Is Huawei's equipment secure or not? Right now, the answer to that question depends largely on who you ask.
But the Telecommunications Industry Association (TIA) trade group hopes to provide a definitive, unbiased answer, one backed up with details and specifics – and one that everyone can agree on. To do so, the association is building a global standard and benchmarking tool that can measure the risks present in each vendor's supply chain in real time, with the goal of testing third-party certifications starting in the middle of 2021.
"I'm not interested in blackballing a particular company," explained Ken Koffman, TIA's CTO and the executive leading the security effort.
Instead, Koffman explained that TIA's goal is to determine whether a given vendor's equipment can be trusted. He said TIA's effort will center on a process-based system, meaning it won't certify specific products but instead focus on a company and its entire product-delivery process, ranging from where it obtains its components to how it assembles and sells finished products. And the decision on whether that process is secure would be made by trained third-party inspectors, similar to the United Nations' International Atomic Energy Agency (IAEA) inspectors charged with overseeing nuclear facilities stretching from Iran to Japan.
"Based on history, Huawei would not be able to conform to these [security] standards," Koffman added, explaining that TIA's security program would determine whether a company was receiving government funding or sharing information with outside parties.
But if Huawei changes those practices, "then I'm happy to have them."
Added Koffman: "Our interest is to say, 'This is how you can be trusted.'"
Koffman argued that he and TIA are uniquely positioned to address the security issue. For more than two decades Koffman worked with the QuEST Forum, which developed the TL-9000 quality-management system for telecommunications products. That effort essentially measures the quality and interoperability of telecom equipment for network operators. TIA merged with the QuEST Forum in 2017.
Koffman said some of TIA's members last year began to ask the association to apply its focus to the supply chain security issue. "Wouldn't it be nice if we had a single standard that comprised or oversaw all aspects of security?" TIA's members asked, according to Koffman. He added that the association is working to create a holistic process that would cover hardware, software and components – an increasingly important task given the global nature of the industry's supply chain and the wide range of devices and applications connecting to all areas of the network, from the core to the edge.
"People said, 'TIA, you are uniquely positioned to do this,'" Koffman added. "This is nothing new."
Koffman said the association began its work on the initiative at the start of this year by surveying similar efforts. He said TIA will borrow elements from work already done by agencies and associations ranging from the Department of Homeland Security's Supply Chain Risk Management (SCRM) Task Force for information and communications technology, to the National Institute of Standards and Technology (NIST), the US Commerce Department, the Cybersecurity Maturity Model Certification (CMMC), the recent Prague Proposals on 5G security and the European Network and Information Security Agency (ENISA).
"We are not terribly concerned about being the initial inventor of everything," Koffman said.
After that, the association turned to developing the structure for its security standard, which it is just now finishing. Koffman said he hopes to have the program available for review starting in the early part of 2021 in order to begin providing initial certifications by the third quarter of 2021.
And which companies are supporting TIA's efforts? AT&T and Verizon "are very active," Koffman said. Other companies involved range from Japan's NTT to BT, CommScope, Fujitsu, Spirent, Adtran and Nokia.
He added that TIA is also exploring ways to team up with other associations engaged in similar efforts. For example, the Alliance for Telecommunications Industry Solutions (ATIS) recently opened an investigation into how to enhance security for the 5G supply chain.
"We've talked with ATIS about trying to collaborate. Those discussions are ongoing," Koffman explained, adding that ATIS is leaning toward a self-assessment model whereas TIA is looking at a model that relies on third-party certifications.
But the benefits of a global, agreed-upon security standard are obvious. "Manufacturers, buyers and suppliers will benefit from the validation of the devices and components that they produce, purchase and supply via analysis against security benchmarks and third-party objective evaluations, reducing the cost of audits and compliance with unnecessary trade restrictions and regulations that can lead to increased prices, decreased competition, and stifled innovation and investment," TIA argued in a recent description of its planned program. "State, local and federal governments can rest assured that the products and services required for the deployment of new networks and technologies have been assessed for risk through standards and programs designed specifically for these complex systems, allowing them to focus their attention on threats that have a direct impact on national security and public health and safety."
Perhaps not surprisingly, the association is also working to get US policymakers on board.
"TIA strongly believes that this program can solve many of the concerns held by industry and the US government when it comes to exposing risks and vulnerabilities present in the ICT [information and communications technology] supply chain," the association wrote in recent comments to the Trump administration. "TIA would welcome the opportunity to continue working with US government stakeholders to ensure agencies' supply chain risk mitigation concerns are adequately met by our final standard and third-party certification regime."
How TIA's efforts might impact the US government's efforts to block China's Huawei both inside the US and internationally remains unclear. But it's likely that US and international telecom operators and vendors would be keen to put the issue into an industry trade association rather than into the hands of one country's government officials.