Safeguarding 5G Will Take More Than Banning Tech from China

Government officials who seek to keep 5G networks safe must consider not only the security standards they promote and require, but also who they ultimately hold accountable if something goes wrong, industry experts said during the recent RSA virtual conference.

Network operators first started implementing 5G in 2019 and have since been expanding coverage and building out infrastructure, while more and more manufacturers are introducing devices capable of connecting. Currently, 5G networks tend to use the existing 4G infrastructure, but are expected to eventually be able to offer full coverage without such dependency.

The Cybersecurity and Infrastructure Security Agency (CISA) says 5G is unlikely to reach this stage before 2022. But when it does, it will change the types of cybersecurity risks and priorities that need to be faced, said Scott Charney, vice president of security policy at Microsoft, during the conference.

“We’re moving from a place where 5G is mostly at the endpoints and the spectrum – if you’re working on a 4G backbone – to a place where the cloud will really be activated, from end to end with virtualized, software-defined networks – and that’s quite a different threat model,” he said.


Cyber threats are a fact of life, and some industry members want to know who will be held responsible if something goes wrong with 5G-powered offerings. 5G use cases can rely on a network that brings together a number of different service providers – for example, an autonomous driving application could depend on a multi-access edge computing (MEC) platform running on a 5G network, said Shehzad Merchant, chief technology officer at security and analytics firm Gigamon.

A real example of this is a test project announced in April 2021 by Verizon and Honda. In one test, traffic intersection cameras were designed to detect pedestrians crossing streets and then transmit this information over the 5G network to a mobile edge computing platform. This platform – with the help of a vehicle-to-everything communication platform – processes the data to determine the proximity of pedestrians to nearby connected cars and issues a warning to drivers.

Shehzad Merchant discussed 5G security during the RSA conference.

The variety of moving parts leads some countries to suggest that each service provider should be responsible for certain security features, something known as a “shared security” model, Merchant said. But questions remain – and regulators may need to work out the details.

“If there is a compromise, in this [shared security] model, who is responsible for the failure? Is it a cloud provider? Is this the application provider? Is it a mobile service provider?” Merchant said.

According to Merchant, 5G providers are the ones offering the basic service – and therefore should have the biggest security obligations – and he said regulators should make this formal.

“I don’t like regulation anymore, but I think it’s a situation that probably needs to be more regulatory on the part of security,” he said.

Some 5G providers have formulated their own vision for a shared security approach. Theresa Lanowitz, Director of AT&T Cybersecurity Solutions, AT&T Cybersecurity, recently wrote that network providers must be responsible for building a secure “network architecture”, while customers take responsibility for providing the devices they connect to, and the data they store in, the networks. Cloud providers will be required to meet their own security requirements and monitor activity and data sent through the cloud.


5G will be more difficult to protect than previous cellular networks, Merchant said. It combines many more software components, giving malicious actors more potential targets to attack.

“We’ve moved from a monolithic, vertically integrated system to a fully distributed software system,” with the transition to 5G, Merchant said. “And this leads to a massive expansion and explosion on the surface of the attack. 5G is essentially a service-based architecture in which these services now come from open source components, come from commercial vendors, come from contractors.”

Charney said that as a result, a stronger focus is being placed on ensuring the security of the code and on using machine-powered systems to monitor networks for possible threats. Government officials are also particularly concerned about security risks when using 5G offerings from businesses based in countries with which they have tensions.


U.S. officials are looking at China in particular, and the Congressional Research Service (CRS) notes in a report it updated in April 2021 that some experts feared that the Chinese government could take advantage of any vulnerabilities in the technology – whether introduced intentionally or unintentionally – to spy or launch cyber attacks. The CRS said opinions differed on whether certain technologies posed an acceptable level of risk or whether the use of China-supplied 5G solutions would be too much.

Charney said it made sense for countries to avoid using technology from rival states in government capabilities and critical services, comparing the situation to the US military’s dependence on Russian fighter jets. But, he added, putting this approach into practice can be extremely difficult.

“There is no country on the planet that can create everything … so it will remain interdependent, even if it makes countries uncomfortable in some contexts,” Charney said, adding that the government should think about governance rather than completely eliminating such risks.

Avoiding offerings made in certain countries is one thing when it comes to hardware, but ensuring that software does not include code developed in those countries is a far steeper challenge, Merchant said. This is also a challenge that is fundamental to 5G security, as these cellular networks include both a radio access network (RAN) and a software-based core network. It would be difficult to trace the origins of open source components used in this core network, Merchant said.

Even proprietary software created by an American company often involves a geographically dispersed workforce, Charney added, citing Microsoft’s Windows operating system.

“Software, whether open source or proprietary software, can be made by the international community. That’s just the reality,” Charney said.

Charney and Merchant discussed whether it would be enough for governments to avoid 5G devices and solutions from key countries, or whether it was also important to block the use of such offerings by consumers through regulatory bans or incentives.

Merchant said any vulnerabilities could pose risks to the wider system, while Charney doubted whether requirements at the level of security standards could make the offerings safe enough for personal use. Achieving the latter has its own hurdles, Charney said, and will require governments to establish strong benchmarks for testing 5G products and then be able to quickly and effectively evaluate offerings against those standards.