FEDERAL COMMUNICATIONS COMMISSION WASHINGTON OFFICE OF THE CHAIRMAN January 3, 2020 The Honorable Ron Wyden United States Senate 221 Dfrksen Senate Office Building Washington, DC 20510 Dear Senator Wyden: Thank you for your letter regarding the security of 5G wireless networks. For my part, I have frequently discussed my support for addressing 5G security issues upfront. Making the right choices before deployment is much easier than trying to correct mistakes once network construction and operation is well underway. 5G security decisions must be made with the long- term in mind and in coordination with our international partners (where possible). Last May, more than 140 representatives from 32 countries came together to develop the Prague Proposals, a consensus approach for protecting next-generation networks. As acknowledged in the Proposals, there are no universal solutions to security. Rather,  {t]hedecision on the most optimal path forward when setting the proper measures to increase security should reflect unique social and legal frameworks, economy, privacy, technological self-sufficiency and other relevant factors important for each nation. 2 In 2019, the FCC tasked the Communications Security, Reliability, and Interoperability Council (C$RIC), a Federal Advisory Committee designed to promote the security, reliability, and resiliency of theNation s communications systems, with identifying the optional features in proposed 3GPP standards that, if not implemented, can diminish the effectiveness of 5G security. The CSRIC was further asked to recommend ways to address these gaps. This work is ongoing, with recommendations due by March 2021. The group is well represented by experts in this area, which should make their recommendations more likely to be implemented. Notably, the FCC historically has adopted flexible-use policies for spectrum bands. The FCC does not mandate a particular technology or air interface that licensees must deploy on a particular spectrum band. Rather, the FCC adopts minimal technical and operating rules to protect against harmful interference to co-channel and adjacent-channel operations in the band. Licensees, through standards-setting bodies like 3GPP, develop standards and protocols for mobile wireless network technologies such as 4G LTh and 5G.  See, e.g., Remarksof ChairmanAjit Paiatthe Prague 5G Security Conference2 (May 2,2019), https://docs.fcc.gov/public/attachments/DOC-3 57288A1.ydf. 2 https://www.vlada .cz/en/media-centmmlaktualne/praEue-5 g-security-conference-announced-series ofrecommendations-the-yrague-pronosals-1 73422/. Page 2 The Honorable Ron Wyden End-to-end encryption of voice calls and text messages raises a number of important legal, economic, privacy, technological and other considerations that must be taken into account. The need to deploy this technology is likely to vary depending on the circumstances, such as the type of customer, the subject matter of the communication, the locations of the communicating parties, and other considerations. End users are usually in best positioned to make risk-based determinations as to whether or not end-to-end encryption is needed. In addition, mobile wireless carriers must be able to continue to meet theft obligations under the Communications Assistance for Law Enforcement Act. Today, there are several applications available to consumers that encrypt voice calls and messages.3 In addition, both AT&T and Verizon currently offer encryption services for enterprise and government customers according to publicly available information. AT&T s Encrypted Mobile Voice service  provides mobility customers with end to end security features for confidential and sensitive calls. 4 Verizon s Cypher encryption software offers end-to-end encryption for commercial smartphones.5 Verizon previously has stated that  [t]he evolution toward a fully-realized 5G environment will bring even stronger security more encryption, more defense at the edge, and greater potential for creating secure enclaves or  slices. Verizon also has stated that it  intend[s] to leverage all of these tools as the network develops. 6 These carriers and T-Mobile appear to compete with one another to differentiate themselves on the security of their mobile wireless service offerings at least to certain customer segments that may find particular value in these services. While the Commission has not taken a formal stance on the use of encryption, the issue has been addressed in the context of advisory committees. In 2009, FCC tasked the CSRIC to recommend best practices that encourage communications service providers to secure their networks. In March 2011, CSRIC recommended that the Conmiission encourage communications service providers to incorporate standards-based encryption services on theft networks. CSRIC recommended that communications service providers  