The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has released its proposal for securing 5G networks and industry will have a big part.

"CISA relies on its partnership with the private sector to understand and manage risks posed to 5G technology," the proposal said. "With the promise of connectivity between billions of Internet of Things (IoT) devices, it is critical that CISA and industry collaborate to identify vulnerabilities and ensure that cybersecurity is prioritized within the design and development of 5G technology."

The proposal is grouped into five strategic objectives (see graphic).

The bottom line of the proposal is that it will take collaboration. "[T]he nature of the risk environment precludes any single entity from managing risk entirely on its own," it said, while "the stakes for safeguarding the network against these vulnerabilities could not be higher "given the potential for various applications and reliance of the network for future infrastructure."

“5G technology represents a pivotal shift in the United States' and world’s digital infrastructure, and with that shift come critical security and policymaking considerations,” said John Miller, senior counsel and senior VP for policy at tech association ITI. “The tech industry appreciates CISA’s leadership in recognizing where it can play a unique role in 5G implementation while simultaneously acknowledging the need for government-wide coordination to ensure a trusted and resilient 5G ecosystem.”

The Trump Administration and Congress have already taken some steps to secure 5G networks and the supply chain, most notably by excluding tech from Chinese telecom suppliers ZTE and Huawei from government-subsidized broadband buildouts and government contracts.

Hugo Teufel has joined CenturyLink as its chief privacy officer. 

He will advise sales, IT and security teams on strategic privacy initiatives. Teufel reports to VP and deputy general counsel Ryan McManis and will be based in Denver. 

He was most recently chief privacy counsel at Raytheon, where he helped that company navigate the new privacy landscape of EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), which went into effect this year. 

Teufel's is the former chief privacy officer at the Department of Homeland Security, associate solicitor for the Department of the Interior, deputy solicitor general for the state of Colorado, and a one-time judge advocate in the Army National Guard. 

Teufel succeeds Linda Gardner, who exited the company in December 2019 to become associate general counsel, privacy and data protection, at Leggett & Platt, a Kansas City law firm.

With broadband the essential connective tissue in the shelter-in-place age of coronavirus, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has expanded the list of communications workers considered essential workforce. 

The list is not a federal directive, but is meant to give state and local officials guidance as they decide who must be allowed to go to work even as they try to keep as many people sheltered at home as possible to prevent spread of the virus.  

Related: ITI Urges Consistent Essential Worker Guildelines 

According to USTelecom, which applauded the expansion, the list now includes "supply chain and logistics personnel, retail customer service personnel, and personnel responsible for infrastructure construction and restoration." 

DHS released the advisory list March 19. That guidance was prompted by the President's March 16 statement that “if you work in a critical infrastructure industry, as defined by the Department of Homeland Security, such as healthcare services and pharmaceutical and food supply, you have a special responsibility to maintain your normal work schedule.” 

Related: Complete Coverage on How Coronavirus Is Impacting Communications 

“It is unprecedented the degree to which the nation is relying on its communications infrastructure for remote activities like telework, distance learning and telehealth. Americans are also counting on our sector to keep the lines of news, public safety, daily communication and entertainment open and running smoothly as we collectively cope with the COVID-19 pandemic," said Robert Mayer, USTelecom’s SVP for Cybersecurity and Innovation. He also chairs the Communications Sector Coordinating Council. “We’re up to this challenge, but our employees need freedom of movement and unique access to core business or customer locations to manage the health and security of our shared networks. Some functions can only be handled in-person.” 

Sen. Josh Hawley has announced that he plans to introduce legislation banning the TikTok app from all government devices.  

He called it a necessary step to protect the security of the country and the data security of its citizens.  

Currently the State Department, DHS and the TSA have all banned their employees from using the Chinese-backed short-form mobile video app on government devices, and even advised them to have their children uninstall it from their personal devices, Hawley said Wednesday.  

TikTok is a Chinese company that does business in the U.S.

Hawley announced the bill at a Hill hearing on China's threat to tech.

Early in the hearing, Hawley talked of China launching social media apps to the global consumer market, another issue in Hawley's wheelhouse, then singled out TikTok, which was invited to the hearing but declined to participate. 

Sen. Dick Durbin also chided Apple for not agreeing to testify, saying that Hawley should not take it personally since it was ten years ago that the company declined his invitation to come and talk about their "complicity in human rights violations in China, and sadly it has gotten worse since.

Hawley pointed out that TikTok was the most downloaded app of 2019 in the U.S., and said more teenagers are on the app than on Facebook. He said it is required by Chinese law to share user data with Beijing and admits it has sent user data to China. He called that a major security risk as it collects images and info about the messages its users send and sites that they visit and location data.  

As a father of young children, Hawley said he found that "absolutely horrifying." 

Sen. Sheldon Whitehouse (D-R.I.), ranking member of the Judiciary Crime and Terrorism Subcommittee said at the hearing that focusing on China--the hearing, called by Republican chairman Hawley (R-Mo.) was entitled "Dangerous Partners: Big Tech and Beijing"--missed a larger picture. 

"The problem is bigger than Beijing and broader than any one industry," he said in his opening statement. Whitehouse said there had been an onslaught of cyber crime that came from individuals, criminal syndicates and nation states, including Russia, Iran and North Korea. 

