I moderated the final panel of GSMA’s Mobile 360 Security for 5G event last week on a topic with potentially high controversy value: Certification and securing the 5G supply chain.

It was the starting point for four security veterans to debate the pros and cons of certification and, of course, to touch on the implications for the 5G supply chain given the current US-China political climate.

That this panel session also allowed anonymous questions to be asked only added to a sense of danger that the topic could be hijacked by geopolitical discussions.

What came out of the panel was more constructive than I had anticipated. Our head of GSMA Intelligence, Peter Jarich, summarised the key messages from the event’s first day in last week’s blog on why security needs to be top of mind for 5G. Our panel, on top of highlighting the specific risks arising from a 5G supply chain and discussing certification, offered three additional takeaways for individuals, the telecoms industry and the wider 5G ecosystem on how to provide the security assurance a resilient 5G supply chain needs.

Certification should lead to building a company’s cyber-resilience
The GSMA’s Network Equipment Security Assurance Scheme (NESAS) is an existing voluntary framework, jointly defined with 3GPP, that provides a security baseline demonstrating that network equipment satisfies security requirements in vendor development and product lifecycle processes.

In March, the European Commission announced the EU Cybersecurity Act, which will include a European-wide cybersecurity certification framework related to 5G.

These schemes provide not only the necessary security assurances from network equipment manufacturers to operators, but also visibility of the security status of network equipment to other upstream and downstream suppliers. They are just two examples of certification designed to give operators and equipment manufacturers industry-accepted guidance for recognising the security risks that may reside in their 5G systems as they deploy the networks.

Because these schemes focus on certifying network components in a way that is achievable by the ecosystem, the scope and intent of certification may be limited and give the wrong impression. The panel warned about the real possibility that individuals and companies would perceive certification as a tick-the-box exercise. Instead, they suggested certification should be framed so that it influences the behaviour of individuals and companies, entrenching “good” security habits in everyday practice. These desired outcomes exceed the scope of NESAS or the EU Cybersecurity Act certification framework, going beyond technology to include assurances on the company’s security operations and business culture.

What is needed is to reframe the security question: our industry should consider a metric that indicates a company’s cyber-resilience in the 5G era. While it is difficult to define something that enables like-for-like comparison, some kind of measure is essential, if only to contribute to security awareness across the telecoms sector and the wider 5G ecosystem.

I will be keen to explore how a 5G trust model might facilitate building a more resilient 5G network: watch this space.

Experiment, learn, iterate; then collaborate, cooperate and cultivate
A clear message from the event was that specific 5G security and service requirements are currently unknown to both enterprises and the ecosystem of operators, network equipment manufacturers and software vendors. In the UK, the Department for Digital, Culture, Media and Sport (DCMS) runs 5G testbeds and pilots to help discover use cases, including enterprise needs and security requirements. Such experiments are also being conducted by various cross-industry organisations, including efforts from the GSMA. The panel called for wider dissemination of learning points across the 5G ecosystem, to build a body of security research on 5G network systems.

An area of experimentation not yet explored in great detail is security testing for failure. Our panel offered the example of the Chaos Monkey tool, an engineering approach that deliberately tests for resilience by randomly disabling machines in a running system. Such an idea may be contrary to traditional telecoms principles, but the learning points at this initial 5G experimentation stage could broaden the scope of available security research on 5G systems.

Change the incentives
In the run-up to this event, I filled in for Peter on GSMAi’s weekly Data Point covering revenue for IoT security. Our IoT data estimates that the share of security revenue in total IoT revenue would grow from 1 per cent in 2018 to only 3 per cent by 2025, reaching $28 billion. For comparison, IoT connectivity revenue is expected to make up 5 per cent by 2025.

The 3 per cent understates the actual importance of IoT security, but it also reflects the challenge of building the ROI case for investing in security.

Though 5G is more than IoT, the incentives equation remains the same. What is the best way for companies to build their business case to request additional funding to address 5G security issues?

As operators and the broader 5G ecosystem consider what enterprises will require as 5G security services, another response to the incentive challenge is to offer bug bounties. The panel suggested operators and network equipment manufacturers could encourage white hat hackers to conduct security research on 5G networks, an activity with much higher entry barriers than traditional enterprise IT security research. The learnings will form the knowledge base on which the broader 5G ecosystem of operators, equipment vendors, software providers, cloud services and vertical industry companies can build their awareness and visibility of security risks.

By the end of the event, I sensed the conversation around security for 5G is only just beginning. Being at this early start of the journey means we are still able to experiment and refine our efforts to build cyber-resilience in our 5G systems and the kind of services we as individuals and companies would consume.

I have received compliments for a candid and wide-ranging panel discussion, but all the good work comes from the panellists who conducted a rather lively exchange of views on this topic. See for yourself here.

– Yiru Zhong – lead analyst, IoT and Enterprise, GSMA Intelligence

The editorial views expressed in this article are solely those of the author and will not necessarily reflect the views of the GSMA, its Members or Associate Members.