
cbc-bridge-service — Service Risk Register

Version: 1.0
Status: Draft
Owner: Government / Emergency + Security + SRE + Regulator Liaison
Last Updated: 2026-04-21
References: FAILURE_MODES.md, SECURITY_MODEL.md, ADR-0004

Known service-level risks with owners, mitigations, and residual classification. The risk landscape is dominated by political and regulatory dependencies (MNO MoUs, PKI authority, legal frameworks) rather than pure engineering risks. Likelihood and Impact are each scored 1–5 and multiplied; residual risk must be ≤ Medium for GA.


1. Risk Summary

| ID | Risk | Category | Likelihood | Impact | Pre-mitigation | Residual | Owner |
|---|---|---|---|---|---|---|---|
| CBC-RISK-01 | National-PKI CA not established at launch | Regulatory | 4 | 5 | Critical | Medium | Regulator Liaison + Legal |
| CBC-RISK-02 | MNO CBE endpoints not available or undocumented | Dependency | 4 | 5 | Critical | Medium | MNO Partnerships |
| CBC-RISK-03 | Drill misfires and reaches real subscribers as emergency | Process | 2 | 5 | High | Low | Government / Emergency |
| CBC-RISK-04 | Emergency broadcast bandwidth exceeds MNO CBE capacity | Infra | 2 | 3 | Medium | Low | MNO Partnerships |
| CBC-RISK-05 | Unauthorised broadcast via compromised caller cert | Security | 2 | 5 | High | Low | Security + Legal |
| CBC-RISK-06 | PKI signature bypass via bug in HSM integration | Security | 1 | 5 | High | Low | Security |
| CBC-RISK-07 | Audit chain break loses regulator-defensibility | Correctness | 2 | 5 | High | Low | Government / Emergency |
| CBC-RISK-08 | Cross-region coordination failure during multi-region incident | Operations | 2 | 4 | Medium | Low | SRE |
| CBC-RISK-09 | Translation errors in high-severity broadcast cause panic/misinformation | Correctness | 3 | 5 | High | Medium | Content + Trust & Safety |
| CBC-RISK-10 | Geographic targeting error (broadcast reaches wrong area due to stale cell DB) | Correctness | 2 | 4 | Medium | Low | SRE + MNO Partnerships |
| CBC-RISK-11 | Monthly drill cadence missed → regulator escalation | Process | 2 | 2 | Low | Low | Government / Emergency |
| CBC-RISK-12 | Replay-attack window exploitation | Adversarial | 2 | 4 | Medium | Low | Security |
| CBC-RISK-13 | MNO CBE vendor protocol change breaks adapter | Dependency | 3 | 3 | Medium | Medium | SRE + MNO Partnerships |
| CBC-RISK-14 | HSM unavailability during real emergency | Availability | 2 | 5 | High | Medium | SRE + Security |
| CBC-RISK-15 | Political change in national-PKI authority | Regulatory | 2 | 4 | Medium | Medium | Regulator Liaison |
| CBC-RISK-16 | Legal liability for cross-border cell-broadcast (e.g., near-border MNO cell reaches foreign subscribers) | Legal | 2 | 3 | Medium | Low | Legal |
| CBC-RISK-17 | False-authenticity: citizens lose trust after seeing drill-mistaken-for-emergency or vice-versa | Reputation | 2 | 4 | Medium | Low | Government / Emergency + PR |

2. Risk Details

CBC-RISK-01 — National-PKI CA not established

Scenario. Afghanistan has no formally recognised National PKI Certification Authority at platform launch. Government clients use ad hoc self-issued certs.

Impact. No cryptographic basis for "authorised government caller". Verification becomes subject-name-match only, which is forgeable.

Mitigation.

  1. Phased rollout (Phase 0 engagement with Legal + regulator).
  2. Interim model: Ghasi operates a Government Trust Anchor whose issuance is dual-controlled by Government Liaison + CISO. Each caller cert signed by this anchor.
  3. Migrate to the formal National PKI when available; the AuthorisedCaller table retains the issuer chain, so migration is a rebind rather than a reissue.
  4. Legal MoU with each government agency defines cert issuance procedure + revocation.

Residual risk. Medium — the interim Government Trust Anchor is defensible but not ideal.


CBC-RISK-02 — MNO CBE endpoints not available

Scenario. Not all Afghan MNOs expose standard 3GPP CBE interfaces; some use vendor-proprietary protocols with non-public documentation.

Impact. Without MNO CBE integration, there's no service.

Mitigation.

  1. Per-MNO MoU (Phase 0) documents protocol + endpoint + credentials + SLAs.
  2. Adapter abstraction supports proprietary protocols (Ericsson + Huawei adapters shipped).
  3. Fallback: high-throughput SMS A2P as interim emergency channel (NOT a CBC substitute, but covers emergency messaging when CBC is unavailable) — designed into channel-router-service.
  4. Continuous MNO engagement; onboarding playbook per new MNO.

