A Defense Department official said DOD’s 5G prototyping is also examining the benefits of hardware and software bills of materials to scrutinize the supply chain.
The Defense Department and the National Telecommunications and Information Administration partnered on a challenge to validate the technology behind the government’s main strategy to compete with China on fifth-generation networks, according to an official.
The government is betting big on open radio access network, or O-RAN, technology, which would use software to allow different components of 5G networks to work together. Such software would create an alternative to the hardware-based proprietary models that tie operators to only four “kit” providers—two of which are Chinese equipment providers Huawei and ZTE.
DOD and NTIA will be using their 5G testbeds to check whether they can establish “a complete 5G protocol stack” from disparate components that is mature, stable and interoperable, said Joseph Evans, principal director for 5G in the office of the director of Defense for research and engineering.
Evans headlined a virtual event Billington CyberSecurity hosted Thursday on securing 5G.
“We want to be able to take pieces of systems from different vendors and make them interoperable along these interfaces,” he said. “If those challenges are successful, it could lead to more requirements for open architectures and implementations and maybe just as importantly, form the foundation for what would be, you know, the next G.” He noted the importance of the challenge to DOD, not just for improving vendor diversity for security, but also for giving the department greater ability to customize its systems going forward.
Bryan Ware, former assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency and now CEO of the tech firm Next5, touted the greater transparency that he said will be inherent in cloud-heavy, software-based 5G networks. This will be very different from the closed proprietary systems, he said.
“I will say that sometimes adversaries have similar advantages to the good guys and defenders when there is open-source software and when there's ubiquitous systems in the sense that they get to understand how they're built, and they get to understand what they're built out of. They get to see that code,” he said. “So, so the transparency is a bit of a double-edged sword, but as a general rule, there are a lot more of the good guys and the guys trying to build good software than there are the bad guys that are trying to do malicious things and so you know, I think it's generally better.”
But Evans differentiated between open-source software and the open interfaces the DOD wants to be part of 5G.
“What we really mean by open 5G,” he said, has to do with “well-defined interfaces, not necessarily open source. Open source is fine but, you know, we believe that the marketplace should make that decision, not us.”
DOD is nonetheless trying to achieve more 5G software transparency and is incorporating the use of a software bill of materials, or SBOM, a practice the NTIA has been working to standardize over the last three years and which will eventually be required of all federal agencies under Executive Order 14028.
“We're working closely with our colleagues in DOD [Office of the Chief Information Officer] and other government agencies to implement supply chain risk management principles starting in our testbeds,” Evans said. “As we deploy at the DOD sites, we're reviewing the entire supply chain for our prototype networks, entire bills of materials, hardware and software, so that we understand the provenance of all the hardware and software for each system at the site. This is kind of a great opportunity … We have these approaches. We have these processes laid out. Let's actually try them at these prototype sites and learn, enhance those processes, where necessary.”
Evans added that, understanding the necessity to operate overseas over untrusted networks, DOD will soon be starting “major efforts on analyzing the vulnerabilities, assessing risk and developing, you know, security safeguards and mitigations.”