Software defined radio
SDR Rulemaking FINALLY Resolved
02 02, 10 12:59 Filed in: New Technology
Mitchell Lazarus writes in the Fletcher, Heald & Hildreth CommLawBlog this week about the end of the FCC’s software defined radio (SDR) rulemaking, Docket 03-108. “Not with a bang, but with a wimper” is a good way to describe it.
Note that this docket begins with “03” - yes, that means it has been around since the NPRM was issued on 12/20/03, although the issue in contention here actually is a followon to Docket 00-47. In the NPRM the Commission said brave words about the importance of these technologies:
In the 2007 Order in this docket, FCC said “[M]anufacturers should not intentionally make . . . security measures in a software defined radio public, if doing so would increase the risk that these security measures could be defeated . . . .” The Order then said: “A system that is wholly dependent on open source elements will have a high burden to demonstrate that it is sufficiently secure . . . .”
Those of us who are Firefox users have made a judgment of the security of this open source software vs. the endless security problems of closed source Internet Explorer. The security of open source software if not a real issue. What is an issue is how slow the ancien regime at FCC was in keeping up with technology and keeping up with its “in box”. Telecom technology moves at Internet speed and excessive slowness discourages innovation and the capital formation needed to support it. Your blogger suggested in comments to Docket 09-157 that the Commission should delegate this type of noncontroversial policy issue to a panel of senior employees empowered by Section 5(c) of the Communications Act to make decisions. So far no one else has commented on this proposal. What do you think?
But another issue here in the area of software security has nothing to do with open source software. At the recent SDRForum conference in Arlington (now called the Wireless Innovation Forum) I was on a panel discussion and someone in the audience asked why doesn’t FCC do more about the security of the software in software defined radios. Indeed, with malicious software changes, SDR radios could do all sorts of malicious things to disrupt CMRS communications, public safety communications, etc.
While I was at FCC some of us were concerned about this and considered safeguards. But the SDR Forum and its major members were very insistent that they were responsible people and would only sell SDR units that were difficult//impossible to load with malicious unauthorized software. I am certain that this was and still is the intent of the legitimate companies that are members of the SDR Form and its successor. BUT. FCC Rules do not apply just to them. The same rules apply to anyone who manufacturers or imports SDRs.
There are sleazy foreign companies who have sold systems as antisocial as high power cordless phones that operate on air traffic control frequencies. Such firms would be happy to make an SDR that is approved by FCC with software for some benign function such as Part 90 use. Then they, or an affiliate, can sell through the Internet software that turns the unit into some nefarious use. Once large numbers are imported into the US, there is little in practice FCC can do about them. The fundamental problem about the SDR rules is they assume the manufacturer/importer is a “good guy” in all cases. This is not always the case. I am afraid other spectrum users may find out the hard way and am puzzled while CTIA, NAB and APCO have never been interested in this issue.
Note that this docket begins with “03” - yes, that means it has been around since the NPRM was issued on 12/20/03, although the issue in contention here actually is a followon to Docket 00-47. In the NPRM the Commission said brave words about the importance of these technologies:
“By initiating this proceeding, we recognize the importance of new cognitive radio technologies, which are likely to become more prevalent over the next few years and which hold tremendous promise in helping to facilitate more effective and efficient access to spectrum. We seek to ensure that our rules and policies do not inadvertently hinder development and deployment of such technologies, but instead enable a full realization of their potential benefits.”
In the 2007 Order in this docket, FCC said “[M]anufacturers should not intentionally make . . . security measures in a software defined radio public, if doing so would increase the risk that these security measures could be defeated . . . .” The Order then said: “A system that is wholly dependent on open source elements will have a high burden to demonstrate that it is sufficiently secure . . . .”
Those of us who are Firefox users have made a judgment of the security of this open source software vs. the endless security problems of closed source Internet Explorer. The security of open source software if not a real issue. What is an issue is how slow the ancien regime at FCC was in keeping up with technology and keeping up with its “in box”. Telecom technology moves at Internet speed and excessive slowness discourages innovation and the capital formation needed to support it. Your blogger suggested in comments to Docket 09-157 that the Commission should delegate this type of noncontroversial policy issue to a panel of senior employees empowered by Section 5(c) of the Communications Act to make decisions. So far no one else has commented on this proposal. What do you think?
But another issue here in the area of software security has nothing to do with open source software. At the recent SDRForum conference in Arlington (now called the Wireless Innovation Forum) I was on a panel discussion and someone in the audience asked why doesn’t FCC do more about the security of the software in software defined radios. Indeed, with malicious software changes, SDR radios could do all sorts of malicious things to disrupt CMRS communications, public safety communications, etc.
While I was at FCC some of us were concerned about this and considered safeguards. But the SDR Forum and its major members were very insistent that they were responsible people and would only sell SDR units that were difficult//impossible to load with malicious unauthorized software. I am certain that this was and still is the intent of the legitimate companies that are members of the SDR Form and its successor. BUT. FCC Rules do not apply just to them. The same rules apply to anyone who manufacturers or imports SDRs.
There are sleazy foreign companies who have sold systems as antisocial as high power cordless phones that operate on air traffic control frequencies. Such firms would be happy to make an SDR that is approved by FCC with software for some benign function such as Part 90 use. Then they, or an affiliate, can sell through the Internet software that turns the unit into some nefarious use. Once large numbers are imported into the US, there is little in practice FCC can do about them. The fundamental problem about the SDR rules is they assume the manufacturer/importer is a “good guy” in all cases. This is not always the case. I am afraid other spectrum users may find out the hard way and am puzzled while CTIA, NAB and APCO have never been interested in this issue.
Comments