By: Daniel Zhang, Columnist
The US government has launched a concerted campaign both domestically and internationally to block Huawei from building Next-Generation (5G) wireless networks. These efforts are, however, insufficient to address wider network security concerns. Keeping Huawei hardware out of the US 5G network does not equate to successfully preventing foreign cyber threats. The current administration must, therefore, implement further robust measures to address the much larger issues posed by the 5G rollout.
The U.S., along with other Western nations, has long alleged that Huawei equipment poses risks, especially as tensions between China and the U.S. have risen over the past few years due to national security concerns. A May executive order from the Trump administration blocks US companies from purchasing telecommunications equipment from sources deemed to be national security threats. One of the results has been an effective ban on Huawei products entering the US market.[i] Critics of Chinese 5G technology argue that Chinese companies are obliged to assist their government under the Chinese National Intelligence Law. Given this concern, one worrisome scenario would be Huawei installing deeply implanted flaws in the 5G network, providing Chinese intelligence services a menu of vulnerabilities to exploit.[ii]
Moreover, the fact that Huawei’s products are cheap and gaining popularity across the globe worries the administration, as it suggests that the U.S. is lagging in the global race to roll out 5G technology.[iii] In 2018, the Trump administration blocked Singapore-based Broadcom’s proposed $105 billion acquisition of Qualcomm, a US semiconductor and telecommunications equipment company, citing concerns about the deal’s effect on America’s ability to compete with China in 5G technology.[iv] Specifically, the administration invoked national security concerns to block the deal for fear that Broadcom would break up Qualcomm for short-term financial gain and thereby undermine the US ability to compete with China in semiconductor and 5G technology by stifling Qualcomm’s ability to innovate.[v]
The truth is, however, that regardless of who builds the American 5G network, there will be cybersecurity risks. Hardware, like that offered by Huawei, is but one part of 5G. Focusing exclusively on preventing Chinese hardware from supporting US networks would create a false sense of security that ignores the risks to other parts of the next-generation network, namely the software and applications. Both Russia and North Korea have successfully infiltrated networks in the U.S. without exploiting Chinese hardware. So, to effectively protect the security of its 5G networks, the U.S. should conduct a national risk assessment of 5G infrastructures on a larger scale, assessing if the current security requirements for network providers are sufficient to ensure the security of next-generation networks.
The administration must work with telecommunications companies to develop a secure 5G standard. While current 5G technologies promise faster speeds and greater reliability, security measures are not being adapted to the new 5G standards. A recent study of 5G authentication by scientists from ETH Zurich, the University of Lorraine, and the University of Dundee found that the current standard, developed by the 3rd Generation Partnership Project (3GPP), an international organization comprised of telecommunication companies, lacks security goals and precision.[vi] According to the research, the Authentication and Key Agreement (AKA), a security protocol used in 5G networks, has vulnerabilities that allow malicious actors to steal data and intercept communications. Such vulnerabilities could be exploited by foreign adversaries to attack critical infrastructures in the U.S. While the administration does not have direct control over 5G standard-setting, it must work with telecommunications companies to test the network and ensure its cybersecurity before rollout.
Another security aspect to consider is the role of 5G in driving innovation in the form of Internet of Things (IoT) devices. From smart-home appliances to self-driving cars, the next-generation network is expected to support billions of new classes of devices and sensors for both public and private use. This development would greatly increase the threat to already-vulnerable IoT devices.[vii] Hackers showed their ability to compromise IoT devices with massive Distributed Denial of Service (DDoS) attacks back in 2016.[viii] In addition, personal data collected by thousands of IoT devices could be stolen by malicious actors.[ix] All of these risks are set to be exacerbated by 5G, as IoT devices would heavily depend on the speed and accessibility of the next-generation network. The fact that a 5G network will increase internet speed means that it would take less effort for hackers to overwhelm networks due to the exponential rate of traffic directed to targets.[x] The government’s effort to mitigate such threats should center on supply chain management. Congress must pass federal legislation to ensure that security measures that prevent hacking, spying, and other cyber threats are built in from the start.
