After years of hype and anticipation, we are now seeing concrete, critical decisions being made to speed 5G advancement in the US.
The FCC has prioritized efforts to modernize outdated regulations and update infrastructure policy to promote and encourage investment in 5G networks. In September it made additional spectrum available for 5G services, auctioning off more than $4.5 billion in priority-access licenses, and it has launched a range of 5G-focused initiatives – from creating playbooks that help streamline the installation of new network infrastructure to incentivizing carriers to deploy advanced 5G services in rural America.
Organizations and businesses understandably want to drive efficiencies and create new conveniences for customers and their own operations, but amid this "race" to 5G, security concerns have become an increasingly squeaky wheel. As we move towards a digitally interconnected smart world, it is critical to recognize that just one exploited device can weaponize a network and potentially jeopardize critical systems the public relies upon, such as water treatment plants.
Device and data exposure
In the early 2010s, Western intelligence communities identified multiple concerns about the lead China-based manufacturers like Huawei had developed in 5G. In response, several of those governments established working groups focused on the potential vulnerabilities that could be introduced through the hardware and software being used.
Although the Huawei issue has dominated much of the 5G security discussion, the scale and scope of risk is much broader and deeper. For all the transformative potential 5G holds, its ability to magnify and exacerbate cybersecurity challenges cannot be overlooked.
With the IoT now commonplace across enterprise environments, exploiting just one device holds the potential for mass weaponization across the wider network. This applies not just to the devices themselves, but also to the data that each device collects and stores.
When the 5G rollout is complete, today’s traditional security threats will seem quaint. Businesses will be exposed to greater levels of risk due to the sheer number of vectors through which hackers can potentially attack, and they will need to respond differently – relying on alternative types of mitigation techniques and working faster to stop attacks from spreading, all while ensuring measures are in place to protect the data their devices are host to.
'Compromised by design'
By deploying 5G-enabled IoT devices at scale, organizations are creating new – and in many cases, unmanaged – points of entry. Add to this the reality that many connected devices are still being manufactured with poor security standards.
In response, organizations must work from the assumption that every aspect of 5G infrastructure is 'compromised by design' and therefore develop methodologies to establish security and encryption outside the boundaries of the 5G infrastructure.
As 5G speeds continue to approach and eclipse the usable speeds of cable and DSL broadband, it will continue to become more common and new security threats will continue to emerge. While core 5G security principles will continue to be outlined at the government level, businesses must take proactive measures to boost protection levels, and security teams must educate themselves on the policies, procedures and standards required to successfully assess risk.
A secure revolution
Much has been said about how 5G could affect our lives. From the way we drive (or don't drive) our cars, to how we manage chronic health conditions, the transformational potential is monumental.
Beyond smart cities, driverless cars and drones, 5G will also revolutionize the way we work. And while these changes will not happen overnight, we are already seeing the impact of 5G on businesses' ability to transform, innovate and automate at a greater rate.
Right now, as critical decisions are being made that will allow 5G infrastructure to mature and deploy more quickly, organizations must understand the risks and make the right security considerations.
Accepting fundamental vulnerabilities
The Internet itself was not created with security in mind, so organizations must assume the next generation of IoT devices and 5G infrastructure will be fundamentally vulnerable to cyber threats. To avoid becoming a target, then, they must be proactive in their approach to cybersecurity and prioritize safeguarding all IoT-based systems.
Recognizing what data needs protecting is a key factor for developing a clear and cohesive security strategy. This allows organizations to successfully focus on their more vulnerable data, processes, and models, guarding valuable information from attacks moving forward. On a more granular level, they must ensure the appropriate controls are in place for threat vulnerability and patch management while also making certain that important data is identified and encrypted.
It’s not feasible for a business to develop every single component for the technology it uses, so it is imperative to pay close attention to supply chain hygiene. Remember that the third-party vendors developing IoT devices do not exactly have a strong security track record and recognize that vulnerabilities have the potential to be deliberately planted during the manufacturing process.
No immunity for breaches
Even sophisticated enterprises with robust cyber defenses are at greater risk of mass scale data breaches as their connectivity increases. While prioritizing preparedness and fostering a strong culture of security awareness are foundational values, at the bedrock level of any successful approach is the understanding that speed cannot come before security.
Reassess and reconfigure any existing security measures and practices in place to ensure they will be effective for the hyperconnected era we are entering. Otherwise, the race to 5G could unlock as many threats as it does opportunities.
— Rodney Joffe, Senior VP and Fellow, Neustar
Rodney Joffe is a security pioneer who founded a pair of keystone organizations in the space – Genuity (first commercial Internet hosting company) and UltraDNS (first outsourced, cloud-based DNS company) – and now serves as SVP and Fellow at Neustar. He regularly contributes his insight and experience to organizations like ICANN and the U.S. government, and has sat on the cybersecurity intelligence panel and served as an advisor to the Obama White House. He's one of the first civilians to receive the FBI Director's Award for outstanding cyber investigating (due to his role in uncovering and taking down the Butterfly Botnet) and has helped establish and lead prominent engineering organizations including NANOG, ARIN, IETF and OARC, as well as numerous working groups including Conficker and M3AAWG.
Photo by Franck on Unsplash