Bold ideas about the world’s energy needs.
|
5G Requires New Approaches to Cybersecurity
by Tom Wheeler and David Simpson
The race to 5G is on and America must win,” President Donald Trump said in April, 2019. For political purposes, that “race” has been defined as which nation gets 5G built first. It is the wrong measurement. We must “fire first effectively” in our deployment of 5G. Borrowing on a philosophy Admiral Arleigh Burke coined in World War II: Speed is important, but speed without a good targeting solution can be disastrous.
5G will be a physical overhaul of our essential networks that will have decades-long impact. Because 5G is the conversion to a mostly all-software network, future upgrades will be software updates much like the current upgrades to your smartphone. Because of the cyber vulnerabilities of software, the tougher part of the real 5G “race” is to retool how we secure the most important network of the 21st century and the ecosystem of devices and applications that sprout from that network.
Never have the essential networks and services that define our lives, our economy, and our national security had so many participants, each reliant on the other—and none of which have the final responsibility for cybersecurity. The adage “what’s everybody’s business is nobody’s business” has never been more appropriate—and dangerous—than in the quest for 5G cybersecurity.
5G will be a physical overhaul of our essential networks that will have decades-long impact. Because 5G is the conversion to a mostly all-software network, future upgrades will be software updates much like the current upgrades to your smartphone. Because of the cyber vulnerabilities of software, the tougher part of the real 5G “race” is to retool how we secure the most important network of the 21st century and the ecosystem of devices and applications that sprout from that network.
Never have the essential networks and services that define our lives, our economy, and our national security had so many participants, each reliant on the other—and none of which have the final responsibility for cybersecurity. The adage “what’s everybody’s business is nobody’s business” has never been more appropriate—and dangerous—than in the quest for 5G cybersecurity.
|
The new capabilities made possible by new applications riding 5G networks hold tremendous promise. As we pursue the connected future, however, we must place equivalent—if not greater—focus on the security of those connections, devices, and applications. To build 5G on top of a weak cybersecurity foundation is to build on sand. This is not just a matter of the safety of network users, it is a matter of national security.
|
“As we pursue the connected future, however, we must place equivalent—if not greater—focus on the security of those connections, devices, and applications.”
|
HYPERFOCUS ON HUAWEI
Effective progress toward achieving minimally satisfactory 5G cyber risk outcomes is compromised by a hyperfocus on legitimate concerns regarding Huawei equipment in U.S. networks. While the Trump administration has continued an Obama-era priority of keeping Huawei and ZTE out of domestic networks, it is only one of the many important 5G risk factors. The hyperbolic rhetoric surrounding the Chinese equipment issues is drowning out what should be a strong national focus on the full breadth of cybersecurity risk factors facing 5G.
|
However, it is time to move beyond the Huawei infrastructure issue to review some of the issues that the furor over Huawei has masked. Policy leaders should be conducting a more balanced risk assessment, with a broader focus on vulnerabilities, threat probabilities, and impact drivers of the cyber risk equation. This should be followed by an honest evaluation of the oversight necessary to assure that the promise of 5G is not overcome by cyber vulnerabilities, which result from hasty deployments that fail to sufficiently invest in cyber risk mitigation.
|
“None of this suggests that we suspend the march to the benefits of 5G. It does, however, suggest that our status quo approach to 5G should be challenged.” |
Such a review of 5G cyber threat mitigation should focus on the responsibilities of both 5G businesses and government. This should include a review of whether current market-based measures and motivations can address 5G cyber risk factors and where they fall short, the proper role of targeted government intervention in an era of rapid technological change. The time to address these issues is now, before we become dependent on insecure 5G services with no plan for how we sustain cyber readiness for the larger 5G ecosystem.
5G EXPANDS CYBER RISKS
There are five ways in which 5G networks are more vulnerable to cyberattacks than their predecessors:
Fifth-generation networks thus create a greatly expanded, multidimensional cyberattack vulnerability. It is this redefined nature of networks—a new network “ecosystem of ecosystems”—that requires a similarly redefined cyber strategy. The network, device, and applications companies are aware of the vulnerabilities and many are making, no doubt, what they feel are good faith efforts to resolve the issues. The purpose of this paper is to propose a basic set of steps toward cyber sufficiency. It is our assertion that “what got us here won’t get us there.”
5G EXPANDS CYBER RISKS
There are five ways in which 5G networks are more vulnerable to cyberattacks than their predecessors:
- The network has moved away from centralized, hardware-based switching to distributed, software-defined digital routing. Previous networks were hub-and-spoke designs in which everything came to hardware choke points where cyber hygiene could be practiced. In the 5G software defined network, however, that activity is pushed outward to a web of digital routers throughout the network, thus denying the potential for chokepoint inspection and control.
- 5G further complicates its cyber vulnerability by virtualizing in software higher-level network functions formerly performed by physical appliances. These activities are based on the common language of Internet Protocol and well-known operating systems. Whether used by nation-states or criminal actors, these standardized building block protocols and systems have proven to be valuable tools for those seeking to do ill.
- Even if it were possible to lock down the software vulnerabilities within the network, the network is also being managed by software—often early generation artificial intelligence—that itself can be vulnerable. An attacker that gains control of the software managing the networks can also control the network.
- The dramatic expansion of bandwidth that makes 5G possible creates additional avenues of attack. Physically, low-cost, short range, small-cell antennas deployed throughout urban areas become new hard targets. Functionally, these cell sites will use 5G’s Dynamic Spectrum Sharing capability in which multiple streams of information share the bandwidth in so-called “slices”—each slice with its own varying degree of cyber risk. When software allows the functions of the network to shift dynamically, cyber protection must also be dynamic rather than relying on a uniform lowest common denominator solution.
- Finally, of course, is the vulnerability created by attaching tens of billions of hackable smart devices (actually, little computers) to the network colloquially referred to as IoT. Plans are underway for a diverse and seemingly inexhaustible list of IoT-enabled activities, ranging from public safety things, to battlefield things, to medical things, to transportation things—all of which are both wonderful and uniquely vulnerable. In July, for instance, Microsoft reported that Russian hackers had penetrated run-of-the-mill IoT devices to gain access to networks. From there, hackers discovered further insecure IoT devices into which they could plant exploitation software.
Fifth-generation networks thus create a greatly expanded, multidimensional cyberattack vulnerability. It is this redefined nature of networks—a new network “ecosystem of ecosystems”—that requires a similarly redefined cyber strategy. The network, device, and applications companies are aware of the vulnerabilities and many are making, no doubt, what they feel are good faith efforts to resolve the issues. The purpose of this paper is to propose a basic set of steps toward cyber sufficiency. It is our assertion that “what got us here won’t get us there.”
