Evidence of meeting #125 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Scott Jones  Deputy Chief, Information Technology Security, Communications Security Establishment
Rajiv Gupta  Director, Standards Architecture and Risk Mitigation, Communications Security Establishment
Jim Eglinski  Yellowhead, CPC

5:30 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

Thank you, Chair. I appreciate the indulgence.

There is an issue that I was kind of kicking myself for not raising with you earlier, which was just this Five Eyes communiqué that came out recently concerning the issue of backdoor encryption and lawful access. The privacy advocates are concerned with the wording of that communiqué. I was just wondering if your organization works with the private sector on any of the issues, just going back even to Mr. Eglinski's line of questioning about catching criminals and such. Is there any work being done that would undermine encryption through a back door or get us into the lawful access debate that we have had in the past?

5:30 p.m.

Deputy Chief, Information Technology Security, Communications Security Establishment

Scott Jones

We actually have a program called the cryptographic module validation program, which we use to actually strengthen encryption and make sure it is done properly. That's something that we work with the commercial sector on in terms of making sure that the products we use in government but also the products that are available to all of us are secure and implemented properly.

One of the debates is about how law enforcement does its job in the modern world of communications, with encryption and computers becoming powerful enough now to actually do encryption. It was hard before. It was slow. What tools does law enforcement need? I think that's a policy question that's actually probably best left in your hands, in terms of how to address the need.

5:30 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

I'm sure.

I don't want to have you answer for someone else's comment, but the spokesperson for Minister Goodale refers to decrypted data, access to decrypted data. For you as a specialist, what does “access to decrypted data” mean?

5:30 p.m.

Deputy Chief, Information Technology Security, Communications Security Establishment

Scott Jones

I think if you're looking at it from the provider's point of view, there are some providers that are able to get to that data, so how do you provide that access, under what lawful authorities, etc.? You can ask, because it's not encrypted when it's, for example, on a vendor's server. It's things like that and how you get access to the data. It's a difficult challenge, especially when the encryption is on the communication between you and me versus when it goes to some central point where it's stored. It really depends on the circumstances.

5:30 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

My understanding is that telecommunication providers, as we saw even with Apple with the iPhone in San Bernardino, have been reluctant to hand over any kind of access. What would be the solutions, then? If the Five Eyes public safety ministers are saying that they need to more easily gain access and those companies have been reluctant, would that involve convincing them in any way?

5:35 p.m.

Deputy Chief, Information Technology Security, Communications Security Establishment

Scott Jones

I'm not sure what actually would be the method for that. I think there are a few different things, depending on the technology you're implementing. Sometimes it would be that the provider can provide the information, or they can design it. In a lot of cases they're designing it so that they don't actually see the data that traverses the network, and they're making explicit design choices. How you would address it depends on what you're actually trying to solve there. It could be technologically complex in some cases and it could be really easy for lawful access types of things.

5:35 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

Thank you.

5:35 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Mr. Dubé.

I have two questions. First, aren't you effectively creating a dependency between the private sector and the public sector through CSE or through this cyber centre? Over time, and maybe actually a short period of time, this will be a permanent dependency. This will be the new way that business gets done and that security gets analyzed.

5:35 p.m.

Deputy Chief, Information Technology Security, Communications Security Establishment

Scott Jones

I think that's absolutely the case. We rely on private infrastructure that runs our critical infrastructure, which is built in the commercial space. Pretty much gone are the days of government-produced equipment. We can't keep up with the rapid innovation pace that the private sector is able to bring to bear. That's one of the biggest challenges in the cybersecurity sector right now. Innovation is outpacing security. How do we build the relationships so that we can work together? That's the only way to effectively start to deal with it.

5:35 p.m.

Liberal

The Chair Liberal John McKay

You're in effect baking in an interdependency. It's going to be there for the foreseeable future.

5:35 p.m.

Deputy Chief, Information Technology Security, Communications Security Establishment

Scott Jones

I can't see doing this without collaborating with the private sector.

5:35 p.m.

Liberal

The Chair Liberal John McKay

We haven't talked at all about the role of academia. This of course has come up with Huawei again. They are fairly involved in 5G and probably other technologies that we're not even aware of. You said that you do a risk-based analysis as to where you intervene and where you don't. Frankly, that strikes me as the horse being out of the barn, and then you figure out whether this is a serious horse and whether it's a runner.

Huawei is involved in the creation of this 5G network, which will be the platform for everything. Is that within your mandate? If it's not, should it be?

5:35 p.m.

Deputy Chief, Information Technology Security, Communications Security Establishment

Scott Jones

When we're talking specifically about 5G, meaning fifth-generation telecommunications networks, the best security outcome for anything related to 5G is really an environment with multiple vendors where you're able to put security protocols or security appliances in at different layers. That's supported by a multi-vendor approach. The international standards organizations are setting some of the emerging elements of 5G. Of course, 5G doesn't really exist yet. There are some prototypes and things like that. How do we start to bake these things in through some cybersecurity pieces?

I think the biggest thing for us is that you don't want one vendor and only one vendor. That makes you vulnerable across your entire spectrum and across all of your telecommunications companies to the exact same vulnerability. You want to build in different vendors. You want different vendors at different layers. That bakes in a large amount of security just because you can't easily traverse up and down the so-called telecommunications stack. That's one of the key elements for 5G.

Did you want to expand on it, Rajiv?

5:35 p.m.

Director, Standards Architecture and Risk Mitigation, Communications Security Establishment

Rajiv Gupta

That's pretty much it.

We're looking for heterogeneous networks. It's always very important from a business continuity perspective as well—building the controls in, understanding what technologies are coming down the road. We're always working with all of the vendors.

You talked about a horse before it's out of the gate. We're looking down the road to see what's coming in 5G so that we can put the appropriate mitigations in now, before the telcos start deploying their networks. It's very important for us to understand these technologies and then provide that advice and guidance early on so that the risks are mitigated early on in the process, before they are deployed.

5:35 p.m.

Liberal

The Chair Liberal John McKay

On behalf of the committee, I thank you both.

This is incredibly complex. You've certainly given us a lot of food for thought.

Again, thank you for coming before the committee, and thank you for your thoughtfulness.

With that, the meeting is adjourned.