Report text available as:

  • TXT
  • PDF   (PDF provides a complete and accurate display of this text.) Tip ?

116th Congress    }                                 {   Rept. 116-368
                        HOUSE OF REPRESENTATIVES
 2d Session       }                                 {          Part 1

======================================================================

 
     EXPRESSING THE SENSE OF THE HOUSE OF REPRESENTATIVES THAT ALL 
  STAKEHOLDERS IN THE DEPLOYMENT OF 5G COMMUNICATIONS INFRASTRUCTURE 
 SHOULD CAREFULLY CONSIDER AND ADHERE TO THE RECOMMENDATIONS OF ``THE 
                           PRAGUE PROPOSALS''

                                _______
                                

  January 7, 2020.--Referred to the House Calendar and ordered to be 
                                printed

                                _______
                                

 Mr. Pallone, from the Committee on Energy and Commerce, submitted the 
                               following

                              R E P O R T

                       [To accompany H. Res. 575]

    The Committee on Energy and Commerce, to whom was referred 
the resolution (H. Res. 575) expressing the sense of the House 
of Representatives that all stakeholders in the deployment of 
5G communications infrastructure should carefully consider and 
adhere to the recommendations of ``The Prague Proposals'', 
having considered the same, report favorably thereon with 
amendments and recommend that the resolution as amended be 
agreed to.

                                CONTENTS

                                                                   Page
   I. Purpose and Summary.............................................4
  II. Background and Need for Legislation.............................4
 III. Committee Hearings..............................................4
  IV. Committee Consideration.........................................4
   V. Committee Votes.................................................5
  VI. Oversight Findings..............................................5
 VII. New Budget Authority, Entitlement Authority, and Tax Expenditure5
VIII. Federal Mandates Statement......................................5
  IX. Statement of General Performance Goals and Objectives...........6
   X. Duplication of Federal Programs.................................6
  XI. Committee Cost Estimate.........................................6
 XII. Earmarks, Limited Tax Benefits, and Limited Tariff Benefits.....6
XIII. Advisory Committee Statement....................................6
 XIV. Applicability to Legislative Branch.............................6
  XV. Section-by-Section Analysis of the Legislation..................6
 XVI. Exchange of Letters.............................................8
XVII. Changes in Existing Law Made by the Resolution, as Reported....11

    The amendments are as follows:
  Strike out all after the resolving clause and insert the 
following:

SECTION 1. SENSE OF THE HOUSE OF REPRESENTATIVES.

  The House of Representatives--
          (1) urges all stakeholders in the deployment of 5G 
        communications infrastructure to carefully consider adherence 
        to the recommendations of ``The Prague Proposals'' (as 
        described in section 2) as they procure products and services 
        across their supply chain; and
          (2) encourages the President and Federal agencies to promote 
        global trade and security policies that are consistent with 
        ``The Prague Proposals'' and urge our allies to embrace the 
        recommendations of ``The Prague Proposals'' for their 5G 
        infrastructure.

SEC. 2. PRAGUE PROPOSALS.

