The headlines are filled with stories about inflation, recession and stock market volatility. At a time when cost matters, additional focus is needed to evaluate the effect of something as important as regulation of the information and communications technology sector.
We published a report at Darkhorse Global aimed at helping policymakers evaluate the costs of over- and underregulating ICT, especially telecom.
Based on interviews with two dozen experts in the U.S., EU and China, the report intends to help guide legislative and regulatory decisions that could affect the deployment of advanced technology in the U.S., as well as America's ability to collaborate across borders and produce innovative new technologies.
Let's look at why changing the government's approach to the ICT sector is so important.
Balancing risk and innovation
While the telecom ecosystem connects most of the world, it can also exacerbate national security or cybersecurity risks. Ecosystem regulation must strike a balance: Too little creates risk, but too much can shrink the supply of available products and competitive vendors, causing businesses to pay higher prices for technology and hindering innovation by creating a market with little competition.
Although most countries have concluded that the benefits of an ICT ecosystem outweigh its risks, some governments have moved toward a protectionist posture, sometimes known as security nationalism. A better course would be to seek ways to compete and cooperate with other countries -- an approach that is more likely to ensure the security, reliability, resilience and cost-effectiveness of the telecom infrastructure.
The telecom ecosystem faces challenges, however. Vulnerabilities exist in all networks, hardware and software. Also, it's easy to conflate national security issues with concerns about economic competitiveness. Plus, the capabilities of manufacturers and carriers, which are often used as the basis for establishing risk, are common and required by regulation.
These problems are insoluble, so their solutions are imperfect. Still, imperfect solutions can help manage difficult problems in a more practical way than blunt measures that do little to resolve issues of national security or economic advancement.
What's the answer for the ICT sector?
To solve the problem, we need to create objective security standards, evaluate all telecom equipment vendors according to those standards and then make the results of the evaluation available to the public. Several such standards already exist, including the NIST Cybersecurity Framework.
A single set of standards, unfortunately, can't address the full range of technical risks that exist across the telecom ecosystem. An overlay of multiple standards that evaluates the full lifecycle of network equipment, from software development to the supply chain to post-deployment maintenance, is therefore required.
Specific standards and enhanced regulatory scrutiny are often only applied to a subset of equipment vendors based on their country of origin. A better approach would be to test all critical network gear using consistent, uniform standards.
A second, related option would be to implement technical risk assessments and risk mitigation consistently across vendors. As with standards, good models for mitigating telecom-related national security risks already exist. The Foreign Investment Risk Review Modernization Act, for example, modernized and strengthened the Committee on Foreign Investment in the U.S., a government body that reviews foreign investments in U.S. companies. The Federal Communications Commission (FCC) also standardized its review process to include national security, foreign policy and trade policy issues.
Using these and other existing measures as a framework, we can expand technical risk mitigation to address software and supply chain security threats in the telecom industry.
Other models can also be used to assess and mitigate risk. Security by design, for example, incorporates security features into software throughout the development process, rather than at the end. It also includes regular testing of maintenance procedures to ensure no malicious functionality is inserted into the software.
Trusted delivery is another model to consider. Its mechanisms rely on third-party reviews of hardware, software and firmware. Trusted delivery platforms can prevent vendors from delivering software updates directly to wireless carriers, instead routing them through an independent entity, among other things.
A third option is for the U.S. to participate more actively in standards-setting bodies. International standards help ensure the interoperability and security of products used in 5G networks, AI, driverless cars and other emerging technologies. The U.S. government and private experts should take a bigger role in shaping policies formulated in the world's telecom standards-setting organizations.
The U.S. and other governments must also ask whether the focus on China and Chinese companies establishes a flawed standards framework that fails to fully identify and address cybersecurity risk in the telecom industry.
Tom Wheeler, former chairman of the FCC, and David Simpson, former chief of the FCC's Public Safety and Homeland Security Bureau, noted in a joint essay that "the hyperbolic rhetoric surrounding the Chinese equipment issues is drowning out what should be a strong national focus on the full breadth of cybersecurity risk factors facing 5G."
Decouple or die?
One course of action that has become popular among lawmakers is to call for a decoupling between tech platforms and the supply chains of China and those of the U.S. and its allies.
Advances in technology and global trade, however, have created an irrevocably interconnected ecosystem for telecom. Despite talk of tech decoupling in areas such as semiconductors and telecom, a 100% decoupling seems unlikely, if not impossible.
To be sure, if matters of national security are at stake, there should be no room for negotiation. Matters of trade and economic policy, on the other hand, are frequently negotiable. Achieving a posture of sustained cyber-readiness requires we move beyond the traditional approach of risk-seeking assessments. We must consider both risks and benefits instead and then weigh them against the costs of government intervention or inaction.
Risk standards and technical mitigation frameworks should be applied consistently across the ecosystem. Making critical networks more secure requires a framework that provides for objective standards that can be independently evaluated.
Regulators and policymakers should review the facts objectively, without conflating matters of national security with those of economic competitiveness and industrial policy. Only then will it be possible to reestablish trust in the equipment deployed in telecom and other ICT networks.
Problems require solutions. To achieve security, reliability, resilience and cost-effectiveness in telecom infrastructure, we need to start working toward those solutions.
About the author
John Lash is founder and CEO of Darkhorse Global, a geo-economic and national security consultancy. His work focuses on compliance strategy, M&A, and performance transformation across a variety of high-tech and advanced industrial subsectors, including semiconductors, telecom and renewable energy. Lash has a doctorate of philosophy from Robert Morris University.