Residual risk. Medium — dependent on MNO cooperation.


CBC-RISK-03 — Drill misfires as real emergency

Scenario. A bug in the drill scheduler submits a drill with real severity, or an admin mis-clicks and submits a drill as a P0 emergency.

Impact. Real emergency alarm reaches millions of subscribers for a drill — panic, liability.

Mitigation.

  1. Drill uses a CBS test-range Message Identifier (4370..4379 test slot), distinct from the emergency MIs (standard 4370/4371/4372); handsets display a drill banner.
  2. Drill broadcasts include localised "DRILL — NO ACTION REQUIRED" prefix in every language.
  3. is_drill=true is enforced at the domain layer — CBS encoder refuses to encode a drill without the test MI.
  4. Drill scheduling requires platform-admin role (not caller-initiated).
  5. Public test channel (EP-CBC-04 US-CBC-017) pre-announces drill schedule.

Residual risk. Low.


CBC-RISK-04 — MNO CBE capacity exceeded

Scenario. During a national emergency (earthquake + multiple simultaneous civil-defence broadcasts), MNO CBE queues overflow.

Impact. Delayed delivery.

Mitigation.

  1. Per-MNO CBE capacity documented in MoU.
  2. Platform rate-limits broadcast-submissions per severity; P1/P2 throttled if P0 active.
  3. Retry logic: queue excess broadcasts for sequential dispatch.
  4. MNO NOC coordination runbook.

Residual risk. Low.


CBC-RISK-05 — Compromised caller cert

Scenario. Government-client machine compromised; attacker uses legitimate caller cert to send unauthorised broadcast.

Impact. False emergency reaches subscribers.

Mitigation.

  1. Cert revocation via CRL + OCSP; revoked certs rejected within 4 h (CRL cache) or immediately (OCSP-stapled).
  2. Dual-control for cancellation of in-flight unauthorised broadcasts.
  3. Anomaly detection: unusual broadcast from a caller triggers manual review before dispatch.
  4. Cert rotation every 90 d; long-lived certs not allowed.
  5. HSM-held private key on government-client side (mandated in cert-issuance procedure).
  6. SIEM monitoring of caller activity patterns.

Residual risk. Low.


CBC-RISK-06 — PKI bypass via HSM bug

Scenario. Integration bug in @ghasi/hsm-client allows signature verification to return TRUE without actual HSM call.

Impact. Unauthenticated broadcasts accepted.

Mitigation.

  1. Extensive PKI-bypass adversarial corpus in CI (500+ crafted attacks).
  2. Two-implementation cross-check: alongside the HSM, a defence-in-depth second verifier (Node in-process OpenSSL) independently verifies the signature and the two results are compared; any divergence blocks dispatch.
  3. HSM call-level audit (every verify logged with session ID).
  4. Quarterly security review of HSM integration code.
  5. Pen test before GA.

Residual risk. Low.


CBC-RISK-07 — Audit chain break

Scenario. Bug or tamper corrupts the hash chain.

Impact. Regulator-defensibility lost for affected period.

Mitigation.

  1. Daily verifier + tamper-detection drill.
  2. Canonical JSON (RFC 8785 JCS) eliminates serialisation ambiguity.
  3. Two independent implementations cross-check.
  4. Postgres trigger rejects UPDATE/DELETE on cbc.audit.

Residual risk. Low.


CBC-RISK-08 — Cross-region coordination failure

Scenario. kbl ↔ mzr network partition during emergency; both regions attempt to dispatch same broadcast → duplicate.

Impact. Subscriber receives duplicate emergency; possible confusion.

Mitigation.

  1. Broadcasts are region-pinned (accepted only in the region where first received).
  2. Correlation-ID dedup across regions (cached in Redis within each region with cross-region reconciliation).
  3. MNO CBE adapters deduplicate by Serial Number (per 3GPP TS 23.041).
  4. Post-partition reconciliation cron.

Residual risk. Low.


CBC-RISK-09 — Translation errors cause panic

Scenario. Pashto / Dari / Arabic translation of a P0 emergency broadcast is mistranslated (e.g., "evacuate" rendered as "remain").

Impact. Loss of life.

Mitigation.

  1. Pre-approved template library (per EP-CE-13) — emergency broadcasts use templates only.
  2. Translation review by native speakers (Trust & Safety + Content team) for every template.
  3. Emergency-broadcast templates reviewed quarterly and re-attested by NDMA.
  4. Broadcast submission requires translator attestation ID.
  5. Real-time render preview to government-client before submission.
  6. Post-broadcast review with NDMA to detect miscommunication.

Residual risk. Medium — natural-language translation will have irreducible risk; mitigation reduces but doesn't eliminate.


