Federal Communications Commission.
This document dismisses a petition for reconsideration filed by the SDR Forum requesting that the Commission modify the policy statements it made in the Memorandum Opinion and Order (MO&O) in this proceeding concerning the use of open source software to implement security features in software defined radios (SDRs). While, the Commission dismisses this petition on procedural grounds, it also provides clarification concerning the issues raised therein.
Effective April 7, 2010.Start Further Info
FOR FURTHER INFORMATION CONTACT:
Hugh Van Tuyl, Policy and Rules Division, Office of Engineering and Technology, (202) 418-7506, e-mail: Hugh.VanTuyl@fcc.gov.End Further Info End Preamble Start Supplemental Information
This is a summary of the Commission's Memorandum Opinion and Order, ET Docket No. 03-108, adopted January 14, 2010, and released January 19, 2010. The full text of this document is available on the Commission's Internet site at http://www.fcc.gov. It is also available for inspection and copying during regular business hours in the FCC Reference Center (Room CY-A257), 445 12th Street, SW., Washington, DC 20554. The full text of this document also may be purchased from the Commission's duplication contractor, Best Copy and Printing Inc., Portals II, 445 12th St., SW., Room CY-B402, Washington, DC 20554; telephone (202) 488-5300; fax (202) 488-5563; e-mail FCC@BCPIWEB.COM.
Summary of the Memorandum Opinion and Order
1. On March 17, 2005, the Commission adopted the Cognitive Radio Report and Order, 70 FR 23032, May 4, 2005, in which the rules were modified to reflect ongoing technical developments in cognitive and software defined radio (SDR) technologies.
2. On April 20, 2007, the Commission adopted a Memorandum Opinion and Order (MO&O), 72 FR 31190, June 6, 2007, which responded to two petitions filed in response to the Cognitive Radio Report and Order. The Commission, Start Printed Page 10440 inter alia, granted a petition for clarification filed by Cisco Systems, Inc. (“Cisco”) requesting that the Commission clarify: (1) The requirement to approve certain devices as software defined radios; and (2) its policy on the confidentiality of software that controls security measures in software defined radios.
3. In responding to the Cisco petition, the Commission stated that with regard to the use of open source software for implementing software defined radio security measures:
“* * * manufacturers should not intentionally make the distinctive elements that implement that manufacturer's particular security measures in a software defined radio public, if doing so would increase the risk that these security measures could be defeated or otherwise circumvented to allow operation of the radio in a manner that violates the Commission's rules. A system that is wholly dependent on open source elements will have a high burden to demonstrate that it is sufficiently secure to warrant authorization as a software defined radio.”
4. The SDR Forum filed a petition for reconsideration on July 3, 2007, requesting that the Commission modify the statements.
5. In its petition, the SDR Forum expresses concern that the language in the MO&O on the use of open source software for implementing SDR security measures may inadvertently pose a barrier to the development and wide implementation of security techniques that would ensure compliance with the Commission's rules. SDR recommends that these policy statements be modified, stating that manufacturers should have the discretion to discuss their security measures in public so long as the intent of the disclosure is not to enable circumvention of the Commission's rules. The SDR Forum states that the Commission should remain neutral on the security of open source elements because open source approaches are no less secure than proprietary techniques. It specifically requests that the Commission modify the text quoted above by:
“revising the first sentence to state “a manufacturer may make public its SDR security mechanisms so long as the intent is not to circumvent compliance with Commission rules;” and by deleting the second sentence.”
6. The Commission is dismissing the SDR Forum petition for reconsideration on procedural grounds. While the SDR Forum filed comments in response to the NPRM in this proceeding, it did not submit comments in response to the Cisco petition for reconsideration that raised the issue of using open source software to implement software defined radio security mechanisms. The Cisco petition was addressed in the Commission's MO&O for which the SDR Forum now requests reconsideration. A petition for reconsideration that relies on facts not previously presented to the Commission will be granted only if:
(a) The facts relied on relate to events which have occurred or circumstances which have changed since the last opportunity to present them to the Commission;
(b) The facts relied upon were unknown to the petitioner until after his last opportunity to present them to the Commission, and the petition could not through the exercise of due diligence have learned of the facts in question prior to such opportunity; or
(c) The Commission determines that consideration of the facts relied on is required in the public interest.
