Cipher Brief Expert and former Senior Director for Cyber Operations at the National Security Council, Thomas Donahue, provides critical perspective on the strategy needed to protect the sovereignty of the U.S. telecommunications backbone.
The U.S. Government - by blocking the sale of U.S. high technology firms to foreign companies for national security reasons and through trade sanctions that cite unfair trade practices - seeks to create time and space for U.S. industry to innovate and be competitive in global markets including those for information technology. While arguably necessary, these actions will not be sufficient to overcome a U.S. deficit in the marketplace for high-end telecommunications integration. Overcoming this deficit will be essential not only to U.S. economic prosperity but also to national security, which depends on telecommunication to serve as the "nervous system" for controlling critical infrastructure and military defensive systems.
The United States continues to be a source of innovation for network components at the internet routing layer; however, the major telecommunications integration capabilities at the switching and physical layers in North America over the past two decades largely disappeared in bankruptcy or were absorbed into foreign firms as the North American firms failed to keep up with new technologies or compensate for Internet-driven commoditization and declining prices. In addition, telecommunications networks remain in flux in an extended transition from old architectures to a blend of old and new systems that vary by carrier and geography resulting in varying degrees of capability and security across the national infrastructure.
China over the same time period has developed indigenous capabilities and significant international market share, first in the developing world and now increasingly within western democracies. At first, Chinese companies were dismissed as unable to provide sophisticated automated services that would satisfy the needs of western customers or do more than copy outdated western technology. Through the combination of persistent effort in technology appropriation efforts publicly criticized by U.S. Government officials, however, Chinese companies are now poised to be top system-level and component providers for new wireless 5G networks that will increasingly represent the "last mile" for consumers of broadband services. Increasing capabilities in space launches and satellites may position China to leap ahead as well in the next generation of telecommunications (6G), which will include efforts to integrate terrestrial and space-based network elements.
Aside from the economic aspects of this Chinese ascendancy, the United States also should be concerned about the long-term security implications of an increasingly foreign, unverifiable supply chain for the nation's telecommunications infrastructure. Indeed, a mirrored concern with supply chains was undoubtedly a significant driver for China's original investment in telecommunications.
A narrow technical effort to secure networks lacking trusted points of origin, distribution, and integration will fail because mitigating the supply chain threat goes well beyond detecting the presence of malicious activity in individual components. The design and integration of the overall network offers more robust and stealthy opportunities to build in seemingly benign "features" that only become malicious when used in combination with targeted updates that, as part of an integrated whole, are less likely to be flagged as problematic by inspection and testing regimes. While the theft of information could be enabled by a supply-chain induced vulnerability through traffic analysis and redirection and geolocation of individuals in sensitive facilities (not to mention direct theft of unencrypted data), the primary concern should be continuity of operations and resilience against efforts to disrupt national communications during a crisis.
In a sense, the United States now finds itself in a similar place as China was 20 years ago albeit with a stronger cultural base of innovation. The United States must somehow reestablish indigenous capabilities to be used at least for the most critical national security purposes and for other critical infrastructure. To make this venture affordable, however, U.S. companies would need to leverage and scale new capabilities to re-establish a strong position in domestic and international markets. Continuous re-investment would be needed to preserve any recovered market share.
Telecommunications integration, however, occurs in the relatively narrow market of the telecommunications carriers rather than a broad-based consumer market, suggesting that some form of government involvement might be needed to seed a new industrial base. This seeding might seek new manufacturing methods as well as new architectures and more sophisticated components and services. Short-term strategies that only pile on new applications will not regenerate the fundamentals of the nation's backbone networks. The U.S. Government, in the past, invested in the base technologies and manufacturing methods of the semi-conductor (see lessons learned from Sematech), battery, solar energy, and aerospace industries, not to mention router and other technologies that led to the development of the network originally designed for resilience against nuclear attacks, the Internet.
Focused innovation will be important but insufficient to overcome the momentum of legacy technologies and architectures now dominated by foreign companies. The U.S. aerospace industry provides a useful case study for government seeding. The manufacturing and composite material technology now used in modern civilian aircraft were first developed decades ago for U.S. military aircraft.
A similar acquisition approach by the U.S. government could assist trusted U.S. industry partners acting as a consortium to deliver integrated telecommunications capabilities with performance and security embedded within new architectures for U.S. Government national security networks and civilian critical infrastructure applications (especially industrial control systems) and ultimately for most U.S. telecommunications backbone networks.
New architectures would need to interface with existing systems to allow for incremental adoption to spread costs over time, allow for real-world testing, and enable more rapid deployment of at least islands of secure and resilient capabilities for the most critical applications such as military command and control. However, this interface to legacy networks must not allow new systems to be undermined by the weaknesses of legacy systems.
U.S. innovation at the component level remains strong and could feed into such a system approach to help deliver a much faster result than occurred in aerospace. Speed will be of the essence but, even so, a sustained longer-term perspective will be required, measured in years and even decades, as it was for the Internet. The U.S. Government would need to inject a national security component into the acquisition strategy - perhaps centered around hardware-based integrated technologies for encryption, authentication, and identity management - to ensure that industrial partners retain an inherent advantage in competition for U.S. Government contracts.
This national security approach would also be essential to mitigating concerns that could be raised under international trade agreements. National security approaches, with funding from the U.S. Government, could also provide additional security for key technologies, as has been done for key military programs, to retain technical advantage at least through development and initial deployments.
Finally, the U.S. Government would need to ensure that the partnerships, technologies, and capabilities feed into a broader commercial approach that could be sustained over the long term. Any government effort will meet resistance from many quarters if the government seeks to work in isolation. Industry has already reacted negatively to reports of the U.S. Government considering options to build a "secure 5G network". Partnerships with industry would need to include the major U.S. telecommunications carriers who do the final assembly and integration and then operate the most critical backbone networks, as well as the system manufacturers.
The United States also should consider the benefits of including key national security partners, certainly the Five Eyes, but also other western-oriented democracies with strong technical capabilities such as the Germans, the French and the Japanese. This would also help spread the costs and open markets for the new systems in trusted environments and provide the critical mass needed to push through improvements in international standards.
National security and the economy require that this 'backbone of democracy' be trusted and resilient. We will not succeed unless government and industry come together and reset our course. While the United States retains fundamental advantages in its broad culture of innovation and individual initiative, regaining ground in a lost industrial sector needed for a national level infrastructure will require leadership from the U.S. Government along with sustained focus and resources. In this regard, we may have something to learn from China.
This article initially appeared in Military Cyber Affairs (MCA) and is copyright of Military Cyber Affairs © 2019. The original article can be found here: https://scholarcommons.usf.edu/mca/vol3/iss2/4/
Military Cyber Affairs (MCA) is a peer-reviewed professional journal published by the Military Cyber Professionals Association.
Read more from Cipher Brief Expert Thomas Donahue in The Cipher Brief.