CBC-RISK-10 — Geographic targeting error

Scenario. Cell-database stale or incomplete; polygon targeting misses intended area or reaches unintended area.

Impact. Wrong subscribers receive alert; correct subscribers miss.

Mitigation.

  1. Weekly cell-DB refresh per MNO.
  2. Cell-DB coverage report + alert when < 95% of national area covered per MNO.
  3. Named-region (province/district) targeting is less error-prone than polygon targeting and is preferred for government clients.
  4. Pre-dispatch preview returns the resolved cell count and coverage; the government client confirms before dispatch proceeds.
  5. Cross-check polygon resolution against multiple MNO cell DBs.

Residual risk. Low.


CBC-RISK-11 — Drill cadence missed

Scenario. Scheduler pod crashes over a month-end weekend.

Impact. Regulator escalation; minor reputation.

Mitigation.

  1. Scheduler pod has health probe + automatic restart.
  2. CbcDrillOverdue alert fires at +7 d past cadence.
  3. Manual drill trigger available to platform admin.
  4. Quarterly audit of drill history.

Residual risk. Low.


CBC-RISK-12 — Replay attack

Scenario. Attacker captures a legitimate broadcast request and replays it hours later.

Impact. Duplicate broadcast.

Mitigation.

  1. Signature timestamp window (5 min).
  2. Per-cert nonce cache (Redis, TTL 10 min).
  3. Correlation-ID uniqueness enforced.

Residual risk. Low.


CBC-RISK-13 — MNO CBE vendor protocol change

Scenario. MNO upgrades CBE; protocol breaks existing adapter.

Impact. That MNO receives no broadcasts until adapter updated.

Mitigation.

  1. Adapter abstraction → new adapter deployed without full-service redeploy.
  2. MNO 30-d advance notice of protocol changes (in MoU).
  3. Standard3gppCbeAdapter as fallback where the MNO also supports standard.
  4. Continuous-integration against MNO staging endpoints (weekly smoke).

Residual risk. Medium — MNO notice reliability is variable.


CBC-RISK-14 — HSM unavailability during emergency

Scenario. HSM cluster outage coincides with real emergency.

Impact. New broadcasts blocked; existing in-flight complete.

Mitigation.

  1. HSM HA + regional quorum (ADR-0004 §11).
  2. Emergency manual-dispatch runbook (CISO + CTO + Government Liaison dual-control) — out-of-band to MNO NOCs.
  3. Fallback emergency channel via channel-router-service high-throughput SMS (not cell-broadcast, but reaches subscribers).
  4. HSM fail-over tested quarterly in GameDay.

Residual risk. Medium — low probability × very high impact; accepted with prominent mitigation.


CBC-RISK-15 — Political change in national-PKI authority

Scenario. The Afghan government reorganises the agency responsible for PKI; the new issuer doesn't honour existing certs.

Impact. All caller certs invalidated; service offline.

Mitigation.

  1. Trust anchor migration runbook — add new root CA while retaining old for transition period.
  2. Ghasi Government Trust Anchor remains as the stable intermediate layer (per CBC-RISK-01 mitigation).
  3. Regulator Liaison tracks upstream political risk quarterly.

Residual risk. Medium.


CBC-RISK-16 — Cross-border cell-broadcast

Scenario. MNO cell on border reaches foreign subscribers. Cross-border broadcast could trigger diplomatic issue.

Impact. Reputation / diplomatic.

Mitigation.

  1. Polygon validation rejects targets beyond national boundary + 10 km buffer.
  2. Border cells flagged in cbc.mno_cell_database; broadcasts honour national-scope restriction.
  3. Legal briefing with foreign affairs Ministry.

Residual risk. Low.


CBC-RISK-17 — False-authenticity erodes public trust

Scenario. Citizens experience drills that are not clearly labelled, or emergency broadcasts without an apparent official source. Trust in the system erodes.

Impact. Reduced effectiveness of future emergency broadcasts.

Mitigation.

  1. Drill labelling is mandatory + enforced at domain level.
  2. Every broadcast includes official issuer in body (e.g., "— NDMA" suffix).
  3. Public awareness campaign before Phase 2 (MedComms + PR).
  4. Public test channel exposes drill history for citizen verification.
  5. Annual citizen-survey on trust level.

Residual risk. Low.


3. Residual-Risk Summary

| Residual | Count | Acceptance |
|---|---|---|
| Low | 11 | Accepted for GA |
| Medium | 6 | Accepted with mitigation commitments and named owners |
| High | 0 | |

4. Risk Review Cadence

  • Weekly during development (Platform Architecture).
  • Monthly post-GA (Government / Emergency + SRE + Security).
  • Quarterly (Regulator Liaison + Legal + CTO + CISO) — includes political-risk review (CBC-RISK-01, CBC-RISK-15).
  • Annual (CEO-chaired) — regulator / MNO partnership posture.