Illustration by iStock; *Security Management*

The Faults in 5G

By Megan Gates

01 December 2019

Print Issue: December 2019

Coined by then Forrester Research Vice President and Principal Analyst John Kindervag, the Zero Trust approach means instead of trusting that all users have not been compromised and are acting normally, network owners and operators assume that no user can be trusted and that their actions need to be verified.

This philosophy is gaining greater appreciation as the world rapidly deploys the fifth generation (5G) of wireless technology, capable of peak data rates of 10 gigabits per second. More than 225 cities worldwide have already deployed 5G networks. By 2020, Verizon estimates that 5G will support the connection of more than 20.4 billion Internet of Things (IoT) devices.

This new network structure will allow more devices to be connected to each other and transfer data at faster speeds than society has seen before. But what happens if the infrastructure used to support these networks is compromised?

To find out, the European Commission conducted a risk assessment of the cybersecurity of 5G networks. It asked EU member states to answer a questionnaire and then published the findings in a report released in October 2019 (EU coordinated risk assessment of the cybersecurity of 5G networks).

The report found that the rollout of 5G networks will create an increased exposure to cyberattacks and more potential entry points for attackers.

“With 5G networks increasingly based on software, risks related to major security flaws, such as those deriving from poor software development processes within suppliers, are gaining in importance,” the commission said. “They could also make it easier for threat actors to maliciously insert backdoors into products and make them harder to detect.”

The report also highlighted threat scenarios targeting 5G that would have major ramifications if they were carried out: network disruption, spying on traffic or data in the network, modification or rerouting of traffic or data in the network, and destruction or alteration of other infrastructure and systems connected to 5G networks.

“An important difference compared with threats to existing networks concerns the nature and intensity of potential impacts of threats,” the risk analysis found. “In particular, greater reliance on economic and societal functions on 5G networks could significantly worsen the potential negative consequences of disruptions. As such, the integrity and availability of those networks will become major concerns, on top of the existing confidentiality and privacy requirements.”

The risk assessment also found that the threat posed by nation-states, or nation-state backed actors, is the highest relevant threat to 5G networks.

“They represent the most serious, as well as the most likely threat actors, as they can have the motivation, intent, and most importantly the capability to conduct persistent and sophisticated attacks on the security of 5G networks,” according to the assessment.

This finding is especially concerning for the security community because China has made a strategic investment in 5G. Chinese company Huawei is a major player and has built a vast 5G network that supports activity in the European Union, the United Kingdom, and the United States, despite recently being blacklisted by the Americans.

“The European Commission’s report makes clear that the vulnerabilities facing a Huawei 5G global network are systemic,” says Nate Snyder, former Obama administration senior counterterrorism official with the U.S. Department of Homeland Security and Countering Violent Extremism Task Force. “Huawei’s networks are a house of cards supported by shoddy coding and a supply chain full of holes, with countless entry points for state and non-state actors, organized crime, and terrorist groups—cyber-based and otherwise—to exploit.”

To mitigate the risk of attacks exploiting these vulnerabilities, Snyder says the European Union and United States need to focus on creating their own interoperable standards, diversifying their supply chains, and working with stakeholders to build a “stronger foundation and protocols for the world to jump on the 5G highway.”

These efforts were the focus of a recent U.S. Senate Homeland Security and Government Affairs Committee hearing where stakeholders discussed the recent “rip and replace” mandate for Huawei’s equipment, increasing U.S. investment into the deployment of 5G, and addressing network insecurity.

“We need to start thinking about investing in technologies that allow us to be secure when we connect to insecure networks,” said Jessica Rosenworcel, U.S. Federal Communications Commission (FCC) commissioner.

In her testimony, she referenced the Defense Innovation Board—a U.S. military advisory board of academic researchers and private sector technologists—which found that the nation that owns 5G will own innovations and set standards for the rest of the world. The United States is not immediately poised to be that nation, Rosenworcel explained, and that needs to change through strategic rollout of a national plan for 5G that addresses both infrastructure and device security.

“We need to adjust our policies now to ensure this future is secure,” she said. “After all, the equipment that connects to our networks is just as consequential for security as the equipment that goes into our networks.”

Megan Gates is editor-in-chief of Security Technology. Contact her at [email protected]. Follow her on Twitter: @mgngates.