The real 5G mobile internet connectivity race is to secure not only the network but also the ecosystem of devices and applications attached to the network, former Federal Communications Commission (FCC) Chairman Tom Wheeler said in a new paper published by the Brookings Institute.
In the report, entitled Why 5G Requires New Approaches to Cybersecurity, co-authors Wheeler and David Simpson, former chief of the FCC’s Public Safety and Homeland Security Bureau, contend that securing 5G networks is central to national security. “To build 5G on top of a weak cybersecurity foundation is to build on sand,” the authors wrote.
In a nod to the bigger picture, Wheeler and Simpson make a case that failing to move beyond the Huawei spying issue masks some larger issues concerning 5G security. “Policy leaders should be conducting a more balanced risk assessment, with a broader focus on vulnerabilities, threat probabilities, and impact drivers of the cyber risk equation” rather than becoming so immersed in Huawei. “China is a threat even when there is not Huawei equipment in our networks,” they said.
According to Wheeler and Simpson, with the advent of 5G technology come these five cyber dangers:
- No hardware choke points. Previous networks were hub-and-spoke designs in which everything came to hardware choke points where cyber hygiene could be practiced. In the 5G software-defined network, there is no choke point inspection and control.
- Virtualization. Virtualizing in software the higher-level network functions formerly performed by physical appliances complicates 5G cyber vulnerability.
- Software. The software managing the networks, often early-generation artificial intelligence, can itself be vulnerable. An attacker who gains control of that software can also control the network.
- New attack vectors. Physically, low-cost, short-range, small-cell antennas deployed throughout urban areas become new hard targets.
- IoT. Vulnerabilities created by attaching tens of billions of hackable smart devices to the network.
“We shouldn’t be surprised that the networks of the 21st century are the new attack vectors, but these are different because they are expanded to an almost infinite number of attack vectors,” Wheeler told The Hill.
The authors acknowledge that what needs to be done to secure 5G networks is “both important and not without cost.” They argue, however, that these are not normal times and require a “departure from traditional practices.”
This “new reality” justifies the following corporate and governmental actions:
Key #1: Companies must recognize and be held responsible for a new cyber duty of care. This spans:
- Reversing chronic under-investment in cyber risk reduction.
- Implementing machine learning and artificial intelligence protection.
- Shifting from post-attack cyber preparedness to using leading indicators.
- Cybersecurity starts with the 5G networks themselves.
- Inserting security into the development and operations cycle.
- Congress should establish a cybersecurity standard of expected performance and accompanying incentives for its adoption by companies.
Key #2: Government must establish a new cyber regulatory paradigm to reflect the new realities. This spans:
- More effective regulatory cyber relationships with those regulated.
- Recognition of marketplace shortcomings.
- Consumer transparency.
- Inspection and certification of connected devices.
- Contracts aren’t enough.
- Stimulate closure of 5G supply chain gaps.
- Re-engage with international bodies.
In concluding, the authors chided the Trump administration and Congress for sitting on their hands on 5G cybersecurity. “Congress should not have to pass legislation instructing the Trump administration to act on 5G cybersecurity,” they wrote. “The whole-of-the-nation peril requires a whole-of-the-economy and whole-of-the-government response built around the realities of the information age, not formulaic laissez faire political philosophy or the structures of the industrial age.”