  The text of ``The Prague Proposals'' is as follows:
          (1) ``Policy''.--
                  (A) ``Communication networks and services should be 
                designed with resilience and security in mind. They 
                should be built and maintained using international, 
                open, consensus-based standards and risk-informed 
                cybersecurity best practices. Clear globally 
                interoperable cyber security guidance that would 
                support cyber security products and services in 
                increasing resilience of all stakeholders should be 
                promoted.''.
                  (B) ``Every country is free, in accordance with 
                international law, to set its own national security and 
                law enforcement requirements, which should respect 
                privacy and adhere to laws protecting information from 
                improper collection and misuse.''.
                  (C) ``Laws and policies governing networks and 
                connectivity services should be guided by the 
                principles of transparency and equitability, taking 
                into account the global economy and interoperable 
                rules, with sufficient oversight and respect for the 
                rule of law.''.
                  (D) ``The overall risk of influence on a supplier by 
                a third country should be taken into account, notably 
                in relation to its model of governance, the absence of 
                cooperation agreements on security, or similar 
                arrangements, such as adequacy decisions, as regards 
                data protection, or whether this country is a party to 
                multilateral, international or bilateral agreements on 
                cybersecurity, the fight against cybercrime, or data 
                protection.''.
          (2) ``Technology''.--
                  (A) ``Stakeholders should regularly conduct 
                vulnerability assessments and risk mitigation within 
                all components and network systems, prior to product 
                release and during system operation, and promote a 
                culture of find/fix/patch to mitigate identified 
                vulnerabilities and rapidly deploy fixes or patches.''.
                  (B) ``Risk assessments of supplier's products should 
                take into account all relevant factors, including 
                applicable legal environment and other aspects of 
                supplier's ecosystem, as these factors may be relevant 
                to stakeholders' efforts to maintain the highest 
                possible level of cyber security.''.
                  (C) ``When building up resilience and security, it 
                should be taken into consideration that malicious cyber 
                activities do not always require the exploitation of a 
                technical vulnerability, e.g. in the event of insider 
                attack.''.
                  (D) ``In order to increase the benefits of global 
                communication, States should adopt policies to enable 
                efficient and secure network data flows.''.
                  (E) ``Stakeholders should take into consideration 
                technological changes accompanying 5G networks roll 
                out, e.g. use of edge computing and software defined 
                network/network function virtualization, and its impact 
                on overall security of communication channels.''.
                  (F) ``Customer--whether the government, operator, or 
                manufacturer--must be able to be informed about the 
                origin and pedigree of components and software that 
                affect the security level of the product or service, 
                according to state of art and relevant commercial and 
                technical practices, including transparency of 
                maintenance, updates, and remediation of the products 
                and services.''.
          (3) ``Economy''.--
                  (A) ``A diverse and vibrant communications equipment 
                market and supply chain are essential for security and 
                economic resilience.''.
                  (B) ``Robust investment in research and development 
                benefits the global economy and technological 
                advancement and is a way to potentially increase 
                diversity of technological solutions with positive 
                effects on security of communication networks.''.
                  (C) ``Communication networks and network services 
                should be financed openly and transparently using 
                standard best practices in procurement, investment, and 
                contracting.''.
                  (D) ``State-sponsored incentives, subsidies, or 
                financing of 5G communication networks and service 
                providers should respect principles of fairness, be 
                commercially reasonable, conducted openly and 
                transparently, based on open market competitive 
                principles, while taking into account trade 
                obligations.''.
                  (E) ``Effective oversight on key financial and 
                investment instruments influencing telecommunication 
                network development is critical.''.
                  (F) ``Communication networks and network service 
                providers should have transparent ownership, 
                partnerships, and corporate governance structures.''.
          (4) ``Security, privacy, and resilience''.--
                  (A) ``All stakeholders including industry should work 
                together to promote security and resilience of national 
                critical infrastructure networks, systems, and 
                connected devices.''.
                  (B) ``Sharing experience and best practices, 
                including assistance, as appropriate, with mitigation, 
                investigation, response, and recovery from network 
                attacks, compromises, or disruptions should be 
                promoted.''.
                  (C) ``Security and risk assessments of vendors and 
                network technologies should take into account rule of 
                law, security environment, vendor malfeasance, and 
                compliance with open, interoperable, secure standards, 
                and industry best practices to promote a vibrant and 
                robust cyber security supply of products and services 
                to deal with the rising challenges.''.
                  (D) ``Risk management framework in a manner that 
                respects data protection principles to ensure privacy 
                of citizens using network equipment and services should 
                be implemented.''.

    Amend the preamble to read as follows:

Whereas 5G, the next generation (5th generation) in wireless technology, 
promises the next evolution of communications and information technology 
services, applications, and capabilities across every sector of business, 
government, entertainment, and communications;

Whereas the United States, Europe, China, and others are racing toward 5G 
adoption and upgrading existing networks, which will drive subsequent 
advances in artificial intelligence, machine learning, smart homes, smart 
cities, robotics, autonomous vehicles, and quantum computers;

Whereas 5G will make possible the automatization of everyday activities and 
the use of the full potential of the Internet of Things;

Whereas these developments, while evolutionary, could include risks to 
important public interests, including privacy, data security, public 
safety, and national security;

Whereas in a highly connected world, disruption of the integrity, 
confidentiality, or availability of communications or even the disruption 
of the communications service itself can seriously hamper everyday life, 
societal functions, the economy, and national security;

Whereas the security of 5G networks is crucial for national security, 
economic security, and other United States national interests and global 
stability;

Whereas operators of communications infrastructure depend on a complex 
supply chain of technology from a global market of suppliers and service 
providers;

Whereas government security officials and experts from 32 countries came 
together in Prague in May of 2019 to work out guidelines for the deployment 
and security of 5G networks;

Whereas representatives agreed that ``[m]ajor security risks emanate from 
the cross-border complexities of an increasingly global supply chain which 
provides [information and communications technology] equipment. These risks 
should be considered as part of the risk assessment based on relevant 
information and should seek to prevent proliferation of compromised devices 
and the use of malicious code and functions.''; and

Whereas the Prague 5G Security Conference adopted security recommendations, 
which have come to be known as ``The Prague Proposals'': Now, therefore, be 
it

    Amend the title so as to read:
    Resolution expressing the sense of the House of 
Representatives that all stakeholders in the deployment of 5G 
communications infrastructure should carefully consider 
adherence to the recommendations of ``The Prague Proposals''.

