Ensuring the Pros of 5G Can't Be Conned
Supply chain issues are only the tip of the iceberg for security.
The much-hyped 5G has begun to arrive, but in the United States, the truly transformative elements of these next-generation cellular networks are probably still four or five years off. Although improvements such as 100-times-faster speeds will enable more life-and-death type services, including remote surgery or self-driving cars, they also employ a more compromised hardware supply chain and offer a larger attack surface than current networks, federal officials warn.
“The anxiety from governments and regulators about the security issues [arising from 5G] and possible nation-state interference is at a fever pitch right now,” Robert Mayer, senior vice president for cybersecurity, USTelecom, says.
Limited 5G hardware components manufacturing alternatives also concern officials. Only a handful of companies, none of them American, produce the equipment required to make 5G a reality, including the antennas and accompanying network equipment that connect phones and other devices over the air. One of those companies is Huawei, the Chinese telecom giant regarded by the U.S. intelligence community as a tool of Beijing’s spy agencies.
Federal officials say they’re working with U.S. companies to exclude suspect Chinese suppliers from the 5G supply chain. They have sanctioned Huawei and ZTE, another Chinese manufacturer, and forbidden telecommunications companies that provide government services or receive government funding from using their equipment. The concern is these restrictions won’t matter if U.S. allies in Europe, Latin America and Asia use Huawei equipment in their 5G networks.
“If you keep Huawei out of your network, you have a ‘Huawei-free’ network,” Brig. Gen. Robert Spalding, USAF (Ret.), says. “You don’t have a secure network.” Gen. Spalding was a senior adviser on China to the chairman of the Joint Chiefs of Staff and worked in the White House 2017-2018, where he was the chief architect of the 2017 National Security Strategy.
While at the White House, the general argued unsuccessfully that, like the national highway system, a secure 5G network is a public good, so it deserves a huge upfront investment from the government. Instead, the administration opted to use 5G as a cash cow, aiming to raise more than $6 billion by auctioning off the spectrum telecommunications providers will need to offer 5G services.
Gen. Spalding argues those huge spectrum costs will deprive providers of the capital they need to build out the network. Worse, the profits from the new technology will flow not to the companies that build the network but to the service providers that will use 5G. “The way the business model is set up, all the profits are in the data,” he says. “Those who build the network don’t make the money.”
Proponents of the new technology argue that 5G networks will be more secure than previous capabilities because for the first time in the development of a new global mobile standard, security is being designed into them.
But critics such as Gen. Spalding charge the Chinese are dominating the standards development process, and the same measures U.S. agencies have taken to protect the supply chain have chilled U.S. companies’ participation in the deliberations.
“At this point, we have anecdotal evidence that private sector participation in some standards development activities has dropped off, while participation by non-like-minded countries has increased significantly,” acknowledges Rob Strayer, deputy assistant secretary for cyber and international communications and information policy, U.S. Department of State.
In telecommunications, as in information technology, global organizations that bring technical specialists together and operate by consensus set the technical standards. For example, the 3rd Generation Partnership Project (3GPP) develops cellular standards. Last year, the group finalized its first set of standards for 5G called Release 15.
The 3GPP currently is working on Release 16, the standards that will offer the ultra-reliable low-latency networks that 5G boosters crow about. Release 17 will cover the back-end services that 5G networks can offer for automated manufacturing and other physical systems.
According to industry leaders, the 5G standards are not yet complete, which may lead to delays. “Our ability to innovate in this industry is very much tied to a robust and global standards-setting operation,” adds John Neuffer, CEO, Semiconductor Industry Association. But, he warns, “overly broad” sanctions against Chinese suppliers were deterring U.S. participation in the standards-setting process. For example, Huawei has been placed on the U.S. Commerce Department’s “entities list,” meaning it is illegal for U.S. companies to do any kind of business with them.
“Overly broad export controls can make it very hard for collaboration and cooperation in the global standard-setting bodies,” Neuffer says. “Technical folks from our companies go to these standards-setting bodies and, with these export controls in place, sometimes they have to have a lawyer sitting next to them to tell them what they can engage and what they can’t engage on.”
Mayer explains the first export controls listing created some uncertainty. “They’ve issued a clarification, but people are still trying to figure out what all this means,” he says. And according to Neuffer, the sanctions on Huawei “gums up the gears of standards-setting in the global bodies.”
The unintended consequences of sanctioning Huawei are adding to a failure of U.S. policy on 5G standards, Gen. Spalding argues. “The 3GPP processes, especially the security ones, are almost entirely dominated by Chinese” companies, he says.
Mayer argues the transparent and consensus-driven nature of the standards-setting process makes it a great forum in which democracies can triumph. “You make sure that you have the experts at the table who can evaluate proposals and make sure that they are presented in good faith and have technical merit. You can use the open process, the consensus-based process to make sure no one is gaming the system and not using it to try to leverage an advantage for one company or country,” he says.
Gen. Spalding points out that the two largest U.S. telecommunications companies, AT&T and Verizon, have not yet submitted a single set of technical comments on the standards. “U.S telecoms companies will be more than happy to adopt whatever standards 3GPP comes up with,” he states.
Regardless of what happens with the standards, the new technology will connect an order of magnitude greater numbers of devices at 100 times faster speeds. As a result, critics fear they will offer many more possible entry points for hackers and a capability for them to steal data more quickly.
John Costello, director of strategy, policy, and plans, Cybersecurity and Infrastructure Security Agency, Department of Homeland Security, notes that the sheer size and complexity of 5G networks offer would-be hackers a larger attack surface. “The number of ways that an attacker could get at a 5G network or manipulate it ... exponentially increases as the network becomes more complex,” he observes. His agency is still trying to get its arms around the threat.
But Mayer points out that larger attack surface will be offset by the greater control 5G will offer. “From industry’s point of view, the sky is not falling. Yes, the attack surface is larger, but that’s offset by the capabilities that will be built into a smarter edge and a more adaptive and resilient core.
“The telecommunications industry looks at the progress it’s made over several generations of cellular technology,” he adds, noting that some vulnerabilities in existing telecommunications technologies were the result of standards drafted during an earlier, “more trusting” age. “5G is different, because we’re building security into the standards from the get-go,” he relates, the first time that has ever been done with a global cellular standard.
At a recent Washington, D.C., event, Federal Communications Commissioner Jessica Rosenworcel noted the importance of baking in security from the beginning of all technology advances. “What we have learned is that retrofitting security after the fact is difficult and expensive,” she stated.
The need for the United States to be an early adopter of 5G, which she said would add “millions of new jobs” to the U.S. economy, will give the nation what she calls a first-mover advantage, much as the United States benefited from being the leader in the smartphone market.
“Countries around the world are jockeying for position and control in this emerging ecosystem,” Rosenworcel said, calling the race to 5G “a microcosm for the broader debate about global leadership and economic security.”