U.S. Tech Trade Groups call for industry-led telecom security standards

A coalition of nine telecom industry trade groups have called on the U.S. government to avoid imposing new security standards on the sector. While acknowledging the growing number of security threats, they said the government should uphold the history of industry-led technical standards in order to best address the issue.

The letter to the secretaries of Homeland Security (Alejandro Mayorkas) and Department of Commerce (Gina Raimond0) was signed by the Telecom Industry Association (TIA), Competitive Carriers Association (CCA), Consumer Technology Association (CTA), CTIA, ITI, National Association of Broadcasters (NAB), NTCA, USTelecom, and Wireless Infrastructure Association (WIA).

“Of critical importance now is maintaining the United States’ longstanding commitment to industry-led technical standards and best practices to address cybersecurity, supply chain, and other global challenges. Such standards are a bedrock of federal trade, technology, and security policy, so it is imperative that your respective Departments champion them. The federal government should not attempt to create its own technical demands, nor should it try to supplant private sector leadership in standards bodies.”

“In the wake of recently revealed, widespread compromises through software vectors like SolarWinds, government and industry face a renewed call to arms to address threats from foreign adversaries. The government has a vital interest in preventing suppliers that pose a national security threat from exploiting U.S. networks or undermining critical functions. However, policymakers should reconsider which tools are best suited to address particular aspects of this challenge and which kinds of approaches will deliver optimal security outcomes. Some recent policies deserve special review.”

Global, Open Standards for Cybersecurity - IEEE SA

The coalition is urging the Biden Administration to refrain from attempting to create its own technical demands or trying to supplant private sector leadership in standards bodies. As the recently released Interim Final Rules that implement aspects of E.O. 13873 are refined, the Commerce Department has the opportunity to take a more effective approach to supply chain security by placing greater focus on industry-led best practices as they represent a proven and positive model for nations working to build a secure, resilient and innovative connected ecosystem.

They are concerned about the Commerce Department’s implementation of an executive order passed in May 2019 by the Trump administration. This laid the groundwork for banning U.S. companies from doing business with Chinese suppliers Huawei and ZTE. It gives the Commerce secretary broad discretion to prohibit working with certain foreign companies in the name of national security.

The industry groups said in the letter that they are keen to work with the new government on efforts to “enhance the security of the ICT ecosystem and maintain US private sector leadership in international standards development”. They underlined their existing record on setting industry standards and work already underway to improve supply chain security. For example, the TIA is developing a standard to verify supply-chain security compliance.

Blanket measures like the Trump executive order should be avoided and more tailored solutions developed to address specific problems, the groups said. “The federal government should not attempt to create its own technical demands, nor should it try to supplant private sector leadership in standards bodies,” the letter said.

Further review of the rules implementing the Trump order is expected to include more input from the industry. The letter called on the Commerce department to work with the Department of Homeland Security and the private sector-led ICT Supply Chain Risk Management Task force “to tailor intervention actions to where they are most necessary, and place greater focus on industry-led standards and best practices that provide a positive model for nations working to build a secure, resilient, and innovative connected ecosystem now and in the future”.

The statement comes as several European countries have approved or are considering laws allowing greater controls on the telecom networks supply chain. The legislation is based on recommendations from the European Commission, which proposed in early 2020 a ‘tool box‘ to help ensure 5G networks are protected from potential security threats. The EU’s cybersecurity agency Enisa started last month at the Commission’s request developing a certification scheme, specifically for 5G equipment.