The SDR Forum petition does not address why it did not respond to the Cisco petition or claim that any of these three conditions are met in this case. Accordingly, the SDR Forum's petition for reconsideration is procedurally defective and is hereby dismissed. However, the Commission recognizes that the issue of open source software in software defined radios is of interest to the SDR Forum and other parties. Accordingly, the Commission is taking this opportunity to clarify its policies with respect to the use of open source software for implementing security features in software defined radios.
7. The Commission's rules require that a software defined radio manufacturer take steps to ensure that only software that has been approved with a software defined radio can be loaded into the radio. The software must not allow the user to operate the transmitter with radio frequency parameters other than those that were approved by the Commission. The Commission's rules require that the manufacturer have reasonable security measures to prevent unauthorized modifications that would affect the RF operating parameters or the circumstances under which the transmitter operates in accordance with Commission rules. Manufacturers may select the methods used to meet these requirements and must describe them in their application for equipment authorization.
8. When a party applies for certification of a software defined radio, the description of the security methods used in the radio is automatically held confidential. The Commission does this because such information often is proprietary and also because revelation of the security methods, or portions thereof, could possibly assist parties in defeating the security features and enable operation of the radio outside the Commission's rules. Out of an abundance of caution—because operation of a radio outside the Commission's rules could result in harmful interference to a wide variety of radio services, including safety-of-life services—the Commission holds the entire description of the security measures confidential. Therefore, the Commission's staff does not have to determine which portions of a software defined radio security methods description filed with an application could be made publicly available without risk that such disclosure could assist parties in defeating the security measures. Further, by automatically holding the description confidential, applicants for certification do not have to specifically request confidentiality for the description of a radio's security mechanisms.
9. Neither the Commission's rules whereby it maintains the confidentiality of a software defined radio's security mechanism nor the policy stated in the MO&O prohibit radio manufacturers and software developers from sharing information on the design of security methods with other manufacturers and developers. Rather, the Commission's policy stated only that manufacturers should not make the “distinctive elements” of security features publicly available, if doing so would increase the risk that security measures could be defeated or circumvented to allow operation of a radio in a manner that violates the rules. The Commission's intent was not to prohibit manufacturers from collaborating and sharing information that could allow them to develop more robust security features or reduce the cost of implementing them. In fact, the Commission would encourage such work by industry. The Commission's concern is only with disclosure of those particular elements of a security scheme when such disclosure could facilitate defeating the security scheme. Thus, manufacturers can make whatever information they wish concerning their security methods public, provided they can demonstrate the implementation has a means of controlling access to the distinctive elements that could allow parties to defeat or circumvent the security methods.
10. The Commission emphasizes that it does not prohibit the use of open source software in implementing software defined radio security features. The Commission's concern with open source software is that disclosure of Start Printed Page 10441certain elements of a security scheme could assist parties in defeating the scheme. As Cisco stated in its petition, licensing agreements may require that open source software code be made publicly available. This could potentially lead to public disclosure of this information. For these reasons, the Commission stated in the MO&O that a system that is wholly dependent on open source elements would have a high burden to demonstrate that it is sufficiently secure to warrant authorization as a software defined radio. However, the Commission's statements in the MO&O were not intended to prohibit the use of open source software or discourage its use. All applicants seeking to certify a software defined radio are held to the same standard, i.e., they must demonstrate that the radio contains security features sufficient to prevent unauthorized modifications to the radio frequency operating parameter. A party applying for certification of a software defined radio would need to show that public disclosure of the source code would not assist parties in defeating the security scheme, or that disclosure of the distinctive elements of the security scheme would not assist parties in defeating the security scheme. As the SDR Forum notes, security mechanisms can rely on a variety of means to control access, such as keys, passwords or biometric data.
11. Finally, as software defined radio and security technologies continue to develop and mature, the Commission may address the rules for software defined radios, including their security requirements, in future proceedings. The Commission encourages the SDR Forum and other interested parties to participate in such proceedings.
12. The petition for reconsideration filed by the SDR Forum IS hereby dismissed. This action is taken pursuant to the authority contained in Sections 4(i), 301, 302, 303(e), 303(f), and 303(r) of the Communications Act of 1934, as amended, 47 U.S.C. Sections 154(i), 301, 302, 303(e), 303(f), and 303(r).
13. It is further ordered that ET Docket No. 03-108 is terminated.Start Signature
Federal Communications Commission.
Marlene H. Dortch,
[FR Doc. 2010-4855 Filed 3-5-10; 8:45 am]
BILLING CODE 6712-01-P