
ISSA DEVELOPING AND CONNECTING CYBERSECURITY LEADERS GLOBALLY

The global race to implement 5G raised many public policy and cybersecurity issues. This article tackles some of the public policy issues associated with the 5G rollout in the US and offers a glimpse of the international perspective as well.

By Glorin Sebastian, CISSP, CISA

Public Policy and Cybersecurity: The Impact of International Trade in 5G products

I – Issue description

5G is the fifth-generation technology standard for broadband cellular networks. With speeds that range from 50 Mbit/s to 1 gigabit/s, low latency communication and higher data caps, the 5G networks are expected to transform many industries and provide support to cutting-edge technologies such as Artificial Intelligence, self-driving cars, virtual reality, etc. With 5G being rolled out throughout the globe, the US is in a race with other world nations to get 5G technology deployed. To enable this, the FCC (Federal Communications Commission) has created the “5G Fast plan,” which is a comprehensive strategy to enable the faster deployment of 5G across the United States. Given that the 5G infrastructure has many components, and some of these components are manufactured by foreign companies, the public policy question becomes: to enable this quick deployment of 5G infrastructure in the US, should the US allow foreign 5G components to be part of the national infrastructure? This article tries to enable an unbiased discussion on this topic.

The 5G Fast Plan, put forward by the FCC, focusses on three main steps. First, making high, preferably mid, and low band spectrums available, which includes spectrum reallocation from various stakeholders including the U.S. military. [1] Second, getting the infrastructure policy updated, which will reduce federal regulatory impediments to deploying small cells. Third, updating outdated regulations including restoring internet freedom, speeding the IP transition, and adopting rules banning the use of taxpayer dollars to purchase equipment or services from companies that pose a national security threat to the integrity of American communications networks or the communications supply chain. [2]

The first factor that makes 5G vulnerable to attacks is the fact that the supply chain for 5G infrastructure consists of many different components, with companies headquartered in different countries having leading market share in different parts of that supply chain. When we refer to 5G products, we are referring to 5G equipment. The three main 5G equipment categories are:

• Radio access network: Dominated by foreign companies (e.g., Huawei, ZTE, also Nokia, Ericsson)

• Core network (routers): Mostly US companies such as Cisco and Juniper and Huawei

• Chipsets: Dominated by US companies such as Qualcomm, Intel, Broadcom

The second factor that increases the attack surface for 5G is its move from hardware switching to digital, software-defined routing [3], which makes it vulnerable to more cyber threats because 5G networks use more virtualization than earlier generations.

14 – ISSA Journal | February 2021


Even though there are many cyber threats to the 5G network, the threat to the US 5G infrastructure from foreign equipment is often the most talked about and discussed. Hence it is interesting to review this further from a public policy perspective.

II – Public policy conflicts:

The main conflicting parties in this issue are the government administration and the industry players, and to a small extent the foreign companies such as ZTE, Huawei, Samsung etc., even though the foreign companies have limited say in this conflict. The main strife, as you would expect in most cybersecurity related issues, is between the government administration, who want to ensure the safety of the 5G infrastructure, and the private industry players, since 5G deployment in the US is led by private industry players supported by the government. The discussions by the government to secure the 5G infrastructure, along with the novelty of the technology, have led to conservative statements such as from the Air Force General Spalding, who called for the nationalization of 5G infrastructure, causing uproar from industry. [4]

This difference is mainly based on different normative views of distribution of economic costs and benefits. Industry gives prominence to profits and less expensive options, while the government tries (to a very large extent) to push for general welfare and security of the country and its people. This is the reason (at least in my opinion) that most cybersecurity directives have little impact on industry-leading practices until they are mandated by law and fines. For example, Privacy by Design (PbD), a methodology that was suggested in 2010 to include privacy during the software design discussions, was not considered by the private players until it was mandated by GDPR (General Data Protection Regulation), Section 25.

Also, there is some ideological factor involved, since the US sees Communist China as a competitor who is not an ally and hence fears that China could use the 5G infrastructure of Chinese companies like Huawei and ZTE for espionage.

III – Applicable US regulations, laws, and norms:

Given the novelty of 5G technology, there is a requirement for a new law or regulation for governance. While there is little conflict on the requirement of a 5G cybersecurity infrastructure and strategy, which is being worked on by the CISA (Cybersecurity and Infrastructure Security Agency), there have been contentions on the Executive Order #13873, which restricts the inclusion of communication technology developed by companies under jurisdiction of foreign adversaries.

