YOU ARE AT:5GHow should stakeholders work together to ensure 5G security?

How should stakeholders work together to ensure 5G security?

 

By its very nature, 5G is complex. Next generation networks are going live all over the globe and operators are working in earnest to secure the capital dollars needed to scale 5G, continue to enhance the technology and deliver cutting-edge consumer and enterprise services. 

This process simultaneously involves a diverse ecosystem of telecom network vendors providing hardware, software and other solutions in support of ongoing 5G rollouts. And regulators charged with overseeing spectral, technological and other aspects of public policy are working to foster innovation while putting in safeguards to ensure security in an increasingly connected world.

During a recent panel discussion hosted by Huawei, including Kevin Jackson, founder and CEO of GovCloud Network, Tony Scott with Patton Boggs, and Huawei’s Chief Security Officer Andy Purdy, the panelists highlighted the need for effective equipment verification, supply chain and operation transparency, as well as the establishment of global network security standards for our networks. Achieving comprehensive 5G cybersecurity requires collaborative action from operators, vendors and governments. 

The role of operators in 5G security

Jackson put the issue in its simplest terms, saying: “We are moving so fast, it’s hard to keep up — and that in and of itself is a threat.” He went on to explain that because network infrastructure is no longer hardware-based, but instead becoming increasingly software-based, security threats will now be software-based, as well.

“As a carrier, it’s important to understand what this means for your operations. Historically, you have been focused on physical things, but the threat is coming from a completely different direction now.”

He also called on operators to develop a better understanding of the “non-person” entities–the machines, sensors and other devices comprising the internet of things–within their infrastructures and the data that these entities are capable of, and permitted to, share with another entity.

Scott agreed, adding, “As machines start to take over the role of humans, we have to have a more richly developed concept of machine identity and what those machines are able to access and actions that those machines can take based on that access.”

The biggest hurdle facing operators when it comes to security is going to be a cultural shift. “It necessary to change the mindset about what it takes to be an effective telecom operator,” said Jackson.

The role of vendors in 5G security

Purdy pointed to a need to create better monitoring capabilities in general and greater transparency, and referenced efforts by GSMA and 3GPP to work with operators and equipment vendors to create standards and a certification process for next-generation telecom equipment.

He also highlighted that equipment vendors should develop a close collaboration with the telecom operators to make sure the vendors are meeting the operator’s international and external requirements. “[Equipment vendors] have the requirement to address the risk from what [they] do and the risk from [their]supply chain and doing so transparently and effectively.”

Having independent programs as an equipment vendor to verify that requirements are being met—requirements “steeped in international standards” when possible—and the feedback from those processes can, according to Purdy, significantly reduce security risks.

In addition, he elaborated on the role of the vendor, explaining that there are methods that can be used to ensure that vendors have very limited ability to access any data that they’re not supposed to access or to turn over that data to anyone they’re not supposed to turn it over to. “Methods that provide both assurance and transparency are absolutely essential as part of verification and conformance,” he added.

The role of governments in 5G security 

“Government has to be engaged in this big time,” Scott asserted. According to him, the government has to have two major roles: establishing regulatory and policy frameworks; and fostering innovation by encouraging R&D through funding.

Purdy called for better accountability on the part of the government and private sector organizations. “[They] have to own cybersecurity risk and need to know what they’re requirements are. They don’t need to be experts, but they need to use frameworks and follow guidelines.”

He also feels that the U.S. government is not putting enough emphasis on the importance of competition in the telecom equipment space.

“There is a fragile situation in the world about the number of equipment vendors and their capability to perform R&D,” he said. The risk of losing companies from that competition is too high. He pointed to the Chinese government as an example worth following, explaining, “The [Chinese] government recognizes the importance of competition and that having it in the market helps encourage reduced prices, better innovation, and better security features and resilience.”

Purdy said he does not think that the government should lead the way in setting verification and transparency standards. Instead, it should be led by the private sector, to avoid the development of regulations that end up stifling competition, innovation, assurance or transparency.

This is part of a series examining 5G cybersecurity. For more information, explore the following materials: 

 

ABOUT AUTHOR