He said the government must look at the "full array of cyber threats" and figure out what more should be done.  

Whitehouse said the country needs to strengthen the NIST (National Institute of Standards and Technology) framework of voluntary best practices for the companies that build out and maintain critical infrastructure. He called that framework, announced in 2014, groundbreaking, but said "we still don't know if it is working." 

Whitehouse said the framework needed to be "stress-tested" and updated. He also called for the President to name a "discloser-in-chief" to declassify and share government cybersecurity info with states, the private sector and the public. "We can only defend ourselves against threats if we know they are out there," he said. 

Related: NIST Releases Privacy Framework 

He gave the Department of Homeland Security for trying to get more cyberattack information out faster.  

While Whitehouse wanted to look beyond China, Hawley began the questioning focused on  

China, saying the U.S. faced a major security threat from that country, to economic, military and cyber and personal data security.

Witness Clyde Wallace, deputy assistant director of the FBI's cyber division, echoed Hawley's concern. "While several nation-states pose a cyber threat to U.S. interests, no other country presents a broader and more comprehensive threat to our ideas, innovation, and economic security than the People’s Republic of China," Wallace said.  

Asked why the government agencies that had banned TikTok so far had done so, Wallace said TikTok was an application whose implications the average American did not understand in terms of what data could flow to a state-sponsored actor and its data warehouses. 

Witness Bryan Ware, assistant director for cybersecurity at the Department of Homeland Security added said that consumers trade their personal information pretty freely for  entertainment or convenience and said he wished "we were all more aware of what we were giving up when we did that." 

He agreed there was not place for TikTok, primarily an entertainment platform, on any government devices or networks. 

Whitehouse said there was a way for well-intention countries to surveil apps with malicious payloads, particularly ones that are becoming rapidly popular--like TikTok--and put warning labels on them so the public knows what the hazards are. He urged his witnesses to pursue that, which would require State buy. He said TikTok was an example of such a hazardous product that was unmarked by most people.

Fearing cyber attacks in the wake of the U.S. killing of Iranian General Qasem Soleimani, the Democratic chairs of the House Energy & Commerce Committee want to know what the FCC and Homeland Security are doing to defend against that prospect. 

In letters to FCC chair Ajit Pai and DHS acting Secretary Chad Wolf, House Energy & Commerce Committee chairman Frank Pallone (D-N.J.) and Communications Subcommittee chairman Mike Doyle (D-Pa.), asked for briefings, classified if necessary.  

They pointed out that Iranians have vowed revenge and have launched cyberattacks against U.S. businesses in the past in response to government actions. 

They want that briefing by Feb. 5.  

The FCC had no comment at press time on the letter. 

The Department of Homeland Security and Department of Justice have issued guidance to non-federal entities, including ISPs, on how to share cyber threat information under the Cybersecurity Information Sharing Act (CISA) of 2015.

The bill (now law), supported by cable operators and other ISPs, makes it easier for companies to share cyber threat information with government and vice versa, including providing liability protections from lawsuits if sensitive personal information was inadvertently shared. The sharing is voluntary, so the liability protection is a way to incentivize participation. It passed as a rider on the omnibus budget bill that passed in December.

The guidance includes examples of what qualifies as a "threat indicator" that can be shared, what types of information are protected and unlikely to be directly related to a security threat, what defensive measures can be taken, and what protections non-federal entities get.

Among the info that would be a threat indicator and could be shared are:

"A company could report that its web server log files show that a particular IP address has sent web traffic that appears to be testing whether the company’s content management system has not been updated to patch a recent vulnerability.

"A security researcher could report on her discovery of a technique that permits unauthorized access to an industrial control system."

"A software publisher could report a vulnerability it has discovered in its software.

"A managed security service company could report a pattern of domain name lookups that it believes correspond to malware infection."

"A manufacturer could report unexecuted malware found on its network.

"A researcher could report on the domain names or IP addresses associated with botnet command and control servers.

"An engineering company that suffers a computer intrusion could describe the types of engineering files that appear to

have been exfiltrated, as a way of warning other companies with similar assets.

"A newspaper suffering a distributed denial of service attack to its web site could report the IP addresses that are sending malicious traffic."

Acceptable defensive measures against attacks that can be shared could include:

"A computer program that identifies a pattern of malicious activity in web traffic flowing into an organization.

"A signature that could be loaded into a company’s intrusion detection system in order to detect a spear phishing campaign with particular characteristics.

"A firewall rule that disallows a type of malicious traffic from entering a network.

"An algorithm that can search through a cache of network traffic to discover anomalous patterns that may indicate malicious activity."

Among the information protected under other privacy rules that would not appear to be directly related to cyberthreats and thus not necessary to share include protected health information, human resource information, purchase or preference history or credit history, education history, financial information, property ownership, identifying information of children under 13.

Chris Feeney, president of the tech policy division of the Financial Services Roundtable (http://fsroundtable.org/members/), comprising banks, insurance companies and other financial institutions that backed the bill, called the advisory "a positive step toward enabling the private sector to identify and share cyber threat indicators with the federal government, which will help better protect consumers and our nation’s security."