(Graphic illustration by Nelson James/502nd Air Base Wing Public Affairs)

5G Is Here: Get Ready for the Cybersecurity Battles of Tomorrow


The worldwide rollout of 5G will create innumerable benefits for the enterprise business community and the U.S. economy. Advanced 5G and wireless networks will bring a wide range of benefits, including higher traffic capacities, lower latency, and increased reliability. They will empower millions through broadband connectivity. They will impact commercial verticals such as retail, health, and finance by enabling processing and analytics in real time. In essence, 5G will function as a data superhighway.

Although 5G is in the initial stages of deployment, connectivity is already exponentially expanding. The industry trade group 5G Americas cited an Omdia report that counted more than 17.7 million 5G connections at the end of last year, including a 329 percent surge during the final three months of 2019. Omdia is also predicting 91 million 5G connections by the end of 2020. (1)

The 5G ecosystem is gathering a wide range of investments and it will have financial implications. A GSMA industry report (GSMA represents the interests of mobile operators worldwide, uniting more than 750 operators with almost 400 companies in the broader mobile ecosystem) predicts 5G technology will add $2.2 trillion to the global economy over the next 15 years. And operators are expected to spend more than $1 trillion on mobile capex between 2020 and 2025, with 80 percent of that spend directed at their 5G networks. (2)

Security and 5G

5G speed, performance, capacity, and connectivity will necessitate better security. As with any new technology, 5G is not without its security concerns. Many of these issues have been out front in security discussions due to our highly charged political environment regarding 5G’s supply chain roots and controls emanating from China. But there are also significant risks from an increased attack surface that 5G will foster.

A Brookings Institution report, “Why 5G Requires New Approaches to Cybersecurity,” written by former FCC Chairman Tom Wheeler and Rear Adm. David Simpson (ret), former chief of the FCC’s Public Safety and Homeland Security Bureau, outlines five clear security challenges of 5G. They note that:

  1. “The network has moved away from centralized, hardware-based switching to distributed, software-defined digital routing. Previous networks were hub-and-spoke designs in which everything came to hardware choke points where cyber hygiene could be practiced. In the 5G software defined network, however, that activity is pushed outward to a web of digital routers throughout the network, thus denying the potential for chokepoint inspection and control.
  2. 5G further complicates its cyber vulnerability by virtualizing in software higher-level network functions formerly performed by physical appliances. These activities are based on the common language of Internet Protocol and well-known operating systems. Whether used by nation-states or criminal actors, these standardized building block protocols and systems have proven to be valuable tools for those seeking to do ill.
  3. Even if it were possible to lock down the software vulnerabilities within the network, the network is also being managed by software—often early generation artificial intelligence—that itself can be vulnerable. An attacker that gains control of the software managing the networks can also control the network.
  4. The dramatic expansion of bandwidth that makes 5G viable creates additional avenues of attack. Physically, low-cost, short range, small-cell antennas deployed throughout urban areas become new hard targets. Functionally, these cell sites will use 5G’s Dynamic Spectrum Sharing capability in which multiple streams of information share the bandwidth in so-called “slices”—each slice with its own varying degree of cyber risk. When software allows the functions of the network to shift dynamically, cyber protection must also be dynamic rather than relying on a uniform lowest common denominator solution.
  5. Finally, of course, is the vulnerability created by attaching tens of billions of hackable smart devices (actually, little computers) to the network colloquially referred to as IoT. Plans are underway for a diverse and seemingly inexhaustible list of IoT-enabled activities, ranging from public safety things, to battlefield things, to medical things, to transportation things—all of which are both wonderful and uniquely vulnerable.” (3)

Security requirements to mitigate threats are being prioritized by both the public and private sectors. In government, 5G communications technology has been recognized as a foundational enabler for all U.S. defense modernization programs. The Department of Defense (DOD) is engaged at the forefront of cutting-edge 5G testing and experimentation. DOD is committed via new research and development budgets and programs to exploring a wide range of potential applications and dual-use opportunities that can be built upon 5G next-gen networks. Recently DOD selected five locations and $600 million in awards for 5G testing that represents the largest global full-scale 5G test for dual-use applications. (4)

On the civilian side of the federal government, the Department of Homeland Security (DHS) and the nation’s risk advisor, CISA, have determined that 5G implementation will introduce vulnerabilities. A summary of their findings in critical areas includes:

  • Supply Chain: Risks of malicious software and hardware, counterfeit components, and poor designs, manufacturing processes, and maintenance procedures.
  • Deployment: Improperly deployed, configured, or managed 5G equipment and networks may be vulnerable to disruption and manipulation.
  • Network Security: Legacy vulnerabilities, such as Distributed Denial of Service attacks and SS7/Diameter challenges.
  • Competition and Choice: Lack of interoperability with other technologies and services limits the ability of trusted ICT companies to compete in the 5G market. (5)

Cybersecurity Measures: Preparing for 5G

Because of myriad technological and policy challenges, it is critical that enterprises create a sense of urgency to prepare for the implementation and assimilation of 5G technologies. There are some things that enterprises should concentrate on to help deal with these security concerns. Yes, many of the items below are “old friends,” but they are still needed in light of the security challenges that 5G potentially creates:

Action Items:

1) Monitor your external supply chain to check what your providers are doing to keep secure – supply chain risk management was the focus of NIST cybersecurity framework 1.1. It should still be a concern today given 5G as many businesses are going to be sending huge amounts of data to cloud service providers, co-location centers, and other third parties via wireless transmissions. What are these providers doing as far as data security? What standards do they adhere to? What standards should they be adhering to given business needs (like HIPAA or SEC OCIE standards)? Much depends upon the strength of your own supply chain risk management program. Some companies can evaluate the cybersecurity of other entities on a regular and somewhat comprehensive basis. Others have less ability and fewer resources to do so. Here it is suggested that companies demand SOC 2 Type 2 reports that “define criteria for managing customer data based on five ‘trust service principles’ – security, availability, processing integrity, confidentiality and privacy.” (6)

2) Know what is on your network — time to clean up your network and your data. Given that 5G does not erase traditional security concerns, it is time to make sure all OS and other cybersecurity solutions are updated and patched regularly to make sure as many security holes as possible get closed. This includes not only network devices, but laptops and other personal, smart devices like iPads and iPhones. Know where on your network your most critical data is. Protect it like it was sitting in Fort Knox.

3) Data in, data out? 5G will move a lot of data, faster than ever before. An attacker could do that just as easily as your company. Figure out first: (a) where your data is going on a regular basis (i.e. the cloud), so that when you are reviewing your logs you understand “normal activity” in terms of both location and amounts, and then (b) where your data should NOT be going (i.e. China or Russia), and what amounts of data in transit are usual or not usual, to better understand potential data exfiltration issues. Accurate and timely log review will continue to be critical in a 5G environment.

4) Make sure your endpoints are updated, patched and monitored. In today’s pandemic/COVID-19-filled world, the endpoint has taken on an increased focus as more and more people continue to remotely work from home. People are using all sorts of devices to connect, and more and more are coming to the market each week. Obviously, this creates thousands or more endpoints (if not millions more) than we ever had before. What is your company doing to monitor your employee when he or she logs in from home? Is that employee using his home internet, a VPN or wireless services? There are lots of questions here that need to be answered. But if “data is the new cash” your endpoint could be the attacker’s cash register.

5) Encrypt or tokenize all data transmitted wirelessly. Many telecoms will be pursuing encryption of the data that you push to them or through them. 5G also includes anti-tracking and anti-spoofing features that make it harder for bad actors on a network to track and manipulate individual device connections. To do this, 5G encrypts more data, so less is flying around in the clear for anyone to intercept. 5G is also a much more software- and cloud-based system than previous wireless networks, which will allow for better monitoring to spot potential threats. (7)

One of the missing links here: Why not encrypt or tokenize all data in transit before it hits the wireless tower? We should be doing this anyway but the encryption discussion in the U.S. has taken several left turns even though more and more individuals and businesses are using encryption to secure their data.

6) You have heard it before: Pay attention to the basics. You have heard it from groups like The CyberAvengers: the foundation of good cybersecurity is paying attention to the basics, both at the employee level (through a solid and regular training program) and at the enterprise level. (See Back to Basics: Creating a Culture of Cybersecurity at Work.) Make sure your basic cybersecurity policies and procedures, e.g. your incident response, business continuity and crisis management policies, along with your privacy policy and your updating/patching policies, are fully up to date and recently reviewed. 5G does not mean you will not be breached; 5G does not mean you will not be hacked. An effective and practiced incident response plan is your best defense.

Finally, you have also read it here before that with an increased amount of internet traffic, and now with the increased speed of 5G, it is important to consider whether you have sufficient personnel or bandwidth to detect anomalous behavior on your network. It might be time to consider some sort of machine learning solution to both check and affirm an employee’s access to the network (e.g. identity and access management), and to automatically monitor anomalous network behavior.
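The log review described in action item 3 can be started without any machine learning: record where each host normally sends data and how much, then flag destinations never seen before and volumes far above the usual. The following is an added example, not part of the original article; the log format, host and destination names, and the 3x-median threshold are all assumptions made for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample flow records: day, internal host, destination, bytes sent out.
BASELINE_LOG = """\
2020-11-02 fs01 backup.cloud.example 5200000000
2020-11-03 fs01 backup.cloud.example 4900000000
2020-11-04 fs01 backup.cloud.example 5100000000
2020-11-05 fs01 backup.cloud.example 5300000000
2020-11-02 hr-laptop7 saas.payroll.example 12000000
2020-11-03 hr-laptop7 saas.payroll.example 15000000
2020-11-04 hr-laptop7 saas.payroll.example 11000000
"""
TODAY_LOG = """\
2020-11-06 fs01 backup.cloud.example 5000000000
2020-11-06 hr-laptop7 saas.payroll.example 940000000
2020-11-06 fs01 files.unknown-host.example 2100000000
"""

def parse(log):
    """Sum outbound bytes per (day, host, destination)."""
    totals = defaultdict(int)
    for line in log.splitlines():
        if not line.strip():
            continue
        day, host, dest, nbytes = line.split()
        totals[(day, host, dest)] += int(nbytes)
    return totals

def build_baseline(log):
    """Per (host, destination): daily totals seen during the baseline window."""
    history = defaultdict(list)
    for (day, host, dest), total in parse(log).items():
        history[(host, dest)].append(total)
    return history

def review(today_log, baseline, factor=3.0):
    """Flag destinations with no history and volumes above factor x the median day."""
    findings = []
    for (day, host, dest), total in sorted(parse(today_log).items()):
        past = baseline.get((host, dest))
        if past is None:
            findings.append(("NEW_DESTINATION", host, dest, total))
        elif total > factor * median(past):
            findings.append(("VOLUME_SPIKE", host, dest, total))
    return findings

if __name__ == "__main__":
    for finding in review(TODAY_LOG, build_baseline(BASELINE_LOG)):
        print(*finding)
```

In practice the baseline window would cover weeks rather than days, and the destination field could be a country or network owner instead of a hostname.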

The above list does not exclude other steps you might take to secure your network, but it’s a start. As with any new technology, there will be new behaviors and new patterns of activity. Things will change. Things do change. But we know three things: there will be more network traffic, there will be more and faster wireless network traffic, and there will be many more IoT devices. This creates an opportunity once again to review your network security, devices, and solutions to make sure they can keep up with the new “pace” of 5G and the cybersecurity battles of tomorrow.

 

Sources:

1 & 2) https://www.sdxcentral.com/articles/news/the-5g-economic-impact/2020/03/.
3) Please see “Why 5G Requires New Approaches to Cybersecurity,” available at https://www.brookings.edu/research/why-5g-requires-new-approaches-to-cybersecurity/.
4) https://allongeorgia.com/georgia-state-news/georgia-location-among-5-of-dept-of-defenses-600-million-5g-testing-installations/
5) https://www.dhs.gov/science-and-technology/news/2020/10/15/feature-article-5g-introduces-new-benefits-cybersecurity-risks
6) “SOC 2 Compliance,” https://www.imperva.com/learn/data-security/soc-2-compliance/
7) See “Moving the Encryption Conversation Forward,” available at https://carnegieendowment.org/2019/09/10/moving-encryption-policy-conversation-forward-pub-79573/. Creating true end-to-end encryption certainly can help mitigate, in whole or in part, any potential risks associated with 5G.

Author Bios: 

Paul Ferrillo is a partner at the law firm of McDermott Will & Emery. He focuses his practice on corporate governance issues, complex securities class action, major data breaches and other cybersecurity matters, and corporate investigations. He is also an Adjunct Professor at Florida State University College of Law, and the current Director of the New York Chapter of InfraGard. Paul is author of the books Take Back Control of Your Cybersecurity Now: Game Changing Concepts on AI and Cyber Governance Solutions for Executives and Navigating the Cybersecurity Storm: A Guide for Directors and Officers.

LinkedIn Profile: https://www.linkedin.com/in/paulthecyberguy/

Twitter: @PaulFerrillo

Chuck Brooks, President of Brooks Consulting International, is a globally recognized thought leader and subject matter expert in Cybersecurity and Emerging Technologies. He is Adjunct Faculty at Georgetown University in the Cyber Risk Management and Applied Intelligence programs. During his career, Chuck received two Presidential Appointments, and served as an executive for several leading public companies. LinkedIn named Chuck as one of “The Top 5 Tech People to Follow on LinkedIn.” He was named by Thomson Reuters as a “Top 50 Global Influencer in Risk, Compliance,” and by IFSEC as the “#2 Global Cybersecurity Influencer.” He is also a Visiting Editor of Homeland Security Today.

LinkedIn Profile: https://www.linkedin.com/in/chuckbrooks/

Twitter: @ChuckDBrooks
