Japan KDDI Corporation, KDDI Research, Inc., Fujitsu Limited, NEC Corporation, and Mitsubishi Research Institute, Inc. (MRI) announced that they will embark on a series of trials exploring the introduction of software bill of materials (SBOM), a list of programmes that comprise software, into the communications field, including 5G and LTE network equipment, with the aim of strengthening cybersecurity. The five companies plan to establish a framework to manage this project and start a survey to address different technical and operational issues surrounding the use of SBOM.
The project follows the decision on May 11, 2023 by Japan’s Ministry of Internal Affairs and Communications to commission KDDI to conduct ‘a survey on the introduction of SBOM in the communications field in FY 2023’.
With the increasing sophistication and diversity of functions required in communications systems, the composition of core software in communications systems used by telecommunication operators has changed from a combination of a few software components to a complex combination of many software components, including open source software (OSS). OSS can be used by anyone because the source code of the software is publicly available, and its use cases are expanding because of its rich functionality and flexibility.
On the other hand, changes in the software supply chain have led to the introduction of malicious code into software components, including OSS, and to cyberattacks targeting vulnerabilities.
Similarly, the risk of being attacked is becoming apparent in communication systems. A database that collects and provides vulnerability information on software components in response to attacks is already in operation, but if the configuration of software components in the communication system is not understood, it is difficult to respond when vulnerabilities are identified. As a result, the importance of SBOM, which provides a list of the various parts that make up software, version information, and dependencies between parts, is increasing.
Initiatives of the project
Under this initiative, the companies will use the SBOM to grasp the software supply chain and respond to vulnerabilities. To strengthen cybersecurity in the communications field, the following items will be investigated and discussed.
1. Survey of domestic and overseas trends and study of draft guidelines for the introduction of SBOM in the communications field.
The companies will investigate initiatives and existing guidelines related to SBOM by government agencies and private organisations in Japan and internationally and will consider draft guidelines for utilising SBOM for communications equipment and software components for such equipment.
2. Creation of SBOM for communication equipment and investigation of problems
The companies will create SBOM for some of the facilities actually operated by carriers through this project.
3. Evaluation of accuracy of SBOM for communication equipment
By evaluating the accuracy of the newly created SBOM and organising items specific to the communications field, the participants aim to solve problems for the introduction of SBOM.
Amid the foreseeable changes in the environment surrounding cybersecurity, the five companies will continue to contribute to strengthening cybersecurity to ensure the stable provision of communications services that support the lives of customers.