So far, not only has the US government done little to enhance 5G cybersecurity, but the Republican-led Federal Communications Commission (FCC) charged with protecting public and national security in 5G networks described its role in cybersecurity as “extremely limited” and opposed efforts to “unify rules that would apply to an entire industry.”[xi] Similarly, the FCC reversed an Obama-era policy that invited leaders in 5G technologies to help incorporate cybersecurity-enhancing features into the next-generation wireless network.[xii] As the regulatory body responsible for all commercial communications in the U.S., it would be wise for the FCC to take on a larger role in regulating telecommunications.
This would lead to more robust and resilient network services as part of the national security requirement and enhance emergency preparedness. To support a strongly authenticated and encrypted network, the administration and FCC must also push for a private sector-led effort to secure 5G. Funding third-party threat modeling and security audits could also ensure the proper installation of cybersecurity measures by telecommunications companies.
The good news is that the Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure (SECURE) Technology Act[xiii] signed into law earlier this year was a step in the right direction. This bipartisan legislation seeks to establish a Federal Acquisition Security Council and to “provide executive agencies with authorities to mitigate supply chain risks in the procurement of information technology.”[xiv] The bill could replace the ineffective practice of blocking individual companies and adopt a more effective approach to establishing a process for managing risks to the networks, including the next-generation 5G wireless network, that serve federal government agencies and support critical U.S. infrastructure.
[i] Brian Fung, “US bans Huawei from selling telecom gear and threatens its supply chain,” CNN, May 16, 2019, https://www.cnn.com/2019/05/15/tech/trump-executive-order-telecom-security/index.html.
[ii] Elsa B. Kania, “The Pursuit of AI Is More Than an Arms Race,” Defense One (blog), April 19, 2018, https://www.defenseone.com/ideas/2018/04/pursuit-ai-more-arms-race/147579/.
[iii] Tom Wheeler, “China is Racing ahead in 5G. Here’s what that means,” MIT Technology Review, December 18, 2018, https://www.technologyreview.com/s/612617/china-is-racing-ahead-in-5g-heres-what-it-means/.
[iv] Klint Finley, “Fear of China Scuttles Deal That Didn’t Involve China,” Wired, March 13, 2018, https://www.wired.com/story/fear-of-china-scuttles-deal-that-didnt-involve-china/.
[v] Klint Finley, “Fear of China Scuttles Deal That Didn’t Involve China,” Wired, March 13, 2018, https://www.wired.com/story/fear-of-china-scuttles-deal-that-didnt-involve-china/.
[vi] David Basin et al., “A Formal Analysis of 5G Authentication,” June 27, 2018, https://doi.org/10.1145/3243734.3243846.
[vii] Joe Uchill, “Why 5G Keeps Security Experts Awake,” Axios, September 22, 2018, https://www.axios.com/5g-networks-security-concerns-6fed1b7a-e8c4-46b7-9cc6-cde16483e21f.html.
[viii] Danny Paez, “With 5G, Cybersecurity Researchers See a Hotbed of Security Risks,” Inverse (blog), August 22, 2018, https://www.inverse.com/article/48293-5g-future-cybersecurity-risks.
[ix] Roberta Rottigni, “The Growing Importance of Data Security for IoT,” Readwrite, June 18, 2018, https://readwrite.com/2018/06/18/the-growing-importance-of-data-security-for-iot/.
[xi] Tom Wheeler, “Cybersecurity Is Not Something; It Is Everything,” Brookings (blog), February 15, 2018, https://www.brookings.edu/blog/techtank/2018/02/15/cybersecurity-is-not-something-it-is-everything/.
[xiii] Rep. Hurd, Will [R-TX-23], “Strengthening and Enhancing Cyber-Capabilities by Utilizing Risk Exposure Technology Act,” Pub. L. No. H.R.7327 (2018), https://www.congress.gov/bill/115th-congress/house-bill/7327/text.
[xiv] Rep. Hurd, Will [R-TX-23].