The cybersecurity concerns for 5G are high, and since it would be used for supporting new technologies such as the Internet of Things (IoT), it adds to those concerns since it puts private and mission critical data on public infrastructure. This includes data from insurance, healthcare, and energy utilities where cyber disruption of capabilities could be critical. The mobile network providers are responsible for securing the transmission of data across their network. But there is also the problem of security of 5G devices, IoT endpoints, and cloud applications, which the industry is responsible for. The main rules, laws, or regulations that are relevant to this conflict are included below:

Cybersecurity and Infrastructure Security Agency (CISA) releases 5G Infrastructure and Cybersecurity Strategy:

Given that the U.S. is in a race to get the 5G technology deployed, the nation’s top federal risk adviser, CISA, has released its strategy for securing the new infrastructure. CISA’s strategic vision focuses on a combination of commerce, security, and global relations. It lists three basic priorities as the bedrock of its approach [5]:

• Risk management: Support 5G standards and development by expanding awareness around 5G supply chain risks.

• Stakeholder engagement: Partner with stakeholders to secure existing infrastructure; foster innovation through promotion of trusted vendors. Untested components and vendors with higher risk need to be identified and extra scrutiny applied.

• Technical assistance: Share information on effective risk management strategies.

CISA’s role with state and local governments will involve partnerships to share information on the latest vulnerabilities, and continuous communication on policy, technical, and legal issues that could inhibit secure 5G deployment. The report also mentions that CISA will work with telecom vendors rolling out 5G to identify vulnerabilities and ensure cybersecurity is prioritized within the design and development of 5G technology. The multi-layered approach, identifying the interconnectivity of devices and its physical environment, as well as deploying virtualization and automation among other defenses, will help to lessen risk and prepare organizations for the promises of IoT in a 5G world. 5G has more sophisticated encryption features than earlier technologies, and it has a new ‘Security Edge Protection Proxy’ that prevents threats from less-secure interconnected networks (such as SS7) from harming 5G networks. [5]

Secure 5G and beyond Act

In March 2020, the US government signed into law the “Secure 5G and beyond Act” that mandates formulation of a strategy to ensure the security of next-generation mobile telecommunications systems and infrastructure in the United States and to assist allies and strategic partners in maximizing the security of next-generation mobile telecommunications systems, infrastructure, and software, and for other purposes. [6]

E.O 13873 - Executive Order on Securing the Information and Communications Technology and Services Supply Chain

E.O 13873 authorizes authorities to prohibit transactions involving ‘communications technology’ designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries that augments the ability of foreign adversaries to create and exploit vulnerabilities in information and communications technology or services, with potentially catastrophic effects, and thereby constitutes an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States. [7]

The White House issues an executive order, barring US companies from doing business with Huawei due to national security concerns about the Chinese firm supplying equipment for network infrastructure. These concerns stem from two sources:

• The concerns around espionage by the Chinese government: The companies ZTE and Huawei are both headquartered in the PRC and hence come under the Chinese National Intelligence Law of 2017, which requires organizations and citizens to support, assist, and cooperate with state intelligence work. There is also the 2014 Counter-Espionage Law that states that when the state security organ investigates and understands the situation of espionage and collects relevant evidence, the relevant organizations and individuals shall provide it truthfully and may not refuse. [8]

• The poor design or cybersecurity vulnerabilities in the Chinese 5G equipment: The Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board report from the UK government, an organization set up by the UK’s National Cyber Security Centre to evaluate the security risks posed by using Huawei’s equipment in critical national infrastructure, says that there has not been any direct evidence of state-backed espionage. However, the code has been called ‘sloppy’ or lacking “basic engineering competence and cybersecurity hygiene” and could be exploited by a future cybersecurity attack. [9]

The foreign companies such as ZTE and Huawei have denied all espionage allegations, and Huawei even offered to sell the 5G technology to any US firm [10] as a gesture of goodwill. It is to be pointed out that no strong evidence has been found to support the claim of espionage, and also banning foreign 5G equipment could harm the US in the long run, given US companies benefit directly from a global trade in 5G products. However, the US government has stood by its initial decision to ensure foreign players are kept out of the 5G supply chain to ensure its integrity. While it is hard to argue with the US government stand, as the security of the country should obviously be the primary concern, the cons to this protectionism would mainly be that there would be less global trade in 5G equipment, and given US companies are among the major manufacturers of core routers and chipsets, they could be adversely affected.

Other countries' approach to Foreign 5G equipment:

Several countries share some of the same sentiments as the US. UK bans installation of Huawei 5G equipment starting in September 2021. Other countries with similar bans include Sweden and Vietnam. Other countries that have not banned Huawei and ZTE technology but plan to move away from it by building local technologies include India, Germany, Serbia, and Japan. [12]

IV – Recommendations

5G is going to transform the economy and everything associated with it, and thus the 5G infrastructure will be the backbone of this economy that would support various new technologies including IoT, driverless cars, robotic surgeries etc. Hence thinking about cybersecurity right from design is a welcome development. I think the fact that CISA would work with industry to come up with a security strategy and framework is outstanding.

