[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[H. Res. 575 Engrossed in House (EH)]
H. Res. 575
In the House of Representatives, U. S.,
January 8, 2020.
Whereas 5G, the next generation (5th generation) in wireless technology,
promises the next evolution of communications and information technology
services, applications, and capabilities across every sector of
business, government, entertainment, and communications;
Whereas the United States, Europe, China, and others are racing toward 5G
adoption and upgrading existing networks, which will drive subsequent
advances in artificial intelligence, machine learning, smart homes,
smart cities, robotics, autonomous vehicles, and quantum computers;
Whereas 5G will make possible the automatization of everyday activities and the
use of the full potential of the Internet of Things;
Whereas these developments, while evolutionary, could include risks to important
public interests, including privacy, data security, public safety, and
national security;
Whereas in a highly connected world, disruption of the integrity,
confidentiality, or availability of communications or even the
disruption of the communications service itself can seriously hamper
everyday life, societal functions, the economy, and national security;
Whereas the security of 5G networks is crucial for national security, economic
security, and other United States national interests and global
stability;
Whereas operators of communications infrastructure depend on a complex supply
chain of technology from a global market of suppliers and service
providers;
Whereas government security officials and experts from 32 countries came
together in Prague in May of 2019 to work out guidelines for the
deployment and security of 5G networks;
Whereas representatives agreed that ``[m]ajor security risks emanate from the
cross-border complexities of an increasingly global supply chain which
provides [information and communications technology] equipment. These
risks should be considered as part of the risk assessment based on
relevant information and should seek to prevent proliferation of
compromised devices and the use of malicious code and functions.''; and
Whereas the Prague 5G Security Conference adopted security recommendations,
which have come to be known as ``The Prague Proposals'': Now, therefore,
be it
Resolved,
SECTION 1. SENSE OF THE HOUSE OF REPRESENTATIVES.
The House of Representatives--
(1) urges all stakeholders in the deployment of 5G communications
infrastructure to carefully consider adherence to the recommendations of
``The Prague Proposals'' (as described in section 2) as they procure
products and services across their supply chain; and
(2) encourages the President and Federal agencies to promote global
trade and security policies that are consistent with ``The Prague
Proposals'' and urge our allies to embrace the recommendations of ``The
Prague Proposals'' for their 5G infrastructure.
SEC. 2. PRAGUE PROPOSALS.
The text of ``The Prague Proposals'' is as follows:
``(1) Policy.--
``(A) Communication networks and services should be designed
with resilience and security in mind. They should be built and
maintained using international, open, consensus-based standards
and risk-informed cybersecurity best practices. Clear globally
interoperable cyber security guidance that would support cyber
security products and services in increasing resilience of all
stakeholders should be promoted.
``(B) Every country is free, in accordance with
international law, to set its own national security and law
enforcement requirements, which should respect privacy and
adhere to laws protecting information from improper collection
and misuse.
``(C) Laws and policies governing networks and connectivity
services should be guided by the principles of transparency and
equitability, taking into account the global economy and
interoperable rules, with sufficient oversight and respect for
the rule of law.
``(D) The overall risk of influence on a supplier by a third
country should be taken into account, notably in relation to its
model of governance, the absence of cooperation agreements on
security, or similar arrangements, such as adequacy decisions,
as regards data protection, or whether this country is a party
to multilateral, international or bilateral agreements on
cybersecurity, the fight against cybercrime, or data protection.
``(2) Technology.--
``(A) Stakeholders should regularly conduct vulnerability
assessments and risk mitigation within all components and
network systems, prior to product release and during system
operation, and promote a culture of find/fix/patch to mitigate
identified vulnerabilities and rapidly deploy fixes or patches.
``(B) Risk assessments of supplier's products should take
into account all relevant factors, including applicable legal
environment and other aspects of supplier's ecosystem, as these
factors may be relevant to stakeholders' efforts to maintain the
highest possible level of cyber security.
``(C) When building up resilience and security, it should be
taken into consideration that malicious cyber activities do not
always require the exploitation of a technical vulnerability,
e.g. in the event of insider attack.
``(D) In order to increase the benefits of global
communication, States should adopt policies to enable efficient
and secure network data flows.
``(E) Stakeholders should take into consideration
technological changes accompanying 5G networks roll out, e.g.
use of edge computing and software defined network/network
function virtualization, and its impact on overall security of
communication channels.
``(F) Customer--whether the government, operator, or
manufacturer--must be able to be informed about the origin and
pedigree of components and software that affect the security
level of the product or service, according to state of art and
relevant commercial and technical practices, including
transparency of maintenance, updates, and remediation of the
products and services.
``(3) Economy.--
``(A) A diverse and vibrant communications equipment market
and supply chain are essential for security and economic
resilience.
``(B) Robust investment in research and development benefits
the global economy and technological advancement and is a way to
potentially increase diversity of technological solutions with
positive effects on security of communication networks.
``(C) Communication networks and network services should be
financed openly and transparently using standard best practices
in procurement, investment, and contracting.
``(D) State-sponsored incentives, subsidies, or financing of
5G communication networks and service providers should respect
principles of fairness, be commercially reasonable, conducted
openly and transparently, based on open market competitive
principles, while taking into account trade obligations.
``(E) Effective oversight on key financial and investment
instruments influencing telecommunication network development is
critical.
``(F) Communication networks and network service providers
should have transparent ownership, partnerships, and corporate
governance structures.
``(4) Security, privacy, and resilience.--
``(A) All stakeholders including industry should work
together to promote security and resilience of national critical
infrastructure networks, systems, and connected devices.
``(B) Sharing experience and best practices, including
assistance, as appropriate, with mitigation, investigation,
response, and recovery from network attacks, compromises, or
disruptions should be promoted.
``(C) Security and risk assessments of vendors and network
technologies should take into account rule of law, security
environment, vendor malfeasance, and compliance with open,
interoperable, secure standards, and industry best practices to
promote a vibrant and robust cyber security supply of products
and services to deal with the rising challenges.
``(D) Risk management framework in a manner that respects
data protection principles to ensure privacy of citizens using
network equipment and services should be implemented.''.
Attest:
Clerk.