                         I. PURPOSE AND SUMMARY

    H. Res. 575, a Resolution expressing the sense of the House 
of Representatives that all stakeholders in the deployment of 
5G communications infrastructure should carefully consider and 
adhere to the recommendations of `The Prague Proposals', was 
introduced on September 24, 2019, by Rep. Flores (R-TX), and 
Rep. Soto (D-FL), and referred to the Committee on Energy and 
Commerce and in addition to the Committee on Foreign Affairs. 
H. Res. 575 expresses the sense of the House of Representatives 
that all stakeholders in the deployment of 5G communications 
infrastructure should adhere to the Prague Proposals, that 
resulted from the Prague 5G Security Conference, in procuring 
products and services. It also encourages the President and 
Federal agencies to encourage allies of the United States to 
embrace the recommendations of the proposals for their 5G 
infrastructure.

                II. BACKGROUND AND NEED FOR LEGISLATION

    5G technology promises evolution across every sector of the 
American economy. It promises new technology and network 
applications that touch every aspect of daily lives. While this 
advancement is beneficial in many ways, it significantly 
increases risk to national security. As a result, it is 
essential that companies deploying these networks ensure that 
their infrastructure is secure and consists of trusted network 
components.
    In May 2019, representatives from 32 countries met in 
Prague to discuss concerns about equipment supplied by certain 
vendors that pose a threat to national security. The 
conclusions from the conference became known as ``The Prague 
Proposals,'' which are recommendations for stakeholders to 
consider when deploying their networks. H. Res. 575 further 
urges stakeholders to adhere to these recommendations and 
encourages the President and other Federal agencies to promote 
policies consistent with these recommendations.

                        III. COMMITTEE HEARINGS

    For the purposes of section 103(i) of H. Res. 6 of the 
116th Congress, the following hearing was used to develop or 
consider H. Res. 575:
    The Subcommittee on Communications and Technology held a 
legislative hearing on September 27, 2019, entitled 
``Legislating to Secure America's Wireless Future.'' The 
Subcommittee received testimony from the following witnesses:
           John Nettles, President, Pine Belt Wireless;
           Harold Feld, Senior Vice President, Public 
        Knowledge;
           Dean Brenner, Senior Vice President, 
        Spectrum Strategy & Tech Policy, Qualcomm Incorporated; 
        and
           Bobbie Stempfley, Managing Director, CERT 
        Division Software Engineering Institute, Carnegie 
        Mellon University.

                      IV. COMMITTEE CONSIDERATION

    H. Res. 575, a resolution expressing the sense of the House 
of Representatives that all stakeholders in the deployment of 
5G communications infrastructure should carefully consider and 
adhere to the recommendations of `The Prague Proposals', was 
introduced on September 24, 2019, by Rep. Flores (R-TX), and 
Rep. Soto (D-FL), and referred to the Committee on Energy and 
Commerce and the Committee on Foreign Affairs. The resolution 
was referred to the Subcommittee on Communications and 
Technology on September 25, 2019. Following a legislative 
hearing, the Subcommittee met in open markup session on H. Res. 
575 on November 14, 2019, pursuant to notice, for consideration 
of the resolution. During consideration, an amendment making 
technical changes to the resolution was offered by Mr. Flores 
and was agreed to by a voice vote. Subsequently, the 
Subcommittee on Communications and Technology agreed to a 
motion by Mr. Doyle, Chairman of the subcommittee, to forward 
favorably H. Res. 575 to the full Committee on Energy and 
Commerce, amended, by a voice vote.
    The full Committee met in open markup session, pursuant to 
notice, on November 20, 2019, to consider H. Res. 575, as 
amended by the subcommittee. No amendments were offered in full 
Committee. The Committee on Energy and Commerce thereupon 
agreed to a motion by Mr. Pallone, Chairman of the committee, 
to order H. Res. 575 reported favorably to the House, as 
amended, by a voice vote.

                           V. COMMITTEE VOTES

    Clause 3(b) of rule XIII of the Rules of the House of 
Representatives requires the Committee to list each record vote 
on the motion to report legislation and amendments thereto. The 
Committee advises that there were no record votes taken on H. 
Res. 575.

