IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Safeguarding 5G Will Take More Than Banning Tech from China

The U.S. is wary of 5G tech from China, but industry experts ask if it’s possible to guarantee software is free of components from a particular country. Plus, they ask, when something goes wrong with 5G applications’ security, who’s to blame?

Scott Charney speaking at a virtual conference.
Scott Charney, vice president of security policy at Microsoft, speaking during the RSA Conference.
Government officials looking to keep 5G networks safe need to consider not only the security standards they promote and require, but also who they ultimately hold responsible should something go wrong, said industry experts during the recent virtual RSA conference.

Network operators first began deploying 5G in 2019 and have been expanding coverage and building out infrastructure and more manufacturers have been introducing devices capable of connecting. 5G networks currently tend to make use of existing 4G infrastructure, but are expected to eventually be able to offer full coverage without such reliance.

The Cybersecurity and Infrastructure Security Agency (CISA)says 5G is unlikely to hit that stage before 2022. But when it does, this will change the kinds of cybersecurity risks and priorities that have to be confronted, said Scott Charney, vice president of security policy at Microsoft, during the conference.

“We’re moving from a place where 5G is mostly in the endpoints and the radio spectrum — if you’re running on a 4G backbone — to a place where it’s really going to be cloud-enabled, end-to-end with virtualized, software-defined networks — and that poses a whole different threat model,” he said.

WHO’S RESPONSIBLE?


Cyber threats are a fact of life by now, and some industry members want to know who will be on the hook for stopping something from going wrong with 5G-powered offerings.

5G use cases can rely on the network bringing together a bunch of different service providers — for instance, an autonomous driving application may depend on a multi-access edge computing (MAC) platform operating on a 5G network, said Shehzad Merchant, chief technology officer at cloud security and analytics firm Gigamon.

A real-world example of this is a test project announced in April 2021 by Verizon and Honda. In one trial, traffic intersection cameras are intended to detect pedestrians crossing streets, then transmit that information over the 5G network to a mobile edge-computing platform. That platform — with the assistance of a vehicle-to-everything communications platform — processes the data to determine the pedestrians’ proximity to nearby connected cars and issues a warning to the drivers.

Screenshot of Shehzad Merchant talking at a virtual conference.
Shehzad Merchant discussed 5G security during the RSA Conference.

The variety of moving parts prompts some parties to suggest that each service provider should be held responsible for certain security functions, something that’s known as a “shared security” model, said Merchant. But questions remain — and regulators may need to iron out the details.

“If there’s a compromise, in that [shared security] model, who’s responsible for the failure? Is it the cloud provider? Is it the application provider? Is it the mobile service provider?” Merchant said.

In Merchant’s view, 5G providers are the ones offering the core service — and so should have the greatest security obligations — and he said regulators ought to make this official.

“I don’t like more regulation, but I think this is a situation that probably needs to be more regulation on the security side,” he said.

Some 5G providers have articulated for their own vision of a shared security approach, with Theresa Lanowitz, director of AT&T’s cybersecurity solutions division, AT&T Cybersecurity, recently writing that network providers should be in charge of building secure “network architecture” while customers take responsibility for securing the devices they connect to — and data they store on— the networks. Cloud providers would be obligated to meet their own security requirements and monitor activity and data sent over the cloud.

THE SECURITY CHALLENGES


5G will be trickier to secure than earlier cellular networks, Merchant said. It brings together far more software components, giving malicious actors more potential targets to attack.

“We’ve gone from a monolithic, vertically integrated system to a completely distributed software system,” in the shift to 5G, Merchant said. “And that is leading to a massive expansion and explosion in the surface area of attack. 5G is essentially a services-based architecture where these services are now coming from open-source components, they’re coming from commercial vendors, they’re coming from contractors.”

Charney said that, as a result, stronger focus is being put on ensuring codes are secure and on using machine learning-powered systems to monitor networks for possible threats. Government officials also have been particularly concerned about the security risks of using 5G offerings from businesses based in countries with which they have tensions.

COUNTRY OF ORIGIN


U.S. officials have been scrutinizing China in particular, and the Congressional Research Service (CRS) noted in a report it updated in April 2021 that some experts fear the Chinese government could take advantage of any vulnerabilities in the technology — whether introduced voluntarily or involuntarily — to spy or launch cyber attacks. CRS said opinions varied over whether certain technologies posed an acceptable level of risk or whether any use of China-supplied 5G solutions would be too much.

Charney said that it makes sense for countries to avoid using tech from adversarial nations in government capabilities and critical services, comparing the situation to having the U.S. military depend on fighter jets from Russia. But, he added, putting this approach into practice could be exceptionally difficult.

“There’s no country on the planet that can create everything... so there is going to remain dependency on one another, even if it makes countries uncomfortable in some contexts,” Charney said, saying government may instead need to think about managing rather than fully eliminating such risks.

Avoiding offerings made in certain countries is one thing when talking hardware, but guaranteeing that software does not involve any code developed in those countries is a far steeper challenge, Merchant said. It’s also a challenge central to 5G security, because these cellular networks involve both a radio access network (RAN) and a software-based core network. It would be difficult to trace the origins of any open-source components used in that core network, Merchant said.

Even proprietary software created by a U.S.-based company often is made engaging a geographically dispersed workforce, Charney added, and he gave Microsoft’s Windows operating system as an example.

“Software, whether it’s open source, or proprietary software, may be made by the international community. That’s just the reality,” Charney said.

Charney and Merchant debated whether it would be enough for governments to avoid 5G devices and solutions from key countries or if it is important to also block consumer use of such offerings through regulatory bans or incentives.

Merchant said any weak point can introduce risks to the wider system, while Charney questioned whether requiring a level of security standards could make the offerings safe enough for personal use. Achieving the latter proposal brings its own hurdles, Charney noted, and it would require governments to establish strong metrics for vetting 5G products, then be able to quickly and effectively evaluate offerings against those standards.
Jule Pattison-Gordon is a senior staff writer for Governing and former senior staff writer for Government Technology, where she'd specialized in cybersecurity. Jule also previously wrote for PYMNTS and The Bay State Banner and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.