring American international engagement here is easily achievable and should be a priority for the new Administration.