DHS Seeks To Ensure 5G Cybersecurity

Next-gen mobile grows integral to homeland security.
Fifth-generation cellular communications will be more secure than predecessor technologies but will also introduce vulnerabilities, in part because of the vast expansion of devices that is expected with the emergence of the Internet of Things. SERDTHONGCHAI/Shutterstock

A Homeland Security Department program designed to secure fifth-generation cellular communications known as 5G could complete the last of its nine projects next year.

All cellular communications technologies come with security weaknesses. That includes 5G capabilities, which are becoming increasingly critical to the homeland security mission, according to a departmental guidebook on the Secure and Resilient Mobile Network Infrastructure program (SRMNI) and its sister program Emergency Communications Research and Development. The Homeland Security Department’s Science and Technology Directorate leads the SRMNI program to fill technology gaps identified by the Cybersecurity and Infrastructure Security Agency (CISA).

“CISA is our customer, and they are looking to get some research and development performed to fill some cybersecurity gaps in the mobile 5G infrastructure. They’re looking to secure those venues for not only the general public but for the government, for the nation,” explains Brent Talbot, a program manager within the Science and Technology Directorate’s Office of Mission Capability and Support. “We’re trying to push the boundaries of what is known, and we’re looking to protect those communications venues, especially for our frontline workers, the emergency responders.”

New 5G technologies include techniques to solve 4G security weaknesses and implement measures to meet the security requirements for the new 5G use-cases, such as enhanced mobile broadband and massive machine-type communications to support Internet of Things, machine-to-machine communications and critical communications with ultra-reliability and low latency, the guidebook explains. 5G will be cloud-native, using software and virtualization on commodity servers instead of proprietary hardware to implement network functions.

“The combination of commodity hardware and virtualization on an all-Internet protocol network and the vast expansion in the number of connected devices broadens the attack surface over previous cellular generations,” the document states.

The overarching mission of the SRMNI project is to deliver accurate, timely and useful research and solutions and knowledge that will enable risk- and cost-informed decision-making regarding capability gaps, threat identification, architectural frameworks and potential mitigations, operational and technical requirements and investment priorities for 5G implementation, the guidebook adds.

As the Homeland Security Department—and the nation—advance toward a next-generation wireless infrastructure, the program aims to secure that infrastructure.

Vulnerable electronic components imported from other countries can make their way into industrial control systems, such as those needed for the electric grid. Researchers with the Department of Homeland Security seek solutions to the threat. mechanic/Shutterstock

“A lot of the research we do here, even though it is on the applied side, is very much to protect critical infrastructure, to ensure our communications, understanding that we use not only your traditional network for Wi-Fi and cloud and others but also cellular capabilities,” notes Vincent Sritapan, who leads CISA’s Cyber Quality Service Management Office.

The department already has seen some successes with the program. For example, 4K Solutions LLC has developed a secure voice and instant messaging solution known as GovSecure that meets sensitive but unclassified requirements and is now available on the Google Play store and the Apple App Store. Because cellular calls and text messages are vulnerable to eavesdropping, the app allows secure, untraceable communications for sensitive but unclassified messages.

Through the GovSecure solution, central management, control and easy administration are implemented without specialized hardware or requiring a recall of the equipment. Also, there will be no need for controlled cryptologic item storage, safeguard or protection protocols normally associated with secure telecommunications equipment, according to a project fact sheet.

“That is an application layer end-to-end like voice and data encryption, but it does a lot more than that,” Sritapan states. “That was one that our Integrated Operations Division very much cared about for operational capability.”

The 4K Solutions project also includes a product known as EchoPTT Pro, a serverless push-to-talk voice over Internet protocol application for Android devices. It provides encryption for all traffic and certificate-based authentication. GovSecure and EchoPTT will work with an array of devices and operating systems, can be remotely installed and secured on the fly and can be rapidly removed from a device via a centrally managed server, according to the fact sheet.

That project along with two others—Aether Argus Incorporated and GuidePoint Security LLC—was expected to be completed by June 1. The remaining six likely will end next year.

Aether Argus, which is based in Atlanta, is developing a solution for ensuring the security of imported microelectronics components. Circuit boards and other components can include vulnerabilities deliberately included by other countries—China, for example—to allow remote access to critical infrastructure systems, such as industrial control systems.

“Given the increased risk in the global supply chains, there is a clear need for products that can efficiently and effectively inspect hardware elements of connected devices and components for evidence of tampering,” the project fact sheet explains. “This need indicates a market opportunity for products to secure electronics-oriented goods, especially 5G devices, ICS and IoT,” the fact sheet adds, using the initials for industrial control systems and Internet of Things.

The technology relies on analog side-channel signals that are nondestructively collected while the device, or a specific integrated circuit, performs its normal power-up, self-test or functional testing while the system is operating normally. By monitoring and taking advantage of electromagnetic emissions, the Aether Argus solution will identify anomalies in device performance. That provides a new detection capability for supply chain attacks by tracking electromagnetic emissions both prior to deployment and while the system operates, the fact sheet adds.

The GuidePoint Security project, meanwhile, is designed to improve protection and monitoring of devices accessing mobile networks by building protective DNS capabilities and services while adhering to privacy laws and regulations. As agencies have become mobile and employees work remotely, they need DNS security without backhauling traffic through a virtual private network to agency networks and to a static trusted Internet connection, the fact sheet for this project suggests. It adds that backhauling traffic to on-premises infrastructure impedes the ability of mobile users to effectively complete their work, which can have a negative impact on the agency’s mission because of network performance issues resulting from high latency and low throughput of virtual private network implementations.  

“This effort will architect, build and evaluate a mobile traffic filtering architecture using DNS routing as the underlying flows to be evaluated. In addition, determining performance at a user level will be accomplished using Android and iOS devices including both smartphones and tablets. The pilot will focus on the scaling of the user traffic to test the identified/required use cases, including enabling the use of protective DNS on mobile devices,” the document explains.

Sritapan indicates that many of the various projects focus on end-to-end security for telecommunications along with mobile network security. Mobile communications require device management, device configuration, policy enforcement and enrollment. But they also necessitate mobile threat defense, which is “end point protection on the phone,” he adds, likening DNS security to a firewall capability and stressing the need for traffic routing.

“We’re not only trying to push protective DNS security for the more traditional laptop and desktop environment; we’re also trying to do it for mobile devices,” Sritapan states. “This is new to us. It’s never been done in CISA before, so our partnership has led to a lot of good findings and results, and we’re taking that forward and putting it into practice for operations on our side.”

The SRMNI program is closely related to another collaboration between CISA’s Emergency Communications Division and the Homeland Security Department’s Science and Technology Directorate: the Emergency Communications Research and Development project. It focuses specifically on making emergency responders more efficient and effective during missions.

The three priorities for the emergency communications research program include enhancing cybersecurity for public safety answering points and emergency communications centers; creating more effective and trusted federated identity, credential and access management capabilities for public safety community use; and developing data interoperability standards for computer-aided dispatch systems to facilitate data and information sharing across jurisdictional and responder boundaries.

As even newer mobile communications capabilities, such as 6G and 7G, become available, homeland security researchers will strive to fill any cybersecurity gaps in those technologies as well. “Absolutely we’re going to look at those. As those things mature—just like all of the other Gs in the past—there are going to be vulnerabilities,” Talbot says. “It’s our job to look at where those vulnerabilities are and how we mitigate those so that the communications are protected.”
