The Digital Future Requires Making 5G Secure
From smart cities to smart cars, to smart factories, the future will be built on ubiquitous microchips connected by wireless networks. Fifth generation (5G) technology promises to bring the high-speed, low-latency wireless infrastructure necessary for the “smart” era. By some estimates, half of all worldwide data traffic over the next five years will be generated not by people, but by connected computerized devices requiring no human intervention.
Moving from promise to reality, however, will require those connecting networks to be secure. A new Brookings report examines the 5G promise, its cybersecurity challenges, and the policy decisions necessary to achieve the 5G promise. The report concludes that as China and Europe push forward with their 5G efforts, a domestic American emphasis on network security will both speed up 5G adoption and create a differentiated advantage for U.S. companies at home and abroad. Accomplishing such outcomes can be achieved through the implementation of well-known cybersecurity techniques, a program of federal oversight that eschews regulatory micromanagement in favor of a light-but-frequent review of 5G cyber risk mitigation activities, and appropriate government funding.
How We Got Here
Starting about a half-dozen years ago, concern arose that the United States was losing the “5G race”, especially with regard to China’s rapid buildout and adoption. Accompanying this was the worry that China’s Huawei—the world’s largest supplier of network infrastructure—could hide security vulnerabilities in that infrastructure.
Despite U.S. government warnings about such concerns, some domestic wireless network operators—typically small rural companies—installed Huawei equipment. Many of these companies lacked adequate cybersecurity and supply chain risk management capabilities. Nevertheless, these facilities are connected to the national wireless network, thus creating a potential cyber intrusion pathway. Congress ultimately banned Huawei equipment in domestic networks receiving federal support and appropriated billions of dollars to reimburse the companies to rip the equipment out.
In a separate action, Congress appropriated $1.5 billion “to spur movement towards open-architecture, software-based wireless technologies.” Not only would such an investment spur domestic economic growth, but it was also hoped that such efforts would decrease reliance on Huawei. Securing such open-architecture networks and their use of potentially insecure software components, while operating in an inherently insecure world is the challenge of the 5G era (and will continue into subsequent “next G” networks).
The 5G Cyber Paradox
Fifth generation wireless networks are a paradox: As they improve the efficiency and capability of the communications infrastructure to enable a new generation of services, they also introduce new security vulnerabilities that threaten both the networks and those who rely on their connectivity.
The first 5G vulnerability is that network functions once performed by purpose-built hardware are now being virtualized in software that, as has always been the case, is hackable. Building a network on software running over general-purpose computers increases functionality and decreases costs while at the same time introducing new vulnerabilities. Earlier networks ran on proprietary equipment utilizing proprietary software that offered focused protection against attacks. Moving more functions to hackable software that is disaggregated from a purpose-built network appliance has created new pathways to attack 5G networks.
The shift to virtualize many of the network functions previously performed by hardware has broken the chokehold of the traditional suppliers of network equipment. One cybersecurity advantage of this is the creation of alternatives to Chinese hardware. Yet, this too comes with the countervailing paradox that such supplier diversity represents another increase in the number of attack trajectories in the networks.
To facilitate supplier diversity while assuring the interoperability of components from an expanding universe of suppliers, network operators globally have developed the Open Radio Access Network (ORAN) protocol. There is an ORAN working group on network security, yet adoption of its output will be voluntary. As the European Union’s “Report on the Cybersecurity of Open Radio Access Networks” concluded, while there are security benefits to the diversification of suppliers, “by introducing a new approach, new interfaces and new types of RAN components potentially coming from multiple suppliers, Open RAN would exacerbate a number of the security risks of 5G and expand the attack surface.” It’s not that cybersecurity isn’t being worked on, the shortfalls lie “in the seams”, where cyber risk ownership is ill-defined and underprioritized as new market entrants jockey for position based primarily on function, performance and cost.
Lack of Oversight
As these new vulnerabilities manifest, there is little formal oversight of the companies’ implementation of the 5G standard and its ORAN protocols. Not only is there no comprehensive identification and assignment of the risk responsibilities inherent in 5G, but also the networks are free to pick and choose which of the security components they intend to implement.
Securing the network essential for the “smart” era but built using hackable software from a diverse collection of suppliers should not be a voluntary proposition. Nationwide cybersecurity requires a national policy that establishes common expectations for the security and behavior of all 5G networks. That this is a “whole-of-networks” challenge is especially true because of the interconnected interdependence of digital networks where the responsible cyber hygiene of one network can be undone by the less responsible decisions of another network.
Make no mistake about it, 5G wireless networks can usher in a new era of wonderous capabilities that will help consumers, companies, and communities. It can help grow the economy with new exportable products and increased productivity. But failure to assure its security will slow deployment, suppress use case demand signals, impair the ability to protect intellectual property, chill 5G investment, and expose critical infrastructure to increased risk of catastrophic failures.
We Know What to Do
The Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security (DHS) has made solid progress to secure federal systems and collaborate with infrastructure providers. CISA is responsible for overseeing 18 critical infrastructure sectors, of which communications is one. Yet, CISA and DHS lack meaningful enforcement authority to mandate cybersecurity expectations on commercial networks.
The National Institute of Standards and Technology (NIST) of the Department of Commerce has done groundbreaking work to develop multiple cyber-promoting frameworks on Network Security, Secure Software Development, and Cyber Supply Chain Risk Management. These well-conceived frameworks rely on voluntary industry implementation since the Department of Commerce lacks the requisite regulatory authority over telecommunications networks.