[Federal Register Volume 75, Number 44 (Monday, March 8, 2010)]
[Rules and Regulations]
[Pages 10439-10441]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2010-4855]


=======================================================================
-----------------------------------------------------------------------

FEDERAL COMMUNICATIONS COMMISSION

47 CFR Part 2

[ET Docket No. 03-108; FCC 10-12]


Cognitive Radio Technologies and Software Defined Radios

AGENCY: Federal Communications Commission.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: This document dismisses a petition for reconsideration filed 
by the SDR Forum requesting that the Commission modify the policy 
statements it made in the Memorandum Opinion and Order (MO&O) in this 
proceeding concerning the use of open source software to implement 
security features in software defined radios (SDRs). While, the 
Commission dismisses this petition on procedural grounds, it also 
provides clarification concerning the issues raised therein.

DATES: Effective April 7, 2010.

FOR FURTHER INFORMATION CONTACT: Hugh Van Tuyl, Policy and Rules 
Division, Office of Engineering and Technology, (202) 418-7506, e-mail: 
[email protected].

SUPPLEMENTARY INFORMATION: This is a summary of the Commission's 
Memorandum Opinion and Order, ET Docket No. 03-108, adopted January 14, 
2010, and released January 19, 2010. The full text of this document is 
available on the Commission's Internet site at http://www.fcc.gov. It 
is also available for inspection and copying during regular business 
hours in the FCC Reference Center (Room CY-A257), 445 12th Street, SW., 
Washington, DC 20554. The full text of this document also may be 
purchased from the Commission's duplication contractor, Best Copy and 
Printing Inc., Portals II, 445 12th St., SW., Room CY-B402, Washington, 
DC 20554; telephone (202) 488-5300; fax (202) 488-5563; e-mail 
[email protected].

Summary of the Memorandum Opinion and Order

    1. On March 17, 2005, the Commission adopted the Cognitive Radio 
Report and Order, 70 FR 23032, May 4, 2005, in which the rules were 
modified to reflect ongoing technical developments in cognitive and 
software defined radio (SDR) technologies.
    2. On April 20, 2007, the Commission adopted a Memorandum Opinion 
and Order (MO&O), 72 FR 31190, June 6, 2007, which responded to two 
petitions filed in response to the Cognitive Radio Report and Order. 
The Commission,

[[Page 10440]]

inter alia, granted a petition for clarification filed by Cisco 
Systems, Inc. (``Cisco'') requesting that the Commission clarify: (1) 
The requirement to approve certain devices as software defined radios; 
and (2) its policy on the confidentiality of software that controls 
security measures in software defined radios.
    3. In responding to the Cisco petition, the Commission stated that 
with regard to the use of open source software for implementing 
software defined radio security measures:

    ``* * * manufacturers should not intentionally make the 
distinctive elements that implement that manufacturer's particular 
security measures in a software defined radio public, if doing so 
would increase the risk that these security measures could be 
defeated or otherwise circumvented to allow operation of the radio 
in a manner that violates the Commission's rules. A system that is 
wholly dependent on open source elements will have a high burden to 
demonstrate that it is sufficiently secure to warrant authorization 
as a software defined radio.''

    4. The SDR Forum filed a petition for reconsideration on July 3, 
2007, requesting that the Commission modify the statements.
    5. In its petition, the SDR Forum expresses concern that the 
language in the MO&O on the use of open source software for 
implementing SDR security measures may inadvertently pose a barrier to 
the development and wide implementation of security techniques that 
would ensure compliance with the Commission's rules. SDR recommends 
that these policy statements be modified, stating that manufacturers 
should have the discretion to discuss their security measures in public 
so long as the intent of the disclosure is not to enable circumvention 
of the Commission's rules. The SDR Forum states that the Commission 
should remain neutral on the security of open source elements because 
open source approaches are no less secure than proprietary techniques. 
It specifically requests that the Commission modify the text quoted 
above by:

    ``revising the first sentence to state ``a manufacturer may make 
public its SDR security mechanisms so long as the intent is not to 
circumvent compliance with Commission rules;'' and by deleting the 
second sentence.''

    6. The Commission is dismissing the SDR Forum petition for 
reconsideration on procedural grounds. While the SDR Forum filed 
comments in response to the NPRM in this proceeding, it did not submit 
comments in response to the Cisco petition for reconsideration that 
raised the issue of using open source software to implement software 
defined radio security mechanisms. The Cisco petition was addressed in 
the Commission's MO&O for which the SDR Forum now requests 
reconsideration. A petition for reconsideration that relies on facts 
not previously presented to the Commission will be granted only if:
    (a) The facts relied on relate to events which have occurred or 
circumstances which have changed since the last opportunity to present 
them to the Commission;
    (b) The facts relied upon were unknown to the petitioner until 
after his last opportunity to present them to the Commission, and the 
petition could not through the exercise of due diligence have learned 
of the facts in question prior to such opportunity; or
    (c) The Commission determines that consideration of the facts 
relied on is required in the public interest.

