There are a number of risks associated with the fledgling adoption of fifth-generation mobile networks, including the introduction of technology from untrusted suppliers and pathways as well as vulnerabilities that carry over from legacy networks, the Department of Homeland Security’s cyber security agency said on Wednesday.
The Critical Infrastructure Security and Resilience Note from the Cybersecurity and Infrastructure Security Agency (CISA) is an initial risk summary related to the implementation and adoption of 5G networks, which are expected to usher in advances in autonomous vehicle use, the Internet of Things, and automation generally due to increased bandwidths and faster speeds.
The first page of the 16-page document contains four bullet points of concerns, including the use of 5G components from untrusted sources that “could expose U.S. entities to risks introduced by malicious software and hardware, counterfeit components, and component flaws caused by poor manufacturing processes and maintenance procedures.” It says that even if U.S. networks are secure, data that travels through overseas networks could be at risk.
Christopher Krebs, the director of CISA, said on Wednesday that with logistical vulnerabilities come supply chain concerns.
“Do we have sufficient trusted vendors in the marketplace?” he said at a 5G event hosted by the Center for Strategic and International Studies. “Who are the untrustworthy vendors? How do we encourage and incentivize more trustworthy diversity of options going forward?”
5G networks will also rely on more components than previous generations, increasing the attack surface, which means “security enhancements will in part depend on proper implementation and configuration,” the note says.
Vulnerabilities with 5G networks are unknown and these networks will build upon previous mobile networks that “contain legacy vulnerabilities,” the assessment says.
Finally, the assessment says 5G technologies of untrusted companies may not be standardized for interoperability, which means entities that rely on these companies may have trouble updating, repairing and replacing these technologies, which could increase lifecycle costs.
“The lack of interoperability may also have negative impacts on the competitive market as companies could be driven out if the available competitive market decreases,” the risk summary says.
The risk characterization was produced through ongoing work by CISA’s National Risk Management Center and its Information and Communications Technology Supply Chain Risk Management Task Force. The task force is a public-private partnership consisting of companies such as AT&T [T], CenturyLink [CTL], Cisco Systems [CSCO], Sprint [S], Verizon [VZ], Microsoft [MSFT], and others, as well as government agencies such as DHS, the Defense Department, the Office of the Director of National Intelligence and others.
The assessment includes six mitigations and six recommendations that the U.S. government can lead, Krebs said. These include encouraging development of trusted 5G technologies and services, development of future trusted generations of technologies, promoting consensus-based international standards that are open and transparent and that don’t disadvantage trusted companies, limiting adoption of vulnerable 5G technologies, working with the private sector on identifying risks and mitigating them, and “ensuring robust security capabilities for 5G applications and services,” according to the summary.
Krebs said it’s going to take the entire government working together to mitigate risks from 5G networks, including at the strategic, policy, tactical and operational levels. Government and industry also have to coordinate closely, he said, highlighting that the private sector knows their technologies and networks better than anyone.