Government Watchdog Calls for 5G Cybersecurity Standards
GAO: Challenges Could Affect the Performance of US 5G Wireless Networks
The U.S. Government Accountability Office is urging policymakers to adopt coordinated cybersecurity monitoring of 5G networks to ensure a safe rollout of the new technology.
The federal watchdog agency released a study titled "Capabilities and Challenges for an Evolving Network" that discusses how the performance goals and expected uses are to be realized in U.S. 5G wireless networks, the challenges that could affect performance or usage, and the policy options to address those challenges.
The agency called for a coordinated monitoring program that ensures the entire wireless ecosystem stays knowledgeable about evolving threats, in close to real time; identifies cybersecurity risks; and allows stakeholders to act rapidly in response to emerging threats or actual network attacks.
The report also states that carriers may not be comfortable reporting incidents or vulnerabilities, and determinations would need to be made about what information is disclosed and how the information will be used and reported.
The government watchdog met with officials from selected federal agencies and companies involved with the development, deployment or effects of 5G networks. The agency states, "We also met with the four largest U.S. wireless carriers (AT&T Inc., Sprint Corporation, T-Mobile US, Inc., and Verizon Communications Inc.), industry organizations, standards bodies, and policy organizations."
In addition, the officials at the agency met with representatives of four university wireless research programs and toured one of them. During the interviews with officials and representatives, GAO officials discussed 5G performance goals, 5G applications, the status of key technologies that will enable the performance or usage of 5G networks, challenges to the performance or usage of 5G in the U.S. and policy options to address those challenges, according to the report.
"5G potentially introduces new modes of cyberattack and an expanded number of points of attack and it will likely exacerbate privacy concerns due to the increased precision of location data and the proliferation of IoT devices," the GAO notes.
GAO also cited a report by the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, which states that advanced security features in 5G protocols and technologies will improve communications security but will require proper configuration and implementation.
The report further notes, "as municipalities, companies, and organizations build their own local 5G networks, it is possible they will not properly implement 5G security enhancements, making equipment and networks vulnerable to interception, disruption, and manipulation."
The 3rd Generation Partnership Project, or 3GPP, which is the umbrella term used to describe the standards organizations that develop mobile telecommunications protocols - including for 5G - recently introduced a new framework for authentication, which is a process for verifying the identity of a user or device before allowing access to the network.
The agency states, "the new framework will use the same authentication methods for both 3GPP (namely, 5G radio access) and non-3GPP (e.g., Wi-Fi) networks, allowing carriers to use the same authentication framework for both networks instead of using different frameworks. When a user device needs to authenticate over an untrusted non-3GPP access network, such as Wi-Fi, the device will connect via a function called the non-3GPP interworking function, which establishes an encrypted connection when the device is connected to the 5G core."
The China Problem
In June, the U.S. Department of Commerce sought to correct the problem by issuing a new rule that allowed U.S. technology companies to work with any company, including Chinese manufacturing giant Huawei, on telecommunications sector standards development activities.
The ability of U.S. organizations to influence the direction and protocols underpinning the next-generation mobile networking standards has been at risk, as they are already late to the 5G race.
One challenge for U.S. technology firms, however, stems from May 2019, when the Commerce Department placed Huawei and 68 of its non-U.S. affiliates on an "entity list," which prohibits them from procuring U.S. goods or services without an export license.
While the agency temporarily relaxed those restrictions - in some cases - the move immediately led to corporations such as Alphabet no longer sharing with Huawei any hardware, software and technical services, including Android operating system updates, beyond what is available through open source standards (see: White House: US Firms Can Work With Huawei on 5G Standards).