Working Group 6: Secure Hardware and Software – Security by Design

Status UpdateSeptember 21, 2015

Joel Molinoff, Co-Chair (CBS)Brian Scarpelli, Co-Chair (Telecommunications Industry Association)

2

WG 6 Objectives• Develop voluntary recommendations and best

practices to enhance the security of hardware and software in the core public communications network

• Develop voluntary mechanisms to demonstrate success of recommendations/best practices

3

WG 6 Deliverables

• March 2016 – Security best practices recommendations

• September 2016 – Recommend voluntary attestation framework

4

WG 6 Members

* Also a CSRIC member

FN LN OrgJoel Molinoff CBS* (WG 6 co-chair)Brian Scarpelli TIA* (WG 6 co-chair)Peter Allor IBMJon Amis DellJames Bean Juniper NetworksKevin Beaudry Charter*Al Bolivar Verisign*Jon Boyens NISTChris Boyer AT&T*Jamie Brown CA TechnologiesRob Covolo CenturyLink*Brian Daly AT&T (ATIS)*Mike Geller Cisco (ATIS)*Alex Gerdenitsch EchoStar*Steve Goeringer Cable LabsKazu Gomi NTT AmericaStacy Hartman CenturyLink*Franck Journoud OracleMasato Kimura NTT AmericaDarren Kress T-Mobile*Ethan Lucarelli Iridium* (Wiley Rein)

FN LN OrgJennifer Manner Echostar*Gabriel Martinez DHSRobert Mayer US Telecom Association*Heath McGinnis Verizon*Eli Dourado Mercatus Center (GMU)Angela McKay MicrosoftTomofumi Okubo Verisign*Richard Perlotto Shadow ServerJeff Greene SymantecGlen Pirrotta Comcast Cable*Kallol Ray Comcast Cable*Chris Roosenraad TWC*Michelle Rosenthal T-Mobile*Peter Ruffo ZTE USADorothy Spears-Dean NASNA*Matt Tooley NCTA*Rao Vasireddy Alcatel-Lucent (TIA)*Joe Viens TWC*Eric Wenger CiscoShinichi Yokohama NTT America

FN LN OrgSteven McKinnon FCC liaisonEmily Talaga FCC liaison

5

Background• Recognizing the advantages of building security in to

hardware and software (rather than retrofitting), FCC has urged industry to examine security by design practices for core network equipment– Examined by FCC Technological Advisory Council (TAC) in

2014

• CSRIC IV’s WG 4 Final Report, Cybersecurity Risk Management and Best Practices, provides baseline/model for approach

6

• WG 6 held a kickoff conference call on 9/16/15• Roster reflects a healthy and diverse stakeholder

community invested and interested in hardware/software security by design• WG 6 has agreed to a three-phased approach to the

development of WG 6 deliverables–WG 6 has formed a subgroup to address objectives, scope

and methodology for 1st deliverable

WG6 Status

7

WG 6 Schedule

PHASE 1: Define Objectives, Scope, & MethodologyPHASE 2: Analysis & Determine Findings

PHASE 3: Conclusions & Recommendations

: Deliverable Adopted by Full CSRIC 5

8

Next Steps• Build/finalize WG 6 membership • Continue to develop a work plan to accomplish the

CSRIC V charge, taking advantage of WG 6 members’ subject matter expertise• Seek WG 6 volunteers to lead aspects of the work

plan• Continue bi-weekly conference calls • Provide periodic status updates to Steering

Committee and Council