From smart cities to smart cars, to smart factories, the future will be built on ubiquitous microchips connected by wireless networks. Fifth generation (5G) technology promises to bring the high-speed, low-latency wireless infrastructure necessary for the “smart” era. By some estimates, half of all worldwide data traffic over the next five years will be generated not by people, but by connected computerized devices requiring no human intervention.
Moving from promise to reality, however, will require those connecting networks to be secure. A new Brookings report examines the 5G promise, its cybersecurity challenges, and the policy decisions necessary to achieve the 5G promise. The report concludes that as China and Europe push forward with their 5G efforts, a domestic American emphasis on network security will both speed up 5G adoption and create a differentiated advantage for U.S. companies at home and abroad. Accomplishing such outcomes can be achieved through the implementation of well-known cybersecurity techniques, a program of federal oversight that eschews regulatory micromanagement in favor of a light-but-frequent review of 5G cyber risk mitigation activities, and appropriate government funding.
How We Got Here
Starting about a half-dozen years ago, concern arose that the United States was losing the “5G race”, especially with regard to China’s rapid buildout and adoption. Accompanying this was the worry that China’s Huawei—the world’s largest supplier of network infrastructure—could hide security vulnerabilities in that infrastructure.
Despite U.S. government warnings about such concerns, some domestic wireless network operators—typically small rural companies—installed Huawei equipment. Many of these companies lacked adequate cybersecurity and supply chain risk management capabilities. Nevertheless, these facilities are connected to the national wireless network, thus creating a potential cyber intrusion pathway. Congress ultimately banned Huawei equipment in domestic networks receiving federal support and appropriated billions of dollars to reimburse the companies to rip the equipment out.
In a separate action, Congress appropriated $1.5 billion “to spur movement towards open-architecture, software-based wireless technologies.” Not only would such an investment spur domestic economic growth, but it was also hoped that such efforts would decrease reliance on Huawei. Securing such open-architecture networks and their use of potentially insecure software components, while operating in an inherently insecure world is the challenge of the 5G era (and will continue into subsequent “next G” networks).
The 5G Cyber Paradox
Fifth generation wireless networks are a paradox: As they improve the efficiency and capability of the communications infrastructure to enable a new generation of services, they also introduce new security vulnerabilities that threaten both the networks and those who rely on their connectivity.
“Earlier networks ran on proprietary equipment utilizing proprietary software that offered focused protection against attacks. Moving more functions to hackable software that is disaggregated from a purpose-built network appliance has created new pathways to attack 5G networks.”
The first 5G vulnerability is that network functions once performed by purpose-built hardware are now being virtualized in software that, as has always been the case, is hackable. Building a network on software running over general-purpose computers increases functionality and decreases costs while at the same time introducing new vulnerabilities. Earlier networks ran on proprietary equipment utilizing proprietary software that offered focused protection against attacks. Moving more functions to hackable software that is disaggregated from a purpose-built network appliance has created new pathways to attack 5G networks.
The shift to virtualize many of the network functions previously performed by hardware has broken the chokehold of the traditional suppliers of network equipment. One cybersecurity advantage of this is the creation of alternatives to Chinese hardware. Yet, this too comes with the countervailing paradox that such supplier diversity represents another increase in the number of attack trajectories in the networks.
To facilitate supplier diversity while assuring the interoperability of components from an expanding universe of suppliers, network operators globally have developed the Open Radio Access Network (ORAN) protocol. There is an ORAN working group on network security, yet adoption of its output will be voluntary. As the European Union’s “Report on the Cybersecurity of Open Radio Access Networks” concluded, while there are security benefits to the diversification of suppliers, “by introducing a new approach, new interfaces and new types of RAN components potentially coming from multiple suppliers, Open RAN would exacerbate a number of the security risks of 5G and expand the attack surface.” It’s not that cybersecurity isn’t being worked on, the shortfalls lie “in the seams”, where cyber risk ownership is ill-defined and underprioritized as new market entrants jockey for position based primarily on function, performance and cost.
Lack of Oversight
As these new vulnerabilities manifest, there is little formal oversight of the companies’ implementation of the 5G standard and its ORAN protocols. Not only is there no comprehensive identification and assignment of the risk responsibilities inherent in 5G, but also the networks are free to pick and choose which of the security components they intend to implement.
Securing the network essential for the “smart” era but built using hackable software from a diverse collection of suppliers should not be a voluntary proposition. Nationwide cybersecurity requires a national policy that establishes common expectations for the security and behavior of all 5G networks. That this is a “whole-of-networks” challenge is especially true because of the interconnected interdependence of digital networks where the responsible cyber hygiene of one network can be undone by the less responsible decisions of another network.
Make no mistake about it, 5G wireless networks can usher in a new era of wonderous capabilities that will help consumers, companies, and communities. It can help grow the economy with new exportable products and increased productivity. But failure to assure its security will slow deployment, suppress use case demand signals, impair the ability to protect intellectual property, chill 5G investment, and expose critical infrastructure to increased risk of catastrophic failures.
