5G security: Is the cheese already moved?

With 5G just around the corner, it seems that people are struggling to understand all its facets – including cybersecurity.

The 5G brings far-reaching changes, significantly different from previous generations of mobile communication networks as it will cause major modifications in technology and network architecture. This architecture will connect an enormous volume of the internet of things (IoT) devices with great downloading and uploading speed and ultra-low latency.

The greater capacity, reliability and flexibility are also 5G benefits expected by businesses. These benefits range from the advantageous use of self-driving cars and drones to remote working and home broadband. However, like with all other things in life, there is also the other side of the coin.  

Inimical features of 5G technologies

Minding the number of the IoT connected devices, one of the first concerns is linked to the (ab)use of these gadgets for forming botnets aimed at the distributed denial of service (DDoS) attacks. Mobile botnets, consisting of a large number of infected devices, can launch DDoS attacks on 5G infrastructure rendering the network functions and services unavailable.

The skyrocketing data traffic through the 5G connected devices concerns service providers as artificial intelligence (AI)-based cybercrimes will also upsurge. Mobile malware, phishing attacks and ransomware are expected to exponentially increase as the world is gravitating towards 5G adoption.

Furthermore, the fact that 5G technologies will support many legacy networks, including 2G, 3G, 4G, and Wi-Fi, suggests that this technology might take over all the security challenges of these mobile networks.

Tightly connected to the use of 5G technologies, we recently warned our readers that Deepfakes, in which AI could be used to produce fake videos of celebrities, public figures and politicians, can cause irreparable damages.

Possible dark side of 5G technologies prompted an organised exploration of the flip-side of the 5G coin. For example, the European Union Member States have lately published a joint risk assessment report into 5G technology, stating thatthe security-related effects expected to follow 5G rollouts are:

  • Increased exposure to attacks and more potential entry points for attackers.
  • Due to new characteristics of the 5G network architecture and new functionalities, certain pieces of network equipment or functions can become more sensitive.
  • Increased exposure to risks related to the reliance of mobile network operators on suppliers will result in higher number of attacks paths that might be exploited by threat actors.
  • Increased risks will come from major dependencies on suppliers.
  • Threats to the availability and integrity of networks will become major security concerns.

These are only some of the examples of the dark side of the 5G technologies but it should be sufficient to persuade nations and organisations to allocate resources (time, budget and human resources) aimed at assessing, eliminating or alleviating the 5G-related risks.

Humans in the spotlight  

Currently, phishing and malware are top threats that lead to security incidents and data breaches. These threats are poised only to increase with the full use of 5G technologies. Hence, creating right 5G cybersecurity posture also requires understanding the potential for new threats coming from the human factor.

The ZED Net recently warned that CEOs and other senior board-level executives are exposing their organisations to cyber-attacks as there is a disconnect between these executives and their cybersecurity teams.  The same report states that 54% of cybersecurity professionals believe that CEOs ignore their plans to protect their executives.

With the other four components (processing, policies, technology and automation), people are the very first element in a pragmatic cybersecurity strategy. In that regard, the problems of the 5G security might be exuberated by the fact that cybersecurity is heading into a recruitment crisis. According to the (ISC)2 report, 65% of organisations in the study say they do not have sufficient number of people working in cybersecurity. About 30% of the respondents say that they lack skilled and experienced security staff, which is one of their biggest employment worries.

Defending 5G benefits

Dealing with the larger attack surface of an enormous number of connected devices inevitably requires new, diversified cybersecurity approaches. Such a method entitles stronger encryption and identity verification as well as reducing the risk of eavesdropping devices. For example, diversified identity management is a combination of device identity and service identity. This includes both physical identity of the device, assigned by manufacturers, and service identities, which are assigned by service providers or networks.

Enterprises will, furthermore, need to take advantage of virtualisation (use of the distributed security controls) to make the network nimbler and more responsive, with the ability to provide just-in-time services. However, many enterprises are not considering this as a possibility, according to very recent AT&T Cybersecurity Insights Report.

All these are actions required from the 5G providers but it will not suffice. Organisations should do its part of unceasingly being cybersecurity aware and ready to protect their networks and informational resources. One of the important tasks will be including authentication (zero-trust) policies related to numerous IoT devices that increase defence perimeter. These must also be accompanied by the endpoint security policies.

The security and privacy features need to be built into the system design as, in long term, security is a driving factor for service and network evolution – points out often controversially criticised the Chinese giant Huawei. Security and privacy requirements are often seen as obstacles or burden in the system design but ignoring them, in the beginning, is not cost-efficient in the long run. Adding features afterwards is less effective and often more costly than including proper mechanisms from the beginning, warns recent Huawei report.

The new reality, brought by the 5G technologies, should justify newly required corporate and governmental actions:

Corporates must recognise and be held responsible for a new cyber duty of care, which includes: (1) reversing chronic underinvestment in cyber risk reduction, (2) implementation of machine learning and artificial intelligence protection, (3) starting cybersecurity with the 5G networks themselves, (4) inserting cybersecurity into the development and operations cycle, and (5) following and applying ‘best practice’.

On the other hand, governments must establish a new cyber regulatory paradigm to reflect the new realities, which relates to (1) more effective regulatory cyber relationships with those regulated, (2) recognition of marketplace shortcomings, (3) consumer transparency and awareness, (4) inspection and certification of connected devices, (5) stimulate closure of 5G supply chain gaps, and (6) re-engage with international bodies.

The ‘cyber sovereignty’ is yet another suggested approach to 5G security. Since some countries, using free service platforms, store a great amount of data outside its borders, some cybersecurity policy experts suggest that the policy-makers must have mechanisms to control their own data at work, in transit, and in storage. Would cyber sovereignty be a plausible solution? It is yet to be seen.

Machines to the rescue

The Capgemini report shows that 69% of the surveyed enterprise executives believe that artificial intelligence will be necessary to respond to cyberattacks with the majority of telecom companies (80%) saying they are counting on AI to help identify threats and thwart attacks.

Most professionals believe technology will be pivotal in the future of cybersecurity with 65% of respondents in a recent report saying that AI or machine learning (ML) will be able to solve more problems than humans. However, despite this belief, only 36% of the surveyed cybersecurity and IT executives have deployed these technologies in their environments.

According to the AT&T Cybersecurity Insight report, cybersecurity organisations relying on manual security approaches likely will have a hard time keeping up. The security that is dynamic and automated will be able to quickly and effectively address the new security threats of 5G networks, and virtualisation can help provide flexibility to respond to unknown future threats.

However, relying entirely on the AI and ML to detect, prevent and respond to cyber-attacks would not be wise decision. For example, instead of solely relying on cybersecurity firewalls, organisations should encrypt and backup their valuable data.

Where do we go from here?

The 5G proponents believe that it literally has the potential to transform not only internet broadband services, but it also to enable new applications and use cases: from connected smart devices in the IoT, to autonomous vehicles, smart cities and connected factories. The list goes on.

At the moment, however, many aspects of 5G are still uncertain. Although 5G claims a number of attributes, which are designed to advance general security (e.g. stronger over-the-air encryption, subscriber identity protection and reduced risk of eavesdropping), it also brings a multiplicity of still unexplored risks.

We at VM Advisory, hence, recommend that organisations and nations should start with the 5G-related cybersecurity preparation right now. Otherwise, they might miss the boat as, it seems, that the cheese is already moved.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s