The race to secure 5G

Increased bandwidth and lower latency create the opportunity to develop ecosystems that can transform entire industries. The combination of IoT, 5G, cloud, data analytics, quantum computing, and AI paves the way for new and improved products and services in the energy, transportation, manufacturing, healthcare and logistics industries, to name a few.

5G also offers the foundation for a robust IoT ecosystem that will allow enterprises to harness data in unprecedented ways and enable governments to offer improved services to their constituents. By 2023, there will be more than one billion 5G connections, according to forecasts from International Data Corporation (IDC). Key drivers such as ever-increasing online content consumption, expanded reliance upon IoT devices, and the popularity of cloud gaming mean this rapid growth will continue for the foreseeable future.

But for 5G to be the success story that many envision, a variety of risks need to be addressed and mitigated.

New technologies, new risks, new requirements

CISOs will need to adopt a holistic, risk-based approach to 5G security and continuously monitor the maturity of their 5G security implementations. Whether serving telecom operators, digital service providers, IoT vendors or any part of an ecosystem that incorporates 5G technologies, CISOs should be aware of the risks and compliance needs, incorporate them in their risk register, and manage them.

Risk management should be embedded in any digital transformation project that involves 5G in order to tackle risks in timely fashion, avoid hidden costs or, even worse, make inefficient and irreversible decisions in sensitive areas, such as vendor selection and diversification or architectural design.

If security teams are able to properly manage the related risks, 5G’s impressive capabilities—including faster networks with higher capacity, support for static and mobile IoT devices and drastically reducing network energy usage, as outlined in ISACA’s recent white paper on 5G security—can be realized.

Government response

In the US, the Cybersecurity & Infrastructure Security Agency (CISA) in July, 2019, produced an overview of risks introduced by 5G adoption. Among the key findings: “Use of 5G components manufactured by untrusted companies could expose U.S. entities to risks introduced by malicious software and hardware, counterfeit components, and component flaws caused by poor manufacturing processes and maintenance procedures. 5G hardware, software, and services provided by untrusted entities could increase the risk of compromise to the confidentiality, integrity, and availability of network assets. Even if U.S. networks are secure, U.S. data that travels overseas through untrusted telecommunication networks is potentially at risk of interception, manipulation, disruption, and destruction.” As mitigating measures against these risks, CISA proposed steps such as encouraging continued development of trusted 5G technologies, promoting transparent international standards, and limiting the adoption of 5G equipment with known or suspected vulnerabilities.

In January 2021, the White House released  the implementation plan for its National Strategy to Secure 5G, in accordance with the Secure 5G and Beyond Act of 2020. The implementation plan describes four lines of effort: facilitating domestic 5G rollout, assessing risks to and identifying core security principles of 5G infrastructure, addressing risks to US economic and national security during development and deployment of 5G infrastructure worldwide, and promoting responsible global development and deployment of 5G. It follows a risk-based approach, assigning responsibilities for departments, agencies, and other federal entities and focusing on public-private and international cooperation, highlighting the need for standardization, education in cybersecurity, and research and development.

These efforts extend around the globe. In January 2021, the European Commission endorsed a toolbox of mitigating measures for addressing 5G infrastructure and supply chain cybersecurity risks. The toolbox focuses on 5G network configuration, access control, product quality, supplier diversification, state interference through the supply chain, controls against organized crime, critical infrastructure resilience, continuity in relation to electricity and other support systems, and IoT security. The mitigating measures are classified in strategic, technical, and other supporting actions and include audits on operators and the interdependencies between 5G networks and critical services, the risk profile of the supply chain, application security, virtual network security, patch management, incident response, and crisis management.

Encouragingly, the European Commission has signed joint declarations on 5G with Brazil, China, Japan and South Korea.

Further international cooperation along these lines—in addition to sharing good practices and making the needed investments in strengthening 5G infrastructure on a national level—will expedite governments’ ability to make 5G a positive transformational force.