As noted in the Comprehensive Guide to 5G Security (2018, 1st ed.), the security for 5G will need to be guaranteed at different levels including access level, infrastructure level, and service level. For example, at infrastructure level, enabling a variety of technologies like SDV (switched digital Video), NFV (Network Functions Virtualization), network slicing, etc. makes 5G infrastructure more open and programmable, thus driving new security requirements such as how to manage network slices securely. At the service level, the newly defined services need to be prioritized, for example eHealth is more important than augmented reality. [11] As the deployment progresses, involvement of newer actors and business models will derive new service delivery and trust models.

Even though the U.S. government stand to exclude foreign 5G equipment from being part of the US 5G supply chain is understandable from a national security perspective, the con to this decision is that the global trade in 5G products would be adversely affected and there could be more reactionary protectionist policies worldwide. The optimal solution here would be to enable the global trade in 5G equipment but enforce strict standards and quality checks for this equipment before being used as part of the 5G infrastructure. This protects the global trade and economy as well as allays any fears of international espionage via foreign 5G infrastructure components.

Disclaimer: This article is an unbiased and independent analysis of the policy issues regarding the cybersecurity impact of international trade in 5G products based on security reviews and conclusions conducted by various nations.


References:

1. Horwitz, J. (2020). U.S. will reallocate military 3.5GHz spectrum for consumer 5G in 2021. Retrieved 29 November 2020, from https://venturebeat.com/2020/08/10/u-s-will-reallocate-military-3-5ghz-spectrum-for-consumer-5g-in-2021/

2. Federal Communications Commission. 2020. The FCC’s 5G FAST Plan. [online] Available at: <https://www.fcc.gov/5G> [Accessed 28 November 2020].

3. “WS-21: SDN5GSC – Software Defined Networking for 5G Architecture in Smart Communities”. IEEE Global Communications Conference. May 17, 2018. Archived from the original on March 8, 2019. Retrieved March 7, 2019.

4. Retired general warns against letting China dominate 5G networks. (2019, January 04). Retrieved November 28, 2020, from https://www.latimes.com/business/la-fi-china-5g-networks-20190104-story.html

5. Ropek, L., 2020. CISA Releases 5G Infrastructure and Cybersecurity Strategy. [online] Govtech.com. Available at: <https://www.govtech.com/network/CISA-Releases-5G-Infrastructure-and-Cybersecurity-Strategy.html> [Accessed 29 November 2020].

6. Text - S.893 - 116th Congress (2019-2020): Secure 5G and Beyond Act of 2020. (2020). Retrieved 29 November 2020, from https://www.congress.gov/bill/116th-congress/senate-bill/893/text

7. Executive Order on Securing the Information and Communications Technology and Services Supply Chain | The White House. (2020). Retrieved 29 November 2020, from https://www.whitehouse.gov/presidential-actions/executive-order-securing-information-communications-technology-services-supply-chain/

8. (2020). Retrieved 29 November 2020, from https://www.cnbc.com/2019/03/05/huawei-would-have-to-give-data-to-china-government-if-asked-experts.html

9. UK watchdog slams Huawei over ‘serious’ cybersecurity vulnerabilities. (2020). Retrieved 29 November 2020, from https://www.theverge.com/2019/3/28/18285185/huawei-uk-government-cybersecurity-report-5g-roll-out-security-concerns

10. Huawei CEO offers to sell 5G tech to any US firm in peace attempt with Trump. (2020). Retrieved 29 November 2020, from https://www.theweek.in/news/biz-tech/2019/09/13/huawei-ceo-offers-sell-5g-tech-US-firm-peace-attempt-trump.html

11. Liyanage, M., Ahmad, I., Abro, A. B., Gurtov, A., & Ylianttila, M. (2018). A Comprehensive Guide to 5G Security (1st ed.). Wiley.

12. Keane, S. (2021, January 15). Huawei ban timeline: Follow the saga of the Chinese telecommunications giant. Retrieved January 15, 2021, from https://www.cnet.com/news/huawei-ban-full-timeline-us-sanctions-china-trump-5g

About the Author

Glorin is a Senior Cybersecurity consultant at a big-4 with close to 7 years of cybersecurity and Information risk management experience. Certified CISSP, CISA. Published author and also reviewer for international cybersecurity and privacy Journals and conferences.

Owning our Future
continued from page 6

Conclusion

The new year gives us hope. Each of us as Cybersecurity professionals, parents, students, business owners, workers, and members of society has a part in owning our future. This means staying connected to topics, movements, events, continued education, and networking with like-minded individuals to continue the conversation within our purview. Let’s own our future because we will make a difference.

About the Author

Dr. Curtis C Campbell is VP of Atlantic Capital Bank in Atlanta, GA, serves as Director on the ISSA International Board, and is President of the ISSA Chattanooga Chapter. Curtis holds a Ph.D. in Organizational Leadership in Information Systems Technology and serves on the advisory board of University of TN-Chattanooga, a national Center for Academic Excellence for Cyber-Defense (CAE-CD) studies. She was named ISSA Fellow in 2020. Connect with Curtis via [email protected].