We Know What to Do
The Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security (DHS) has made solid progress to secure federal systems and collaborate with infrastructure providers. CISA is responsible for overseeing 18 critical infrastructure sectors, of which communications is one. Yet, CISA and DHS lack meaningful enforcement authority to mandate cybersecurity expectations on commercial networks.
The National Institute of Standards and Technology (NIST) of the Department of Commerce has done groundbreaking work to develop multiple cyber-promoting frameworks on Network Security, Secure Software Development, and Cyber Supply Chain Risk Management. These well-conceived frameworks rely on voluntary industry implementation since the Department of Commerce lacks the requisite regulatory authority over telecommunications networks.
The efforts of CISA and NIST to address cyber risk illustrate that cyber professionals know what to do. The challenge lies more in the governance of cyber risk: who decides, who pays, and who implements the policy? Cybersecurity for 5G networks starts as a management challenge. Technology plays an important role, but management practices and decisions create the first line of defense. This calls for prioritized implementation of known standards and the establishment of enduring mechanisms to secure operations with continuous stakeholder cybersecurity engagement.
Acting alone, neither government nor individual private companies can meet the cyber management challenges of 5G networks. Traditional governmental processes are too slow and tend to produce rigid regulations that are antithetical to the rapidly evolving and agile reality of digital innovation. Networks and their suppliers, on the other hand, are saddled with the need to produce financial results in a world where the return on corporate cyber investment is relatively low and often not visible. As a result, there is no focused, proactive, agile, and enforced exercise of regulatory authority over the security practices of commercial digital networks, not the least of which are the expanded vulnerabilities of new 5G functions and the emergent ORAN multi-supplier approach.
The multiple NIST frameworks provide the generic roadmap for what needs to be done to protect 5G network security. The challenge becomes how to incent active multi-stakeholder security responsibility and implement the frameworks apart from the traditional sclerotic and rigid regulatory process.
A Plan for Agile Regulatory Oversight
The establishment and enforcement of uniform expectations for 5G cybersecurity is a process in two parts. It begins with a policy declaration that cybersecurity must be a required forethought in the design, implementation, and operation of 5G networks, not a voluntary afterthought. The second part is the establishment of a private/public supervised process to develop agile and enforceable security expectations to address cyber risk areas for which market incentives are not aligned with required risk reduction investments.
The command-and-control regulatory model previously applied to telecommunications networks is ill-suited—in fact, is counter-productive—to the fast-paced cyber challenge of the internet era. In its place, government should implement a public/private multistakeholder process for the establishment of cyber standards to be executed by the companies and enforced by the government.
The methodology for establishing such cyber standards should mimic the development of the industry’s technical standards process. The evolution from 1G to 5G, and now the ongoing development of 6G, demonstrates a successful process that constantly adapts to new threats and technological realities.
Under such a standard-setting process the regulator would identify an issue and convene an industry/public body to develop a standardized approach to mitigate the problem. The remediation process would begin with the appropriate agency producing its own detailed report on the issues, identification of any missing market incentives to address the issues, and development of affirmative remedies. Those findings would be put before a multistakeholder group of industry, government, and civil society representatives with a set time for recommending a behavioral standard. The agency would review, accept, or modify the proposal and once accepted, be responsible for its enforcement. This approach should address the near-term cyber risk problems, while also addressing market incentive gaps, returning, wherever possible, risk ownership to the companies involved once self-sustaining industry mechanisms emerge.
Cyber accountability requires not only appropriate regulatory oversight but also financial support for the universal implementation of agreed to standards. Because 5G cybersecurity is a whole-of-networks problem, it presents a classic market commons challenge where everyone benefits from reduced cyber risk, but no one company alone can address the end-to-end challenge. The Internet has become an expected universal service in the United States, and cyber risk management must be a whole-of-the-nation responsibility whose implementation deserves the same commitment the government has had for decades supporting the deployment of telephone and internet service in high unit-cost rural areas.
5G Must Be Secure
Private industry has done an amazing job developing new wireless networks that bring to market new technological capabilities. Now private industry is engaged in investing tens of billions of dollars to build 5G networks.
It has always been that it was not the network per se that was transformational, but what that network enabled. Fifth generation networks will be a key enabler for the role that machine-to-machine interaction and artificial intelligence (AI) will play in our smart economy. Wireless networks will be the workhorse to connect machines to each other and databases to AI. Investment in smart cities, smart business verticals, and smart consumer services, along with AI will be highly correlated with our trust in the networks that deliver the data essential to the processes.
It is the networks that are essential. The digital future will be built on 5G networks. Those pathways must be secure.
We know what is necessary to secure the networks. We know network security must be prioritized. We must demand that every network is expected to meet enforceable security minimums and for public support of those efforts.
We must focus on outcomes and work continuously to create market-based mechanisms to maximize security while minimizing rigid federal cybersecurity technical interventions.
5G is smart, now let’s make it secure.