SECURITY & 5G
Q&A with Cybersecurity and Infrastructure Security Agency (CISA)
Q Is 5G deployment introducing new security concerns and vulnerabilities?
A Yes, along with groundbreaking increases in data coverage, speeds and capacity, 5G technology is also introducing new security concerns and vulnerabilities, either developed intentionally for malicious intent or unintentionally through poor security practices throughout networks and the information and communications technology (ICT) supply chain. These vulnerabilities can enable data and intellectual property theft, loss of confidence in the integrity of the system or exploitation to cause system and network failure. Managing these risks is a top priority for the Cybersecurity.
Q What are the security considerations that enterprise users of 5G should keep in mind when adopting the technology?
A CISA is encouraging all users, both private and public, to adopt a risk-based security framework for the adoption of 5G technology. We urge nations to conduct a careful evaluation of potential hardware and software equipment, vendors and the supply chain. It is imperative that the international community renews its efforts to incentivise security in the marketplace and make it a primary consideration, on par with cost, in product development, manufacture, acquisition, and procurement. In 2019, the global community made great strides at the Prague 5G Security Conference, where officials from nearly 40 countries met to discuss a set of principles on how best to design, construct, and administer secure 5G infrastructure, known as the Prague Proposal. Additionally, the European Commission and member states released their coordinated European Union risk assessment of 5G security. We welcomed the assessment and how it clearly identified the vulnerability of 5G vendors or suppliers that could be subject to pressure or control by a third country, especially countries without legislative or democratic checks and balances in place. The assessment also highlighted the corporate ownership structure of 5G suppliers as a potential risk factor, which aligns with the U.S. assessment and the Prague Proposals’ call for transparency. Establishing international cybersecurity norms, like we did in Prague, must continue with our international partners; we must continue to encourage responsible behaviour and oppose those who would seek to disrupt networks and systems.
Q CBRS and private networks are gaining a lot of momentum with 5G. What are the security considerations this connectivity option is introducing? How can they be overcome?
A The Citizens Broadband Radio Service (CBRS) represents a significant advance in dynamic spectrum sharing and may prove applicable to future spectrum management frameworks by replacing traditional, static methods of sharing that excluded new entrants from using specific frequencies or from operating in specific geographic areas. This represents an advantage for those who can afford to participate but may exclude others who cannot. We live in a system-of-systems world where 5G components underpin a broad range of critical infrastructure and governmental functions private citizens depend upon. There must be trust in these components and they must be secure by design. Our engagements with new stakeholders largely reinforce a growing recognition that effective 5G security is not only important for product security, but is also necessary for business and organisation resilience, as well as economic and national security. The participation in our ICT Supply Chain Risk Management (SCRM) Task Force by 40 of the largest ICT stakeholders is testament to the fact that those on the front end of developing and producing the connected infrastructure underpinning our digital world are committed to leading in and prioritising security and resilience in their business decisions.