Some politicians think keeping Huawei out of U.S. networks ensures security. I believe that does very little. The Chinese government does not need to compromise Huawei because there are so many other ways to crack the systems. Former FCC Chair Tom Wheeler and his security lead, Rear Admiral David Simpson note
"Never have the essential networks and services that define our lives, our economy, and our national security had so many participants, each reliant on the other—and none of which have the final responsibility for cybersecurity,"
5G networks will be vastly more complicated, with far more points of attack. Software-defined networks are harder to protect than traditional, known hardware. Control - and vulnerability - is more distributed. Running on commodity hardware and software offers more ways in.
That 5G is not secure is well known. Congress was told that by Ericsson’s Lynn Starr, Barbara Baffer, and Jason Boswell, presumably informed by the engineers building about half of U.S. 5G networks.
"5G is ultra-reliable" is a lie.
From Simpson and Wheeler
There are five ways in which 5G networks are more vulnerable to cyberattacks than their predecessors:
- The network has moved away from centralized, hardware-based switching to distributed, software-defined digital routing. Previous networks were hub-and-spoke designs in which everything came to hardware choke points where cyber hygiene could be practiced. In the 5G software defined network, however, that activity is pushed outward to a web of digital routers throughout the network, thus denying the potential for chokepoint inspection and control.
- 5G further complicates its cyber vulnerability by virtualizing in software higher-level network functions formerly performed by physical appliances. These activities are based on the common language of Internet Protocol and well-known operating systems. Whether used by nation-states or criminal actors, these standardized building block protocols and systems have proven to be valuable tools for those seeking to do ill.
- Even if it were possible to lock down the software vulnerabilities within the network, the network is also being managed by software—often early generation artificial intelligence—that itself can be vulnerable. An attacker that gains control of the software managing the networks can also control the network.
- The dramatic expansion of bandwidth that makes 5G possible creates additional avenues of attack. Physically, low-cost, short range, small-cell antennas deployed throughout urban areas become new hard targets. Functionally, these cell sites will use 5G’s Dynamic Spectrum Sharing capability in which multiple streams of information share the bandwidth in so-called “slices”—each slice with its own varying degree of cyber risk. When software allows the functions of the network to shift dynamically, cyber protection must also be dynamic rather than relying on a uniform lowest common denominator solution.
- Finally, of course, is the vulnerability created by attaching tens of billions of hackable smart devices (actually, little computers) to the network colloquially referred to as IoT. Plans are underway for a diverse and seemingly inexhaustible list of IoT-enabled activities, ranging from public safety things, to battlefield things, to medical things, to transportation things—all of which are both wonderful and uniquely vulnerable. In July, for instance, Microsoft reported that Russian hackers had penetrated run-of-the-mill IoT devices to gain access to networks. From there, hackers discovered further insecure IoT devices into which they could plant exploitation software.
Fifth-generation networks thus create a greatly expanded, multidimensional cyberattack vulnerability. It is this redefined nature of networks—a new network “ecosystem of ecosystems”—that requires a similarly redefined cyber strategy.