David Simpson, former chief of the FCC’s Public Safety and Homeland Security Bureau, and Tom Wheeler, former FCC chair, presented a report to The Brookings Institution last week in which they said that many of the useful features that make 5G different from previous generations of networks also lead to a new set of cyber risks to be addressed.
Getting on top of these risks means moving away from voluntary approaches to 5G cybersecurity, they add, because just one entity’s lax security practices can put others at risk.
“The interconnected nature of the Internet creates a ‘whole of the network’ reality where the actions or inactions of one network provider can affect other networks,” their report states.
Wheeler and Simpson urged the federal government to provide a mix of carrot-and-stick efforts to prompt change, such as by subsidizing the costs of adopting better cyber behaviors while penalizing negligence.
MORE SOFTWARE, MORE HACKING RISK
While earlier generations of networks used “purpose-built hardware” for certain functions, 5G relies on software.
That heavy emphasis on software creates different kinds of risks. Hackers might find and exploit unintentional vulnerabilities in some of the software, and malicious developers could insert back doors to exploit later, the report suggests.
“The thing that makes 5G special and different from previous telecommunications networks is that it is software-based. It virtualizes, in software, the kinds of activities that used to be performed in hardware and, as a result, it can do more things and do more things less expensively,” Wheeler said during the panel. “So, virtualizing in software is great and essential and a breakthrough. But we all know that software is hackable.”
Software often uses open-source components, which adds another potential avenue for attack: malicious actors might scour these publicly available code databases to find vulnerabilities, the report states.
Communities of volunteers develop, maintain and review open-source software, but questions have been raised about whether these groups are sufficiently resourced, as GovTech has previously reported. And mistakes can happen, despite efforts to vet proposed code modifications; for example, the widely impactful Log4Shell vulnerability arose even though the compromised function had been vetted by a core member of the project management committee.
MANY SUPPLIERS, MANY TARGETS
Mobile network providers have traditionally only been able to select among a handful of established equipment suppliers for their radio access networks (RANs). Such equipment also tends to be incompatible with offerings from other suppliers, forcing network providers to rely on a single company for RAN in a given geographic area, per the report.
The 5G landscape switches this up, however, because 5G implementations often make use of Open Radio Access Network (ORAN) architecture, or components designed to be interoperable and standardized. That lets network operators select components from a variety of different suppliers.
“We’re breaking up the technology stack,” Simpson said. “There is potentially a different owner-operator of the code at the core, at the distribution unit, at the radio unit for the RIC, who’s operating the cloud at the edge. And all of those elements include risk scenes that need to be addressed.”
On the one hand, expanding the potential supplier pool makes it easier for network providers to avoid companies that might pose security risks. The U.S. government sees Huawei as one such risky company, for example, and banned the use of its equipment in 5G networks due to fears that the devices might be abused for foreign espionage.
On the other hand, involving more players increases opportunities for things to go wrong.
For one, 5G providers that look to combine solutions from different suppliers will need to make sure they configure each one properly to avoid security issues.
Plus, increasing the number of suppliers involved in delivering 5G effectively expands networks’ attack surfaces. That’s because each entity is another potential target for hackers.
More suppliers means “more potential attack vectors,” Wheeler said.
MURKY RESPONSIBILITIES?
As 5G network providers engage with more suppliers and cloud providers, there needs to be a clear understanding of what security responsibilities each entity holds, Simpson said.
In their report, Simpson and Wheeler advised the FCC to clarify such situations by holding 5G network operators responsible for “anticipat[ing] and mitigat[ing]” cyber risks involved with “the services and products they deliver, even if it is a collection of multiple components from multiple sources.”
“The highest and best level to address cybersecurity is at the network, not chasing after the network’s multiplicity of suppliers,” they said.
Cybersecurity frameworks from the National Institute of Standards and Technology (NIST) and other entities provide strong guidance for bolstering network security. But, thus far, network providers have been permitted to choose whether to follow them — a practice that needs to change, Wheeler said.
Thanks to its regulatory oversight over commercial networks, the FCC is well positioned to push network providers to do more, the report asserts.
“Cybersecurity must be a required forethought in the design, implementation, and operation of 5G networks, not a voluntary afterthought,” the authors wrote.
Such cyber policies should be designed to be flexible, however, so that they can be adjusted as technology and threats quickly evolve, per the report. The authors advised consultation between the public and private sectors to develop “agile and enforceable cyber expectations.”
To drive change, Wheeler and Simpson advised the federal government to reward entities that adopt recommended cyber defenses — regardless of how those organizations ultimately fare against a cyber attack — while penalizing entities that ignore warnings and neglect best practices.