IoT Security Bill Nears Passage as New Consortium Tackles Open 5G

A bill that would require certain internet-connected devices purchased by the government to include basic security features is closer to becoming law, Sen. Mark Warner, D-Va., said during the launch of a consortium that will be testing the open architecture for fifth-generation networking that U.S. policymakers are counting on to counter reliance on Chinese providers.

“I've got bipartisan legislation that I was hoping to be able to announce by today,” Warner said regarding the legislation, which he said would at least require the devices be patchable and avoid hard-coded passwords. “It’s passed the House. It’s close to passing the Senate, we're getting through a last run through.”

Warner spoke during an event hosted by the MITRE Corporation Tuesday to announce the Open Generation Consortium, which will test how issues like security will be affected by plans to diversify and integrate various components of 5G networks and move away from comprehensive kit suppliers like Chinese telecommunications giant Huawei.

Trusted Huawei alternatives Nokia and Ericsson are among the founding members of the consortium, even though they might have reason to be a little hesitant, as Warner pointed out.

“The existing system providers who work kind of in the classic soup-to-nuts system providing, both know they need to move towards [open radio access networks] but are also a little bit nervous about it because that breaks up their one-source delivery mechanism. So I think getting this right is going to be a challenge.”

But Warner said the approach to 5G security has to be more than “don’t buy from China,” and has authored legislation that would provide funds for the U.S. to start working on standards development for the open access technology with international allies and the private sector. 

Standards are one thing, but how these systems work in reality for specific applications could be more revealing. One set of devices in particular—drones—could play an integral role, not just in their end-use functions, but as components of the network. But they also could be targeted by attackers.

“The security aspect of drones is absolutely essential,” Monisha Ghosh, the Federal Communications Commission’s chief technology officer, said. “In my mind, there are two different classes of applications we should consider. One is the drone as a service in terms of package delivery. And the other is a drone as being part of the 5G infrastructure itself, so a drone as a temporary base station in emergency situations or to cover hotspots like stadiums.”

The known security issues presented by drones include their authentication, which Ghosh said is a big deal, and interference, where—especially in unlicensed parts of the spectrum—their command and control systems could be vulnerable to jamming attacks. 

Ghosh welcomed the new consortium, noting, “It is very hard to, I think, identify what all the security holes will be before you've actually started deploying and playing around with the systems. And this is where testbeds and collaboration and actually getting these things out there are so important.”

Regulation of drones generally falls to the Federal Aviation Administration. Some of the other government agencies involved include the National Science Foundation, which Ghosh said has established a platform for drone research, and the Commerce Department.

The Open Generation Consortium is planning a kick off meeting some time next month.