                         VI. OVERSIGHT FINDINGS

    Pursuant to clause 3(c)(1) of rule XIII and clause 2(b)(1) 
of rule X of the Rules of the House of Representatives, the 
oversight findings and recommendations of the Committee are 
reflected in the descriptive portion of the report.

 VII. NEW BUDGET AUTHORITY, ENTITLEMENT AUTHORITY, AND TAX EXPENDITURES

    Pursuant to 3(c)(2) of rule XIII of the Rules of the House 
of Representatives, the Committee adopts as its own the 
estimate of new budget authority, entitlement authority, or tax 
expenditures or revenues contained in the cost estimate 
prepared by the Director of the Congressional Budget Office 
pursuant to section 402 of the Congressional Budget Act of 
1974.
    The Committee has requested but not received from the 
Director of the Congressional Budget Office a statement as to 
whether this resolution contains any new budget authority, 
spending authority, credit authority, or an increase or 
decrease in revenues or tax expenditures.

                    VIII. FEDERAL MANDATES STATEMENT

    The Committee adopts as its own the estimate of Federal 
mandates prepared by the Director of the Congressional Budget 
Office pursuant to section 423 of the Unfunded Mandates Reform 
Act.

       IX. STATEMENT OF GENERAL PERFORMANCE GOALS AND OBJECTIVES

    Pursuant to clause 3(c)(4) of rule XIII, the general 
performance goal or objective of this legislation is to 
encourage participation in global wireless standards bodies by 
trusted companies and relevant stakeholders.

                   X. DUPLICATION OF FEDERAL PROGRAMS

    Pursuant to clause 3(c)(5) of rule XIII, no provision of H. 
Res. 575 is known to be duplicative of another Federal program, 
including any program that was included in a report to Congress 
pursuant to section 21 of Public Law 111-139 or the most recent 
Catalog of Federal Domestic Assistance.

                      XI. COMMITTEE COST ESTIMATE

    Pursuant to clause 3(d)(1) of rule XIII, the Committee 
adopts as its own the cost estimate prepared by the Director of 
the Congressional Budget Office pursuant to section 402 of the 
Congressional Budget Act of 1974.

    XII. EARMARKS, LIMITED TAX BENEFITS, AND LIMITED TARIFF BENEFITS

    Pursuant to clause 9(e), 9(f), and 9(g) of rule XXI, the 
Committee finds that H. Res. 575 contains no earmarks, limited 
tax benefits, or limited tariff benefits.

                   XIII. ADVISORY COMMITTEE STATEMENT

    The legislation does not create any new Federal advisory 
committee within the meaning of section 5(b) of the Federal 
Advisory Committee Act.

                XIV. APPLICABILITY TO LEGISLATIVE BRANCH

    The Committee finds that the legislation does not relate to 
the terms and conditions of employment or access to public 
services or accommodations within the meaning of section 
102(b)(3) of the Congressional Accountability Act.

           XV. SECTION-BY-SECTION ANALYSIS OF THE LEGISLATION

Section 1. Sense of the House of Representatives

    Section 1 urges all stakeholders involved in the deployment 
of 5G communications infrastructure to carefully consider 
adherence to the recommendations of ``The Prague Proposals'' as 
they procure products and services across their supply chain. 
It also requires the President and Federal agencies to promote 
global trade and security policies that are consistent with 
``The Prague Proposals'' and urge allies of the United States 
to embrace the recommendations of ``The Prague Proposals'' for 
their 5G infrastructure.

Sec. 2. Prague proposals

    This section sets forth the text of ``The Prague 
Proposals'' as developed at the conference in May 2019. The 
proposals provide recommendations for building and maintaining 
communications networks and services.
    The policy recommendations include: designing networks with 
cybersecurity, transparency, and equitability in mind; 
respecting privacy and adhere to laws protecting information 
from improper collection and misuse; and considering the 
overall risk of influence on a supplier by a third country.
    The technology recommendations provide guidance to 
stakeholders on how best to protect their networks through 
certain actions, such as regularly conducting risk and 
vulnerability assessments, adopting secure data flows, and 
ensuring that the customer is informed of the security level of 
products or services.
    Finally, the proposals encourage stakeholders to consider 
the impact of secure networks on a nation's economy and 
encourages stakeholders to work together and share experiences 
to promote the security, privacy, and resiliency of networks.

                        XVI. EXCHANGE OF LETTERS

              [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

   XVII. CHANGES IN EXISTING LAW MADE BY THE RESOLUTION, AS REPORTED

    This resolution makes no changes to existing law, as 
reported by the Committee on Energy and Commerce.

                                  [all]