incorporate cellular voice encryption services and ensure that such encryption services are enabled for end users and  encourage the use of IPsec VPN, wireless TLS, or other end-to-end encryption services over the cellular/wireless network. While the Commission does not track service provider implementation of CSRIC best practices, they were developed and recommended by practitioners, which increases the likelihood that they will be implemented by communications providers. The Commission makes CSRIC best practices available to the public through a Commission-hosted database, which is available at https://opendata.fcc.gov/Public Safety/C$RIC-B est-Practices/gb45-rw2t/data. Andy Greenberg, How to EnciyptAll of the Things, Wired (Dec. 9,2017), https://www.wired.com/storv/encrvpt all-of-the-things! (noting that  [tJhanks in part to drop-dead simple, increasingly widespread encryption apps like Signal, anyone with a vested interest in keeping their communications away from pryingeyes has no shortage of options. ). https://www.wjreless.att.com/businesscenter/en US/pdf/terms-and-eondftions-PB-EMV-20788-V05-1 0-13-10.pdf. 5 httns://enteipnse.verizon.com/resources!articles/verizon -cypher-encryption-so ftware/. 6 https://www.linkedin.com/yulse/verizons-apprpach-5 -secunty-cmig-silliman. Page 3 The Honorable Ron Wyden You also ask about the retirement of predecessor wireless technologies. According to publicly available information, AT&T has afready discontinued its 2G network and Verizon Wireless and T-Mobile are expected to shut-down their 2G networks in the near future. Specifically, AT&T discontinued service on its 2G wireless network in Januaiy 2017. Consistent with its public statements, in its recently filed FCC Form 477 data AT&T no longer reports having 2G service. Verizon Wireless has stated that it planned to shut down its 2G CDMA network by the end of 2019.8 T-Mobile previously has stated that it will support 2G until December 2020, and Sprint has indicated that the termination of its CDMA network is not expected to commence prior to January 2021.10 Among the aforementioned 2G service providers, I-Mobile and Verizon have made changes to their devices configuration settings that allow users to disable 2G. The Commission is also aware that certain smaller carriers have not announced their plans to switch-off their 2G networks. The Commission will continue to monitor communications service providers efforts to phase out 2G networks and encourage them to invest in more secure networks. Finally, you ask about the FCC s 2018 Restoring Internet Freedom Order s transparency requirement. Given the sheer number of I$Ps offering service throughout the country, the Commission has determined that the most effective way for it to monitor compliance is to require public disclosure of an ISP s practices so that  consumers, entrepreneurs, and other small business [can] report to the Commission any market-barriers they discover. The FCC has provided a portal and instructions for consumers to access TSPs transparency disclosures, 2 and consumers can file informal complaints using the FCC s Consumer Complaint Center as well as by phone or by mail. 3 Notably, the transparency rule only applies to broadband Internet access service, not to voice and text-messaging services. Our transparency rules amplify the power of antitrust law and the FTC Act to deter and where needed, remedy behavior that harms consumers. Although the rules require providers to disclose security practices, they do not specifically address encryption and  [t]he Commission s primary concern is those security measures likely to affect a consumer s ability to access the content, applications, services, and devices of his or her choice. 4 The Commission  do[es] not expect ISPs to disclose internal network security measures that do not directly bear on a https://about.att.com/innovationb1oJ2 g sunset. SeeApplicationsofT-Mobile US, Inc., and Sprint Corp.for Consent to Transfer Control of Licenses and Authorizations, et al., Memorandum Opinion and Order, Declaratoiy Ruling, and Order of Proposed Modification, WT DocketNo. 18-J97,fCC J9-lO3atpara.335& n.1177(2019)(Spnnt/T-MobileOrder). https://www.geotab.com/blo W2c-network-shutdown/. 10 Sprint/T-Mo bile Order at para.298.  RIF Order atpara.228. 12 https://www.fcc.gov/isp-disclosures. 13 See https:!/www.fcc.gov/consum ers/uides/filing-informa1-comp1aint; httns:/!consumercomplaints.fcc.govlhc/en us. 14 RIF Order atpara.220& n.814. Page 4 The Honorable Ron Wyden consumer s choices. 15 Finally, as noted in the Restoring Internet Freedom Order, the Commission has had transparency requirements in place since 2010, and there have been very few incidents in the U.S. since then that plausibly raise openness concerns.16 Please let me know if I can be of any further assistance. Sincerely, Ajit V. Pal  Id. 16 RIf Order atpara.241.