Intelligence Brief: Should we worry about 5G security? – Mobile World Live

Intelligence Brief: Should we worry about 5G security?

29 MAY 2019

As I’ve highlighted a few times on my Data Point videos, I spent some time this week at the GSMA’s Mobile360 Security for 5G event in The Hague.

What did I do there? Ate some stroopwafels. Moderated the first two sets of keynotes. Did a taste test of different types of stoopwafels. Moderated a panel of security experts. Bought some stroopwafels to take home. I mean, the security stuff is super-important, sure. But…priorities, right?

In addition to weighing down my carry-on bag with delicious Dutch desserts, I did manage to pick up a few insights into the conference topic. If only thanks to osmosis, the caliber of the speakers and the frankness of the discussions, it would have been hard not to. And, all joking aside, anyone interested in 5G, either rolling out networks or services, needs to be concerned with how we’ll secure it. While not necessarily exhaustive, here’s what I’m now paying more attention to.

5G imperative. I kicked off the keynote panel with a simple question: “Why has 5G brought the question of security to the fore?” What’s different about 5G versus 4G or 3G that makes security so much more important? The panelists’ answers centered on the attention 5G is getting from operators and regulators and consumers. The real answer, however, is implicit in that attention: it implies a massive amount of connected devices (potentially unsecure endpoints) as well as the critical digital systems expected to run on 5G.

To worry or not. If we expect lots of critical systems to run on 5G (from connected cars to connected industries) then we need to be really worried about the security of 5G networks, right? Doomsday scenarios of power grid shutdowns and cars getting hijacked, are more than just abstract concepts, they’re real world possibilities that should be keeping us all up at night. Maybe. While these might all be connected by 5G, it’s silly to believe that the only security applied to them will be in the 5G network. The services running over the 5G networks will need to be secured as well. We hear a lot about multi-layer security architectures. If we believe that they are indeed necessary, then we can’t pin all 5G security responsibilities on the 5G network alone.

Dangerous cost cutting (aka, security RoI). I’m cheap. Just ask my boss, my team, or my wife. So, when I went shopping for a home security camera on Amazon, I opted for the low-cost option, then wondered about how secure it would be and if I could trust its cloud services. The same applies to network security. Policies, products, and architectures optimised for costs may come with security risks. Or, rather, security policies, products and architectures optimised for costs may be ineffective, incurring their own costs. Ultimately, the issue is one of RoI, recognising that security outlays need to be seen as investments that deliver returns in terms of network protection, service integrity, and customer satisfaction.

SOS (Same Old Skills gap). The concept of a “skills gap” among operators is not new. Years ago when I did some work on barriers to implementing virtualisation, a lack of internal skills was cited as critical. Fast forward and the same thing exists for security skills, forcing operators to rely on the skills of their vendor partners.

Skills gap, meet innovation gap. Where a skills gap forces operators to rely on their vendors, we are forced to acknowledge a long-term evolution in the vendor landscape. Where there was once a large set of major mobile network vendors, the market is now largely concentrated amongst three main ones, especially in the RAN. Why is this a problem? Put aside theoretical arguments around the impact on pricing and incentives to innovate. If operators have a smaller set of vendors to choose from, then they have little option but to live with the decisions those vendors make around security (or how well they secure their own solutions).

Deadly rotten eggs. Apparently, connected egg trays are a real thing. If you live in a civilised country where eggs are stored in the fridge, you might now worry about how long your eggs have been around. If you keep your eggs in the pantry like a Neanderthal, however, then a tray that lets you know how long they’ve been around might make sense (note to self: Connected Neanderthal would be a great band name). But where the issue of 5G Security often revolves around critical infrastructure or connected industries, securing the lowly connected egg tray might seem unnecessary. I’d thought we’d got past that thinking, recognising that anything connected to the network becomes part of a potential attack surface. Regardless, potential threat examples ranging from light bulbs to aquarium heaters, to egg trays all got invoked as a reminder.

Moving beyond generalities. If we need 5G security to be a topic that everyone pays attention to (everyone owns in some way), then we need a broad set of stakeholders at conferences, learning about it. Simple enough. But that means the way we talk about it (technical versus strategic) will need to accommodate them all. That’s problematic, because talking about security in terms of broad trends and generalities won’t result in real, on the ground, solutions to real problems. Does that mean we exclude the less technical folks (like myself) from these conversations? No. It means we need to all get smarter and become conversant in security the way we are for RAN or device specs.

AI imperative. Another “imperative,” I know. But just as much as 5G has increased the profile of network security, network security has elevated the profile of AI. IBM highlighted this when noting the sheer volume of security notices, updates and research produced on a daily basis (around 7,000 pages). The takeaway: we need good AI tools to help us identify what matters and to help find the data we need when we need it. Beyond discovery, though, there’s a role for AI in helping us adapt to evolving threat tactics and strategies.

5G for good. In presenting the value that 5G and mobile networks can bring (and the importance of getting them right), the GSMA’s Director General Mats Granryd pointed to the promise of enhanced connectivity combined with AI and Big Data to do things like mitigate or halt tuberculosis outbreaks. It’s an important reminder, and not just because he’s my bosses’ boss. But, it also highlights an important knock-on requirement.

Trust, trust, trust. Security is different from privacy. They are two different sets of issues with different requirements and associated risks. But if 5G will be connecting us all and leveraging data to do great things, then users need to have trust in the privacy of their data, or at least trust in the way that their data is being used. Again, these issues are different from security, and they may be more difficult to tackle, requiring consumers to pay attention. But, if we want to execute on the 5G promise, they may be the most important issues.

– Peter Jarich – head of GSMA Intelligence

The editorial views expressed in this article are solely those of the author and will not necessarily reflect the views of the GSMA, its Members or Associate Members.