The SDR Forum petition does not address why it did not respond to the 
Cisco petition or claim that any of these three conditions are met in 
this case. Accordingly, the SDR Forum's petition for reconsideration is 
procedurally defective and is hereby dismissed. However, the Commission 
recognizes that the issue of open source software in software defined 
radios is of interest to the SDR Forum and other parties. Accordingly, 
the Commission is taking this opportunity to clarify its policies with 
respect to the use of open source software for implementing security 
features in software defined radios.
    7. The Commission's rules require that a software defined radio 
manufacturer take steps to ensure that only software that has been 
approved with a software defined radio can be loaded into the radio. 
The software must not allow the user to operate the transmitter with 
radio frequency parameters other than those that were approved by the 
Commission. The Commission's rules require that the manufacturer have 
reasonable security measures to prevent unauthorized modifications that 
would affect the RF operating parameters or the circumstances under 
which the transmitter operates in accordance with Commission rules. 
Manufacturers may select the methods used to meet these requirements 
and must describe them in their application for equipment 
authorization.
    8. When a party applies for certification of a software defined 
radio, the description of the security methods used in the radio is 
automatically held confidential. The Commission does this because such 
information often is proprietary and also because revelation of the 
security methods, or portions thereof, could possibly assist parties in 
defeating the security features and enable operation of the radio 
outside the Commission's rules. Out of an abundance of caution--because 
operation of a radio outside the Commission's rules could result in 
harmful interference to a wide variety of radio services, including 
safety-of-life services--the Commission holds the entire description of 
the security measures confidential. Therefore, the Commission's staff 
does not have to determine which portions of a software defined radio 
security methods description filed with an application could be made 
publicly available without risk that such disclosure could assist 
parties in defeating the security measures. Further, by automatically 
holding the description confidential, applicants for certification do 
not have to specifically request confidentiality for the description of 
a radio's security mechanisms.
    9. Neither the Commission's rules whereby it maintains the 
confidentiality of a software defined radio's security mechanism nor 
the policy stated in the MO&O prohibit radio manufacturers and software 
developers from sharing information on the design of security methods 
with other manufacturers and developers. Rather, the Commission's 
policy stated only that manufacturers should not make the ``distinctive 
elements'' of security features publicly available, if doing so would 
increase the risk that security measures could be defeated or 
circumvented to allow operation of a radio in a manner that violates 
the rules. The Commission's intent was not to prohibit manufacturers 
from collaborating and sharing information that could allow them to 
develop more robust security features or reduce the cost of 
implementing them. In fact, the Commission would encourage such work by 
industry. The Commission's concern is only with disclosure of those 
particular elements of a security scheme when such disclosure could 
facilitate defeating the security scheme. Thus, manufacturers can make 
whatever information they wish concerning their security methods 
public, provided they can demonstrate the implementation has a means of 
controlling access to the distinctive elements that could allow parties 
to defeat or circumvent the security methods.
    10. The Commission emphasizes that it does not prohibit the use of 
open source software in implementing software defined radio security 
features. The Commission's concern with open source software is that 
disclosure of

[[Page 10441]]

certain elements of a security scheme could assist parties in defeating 
the scheme. As Cisco stated in its petition, licensing agreements may 
require that open source software code be made publicly available. This 
could potentially lead to public disclosure of this information. For 
these reasons, the Commission stated in the MO&O that a system that is 
wholly dependent on open source elements would have a high burden to 
demonstrate that it is sufficiently secure to warrant authorization as 
a software defined radio. However, the Commission's statements in the 
MO&O were not intended to prohibit the use of open source software or 
discourage its use. All applicants seeking to certify a software 
defined radio are held to the same standard, i.e., they must 
demonstrate that the radio contains security features sufficient to 
prevent unauthorized modifications to the radio frequency operating 
parameter. A party applying for certification of a software defined 
radio would need to show that public disclosure of the source code 
would not assist parties in defeating the security scheme, or that 
disclosure of the distinctive elements of the security scheme would not 
assist parties in defeating the security scheme. As the SDR Forum 
notes, security mechanisms can rely on a variety of means to control 
access, such as keys, passwords or biometric data.
    11. Finally, as software defined radio and security technologies 
continue to develop and mature, the Commission may address the rules 
for software defined radios, including their security requirements, in 
future proceedings. The Commission encourages the SDR Forum and other 
interested parties to participate in such proceedings.

Ordering Clauses

    12. The petition for reconsideration filed by the SDR Forum IS 
hereby dismissed. This action is taken pursuant to the authority 
contained in Sections 4(i), 301, 302, 303(e), 303(f), and 303(r) of the 
Communications Act of 1934, as amended, 47 U.S.C. Sections 154(i), 301, 
302, 303(e), 303(f), and 303(r).
    13. It is further ordered that ET Docket No. 03-108 is terminated.

Federal Communications Commission.
Marlene H. Dortch,
Secretary.
[FR Doc. 2010-4855 Filed 3-5-10; 8:45 am]
BILLING CODE 6712-01-P