Stakeholders anticipate that 5G will enable a wide variety of creative use cases as its uptake grows and its features develop. But the network designs that enable these applications also introduce new kinds of risks, and standards setters must rethink what it takes to keep everything safe, summit panelists explained.
OPEN ECOSYSTEMS
Organizations like DoD have encouraged providers of various 5G components to make their offerings interoperable by designing them to common standards. This approach would ensure the solutions work together easily, so agencies acquiring the tech could modify their 5G setups by adding or swapping components rather than doing the heavy lifting of customization themselves, Evans said.
“We want to take pieces of systems from different vendors and make them interoperable user interfaces,” Evans said.
“There are various companies that are U.S.-based that create and deliver different portions of the 5G architecture,” Beel said. “These distributed architectures greatly expand the attack surface.”
Network carriers need to be attuned to this risk, but the involvement of numerous participants is not always a bad thing, said Kabir Kasargod, senior director of strategic operations at Qualcomm.
“Because of the diversity of this ecosystem, it's enabled network operators to pick and choose the vendors and the partners that are going to provide the best security profile, so there’s a bit of a choice now that didn’t exist before within the context of who should we pick within the various different subcomponents,” Kasargod said.
In many cases, 5G’s openness is a trade-off, swapping out the risks of closed, proprietary systems for those of open systems, with the hope that the latter risks will be fewer or accompanied by enough advantages to outweigh the limitations.
“Open source and the transparency that's there in the vendor ecosystem [is] very different than a closed system [that’s] tightly vertically integrated and proprietary, which have different sets of risks that are inherent to it,” said Bryan Ware, CEO and founder of Next5.
CLOUD COMPUTING
The openness question also comes into play with cloud computing, which is an important aspect of many 5G applications. The reliance on cloud can provide both security advantages and complications, Ware said.
One central tension is that cloud offerings often use open-source software.
Anyone can then view the code, meaning that the networks get the benefit of a vast pool of developers discovering and mitigating security flaws or other issues, Ware said. Of course, cyber criminals can also view the code just like anyone else, giving them deeper insights into how systems work and where weaknesses may be.
“This transparency is a bit of a double-edged sword,” Ware admitted. “But as a general rule, there are a lot more of the good guys.”
NEXT-GENERATION SECURITY
Each generation of mobile networks presents an opportunity for standard setters to replicate the security approaches that worked for the prior generation and iron out limitations that have been discovered, said Jeff Cichonski, cybersecurity engineer for the Applied Cybersecurity Division of the National Institute of Standards and Technology.
For 5G, that can mean taking a new approach to mobile network subscriber authentication that goes beyond the protections possible with 4G. Devices authenticate themselves on 4G networks (also known as LTE networks) by transmitting identifying details over the network to cell towers.
“It was discovered that the way LTE was architected is that a critical piece of attaching to a network requires the device to send its subscriber identity over the air as it’s cleared,” Cichonski said. “It's kind of seen as a weakness in LTE.”
Stakeholders approaching 5G knew this was a problem they would need to address and sought to create stronger encryption standards for user traffic.
“We took that under our belt and designed the protocol, or the architecture, in a way that protects that subscriber identity to make sure it's concealed when it's being sent over the air to the base station or to the network,” Cichonski said.
Along with fixing known flaws, he said, standard setters have added new security functions, including alternative ways for handling authentication.