The European Commission in December 2019 declared that “an ambitious 5G introduction is essential for Europe to have a leading position and to take early advantage of the new market opportunities”. 5G will be a physical overhaul of essential networks that will have decades-long impact: it will entail the conversion to a mostly all-software network and future upgrades will be software updates much like the current upgrades to smartphones. Because of the cyber vulnerabilities of software, the tougher part of the real 5G “race” is retooling how to secure the most important network of the 21st century and the ecosystem of devices and applications that sprout from that network.
Effective progress toward achieving even minimally satisfactory 5G cyber risk outcomes is compromised by a hyperfocus on legitimate, but narrow, concerns regarding Huawei equipment in U.S. and European networks. The Trump administration has continued an Obama-era priority of keeping Huawei and ZTE out of domestic networks; that equipment question, however, is only one of many important 5G risk factors. The hyperbolic rhetoric surrounding Chinese equipment is drowning out what should be a strong focus on the full breadth of cybersecurity risk factors facing 5G.
Policy leaders from Washington, D.C. to Brussels should be conducting a more balanced risk assessment, with a broader focus on the vulnerabilities, threat probabilities, and impact drivers of the cyber risk equation. This should be followed by an honest evaluation of the oversight necessary to assure that the promise of 5G is not overcome by the cyber vulnerabilities that result from hasty deployments which fail to invest sufficiently in cyber risk mitigation. Fifth-generation networks create a greatly expanded, multidimensional attack surface; the redefined nature of these networks therefore requires a similarly redefined cyber strategy.
The recommendations that follow are both important and not without cost. In normal times, such suggestions might be judged too much of a departure from traditional practices. These are not normal times, however. The outlook for a future that relies on 5G and other new digital pathways is cyber-defined. Both the United States and the European Union have moved into a new era of non-kinetic warfare and criminal activity by nation-states and their surrogates. This new reality justifies the following corporate and governmental actions.
Companies must recognize and be held responsible for a new cyber duty of care
The first of this two-part proposal is the establishment of a rewards-based (as opposed to penalty-driven) incentive for companies to adhere to a “cyber duty of care.” Traditionally, common law established that those who provide products and services have a duty of care to identify and mitigate potential harms that could result. There needs to be a new corporate culture in which cyber risk is treated as an essential corporate duty and rewarded with appropriate incentives, whether in monetary, regulatory, or other forms. Such incentives would require adherence to a standard of cyber hygiene which, if met, would entitle the company to be treated differently than other non-complying entities. Such a cyber duty of care includes the following:
- Reversing chronic underinvestment in cyber risk reduction. Proactive cyber investment today is the exception rather than the rule.
- Implementation of machine learning and artificial intelligence protection. The speed and breadth of computer-driven cyberattacks require the speed and breadth of computer-driven protections at all levels of the supply chain.
- Shifting from lag indicators of cyber-preparedness (post-attack) to leading indicators. The 5G cyber realm needs to adopt a leading-indicator methodology to communicate cyber-preparedness between interdependent commercial companies and with the government entities charged with oversight responsibilities.
- Cybersecurity starts with the 5G networks themselves. All the networks that deliver 5G—whether big brand names, small local companies, wireless ISPs, or municipal broadband providers—must have proactive cyber protection programs.
- Insert security into the development and operations cycle. Software companies and those providing innovative, software-based products and services are beginning to insert cybersecurity into the process as a design, deployment, and sustainment consideration for every new project.
- Best practices. While industry-developed best practices are a step in the right direction, they are only as strong as the weakest link in the industry and continue to place the burden on poorly informed consumers to know whether the best practices are being fulfilled. The 5G commercial sector needs to acknowledge the limits of consumer-based actions, own the residual risk, and work together with government oversight to assign cross-sector mitigation responsibilities.
Government must establish a new cyber regulatory paradigm to reflect the new realities
Current procedural rules for both U.S. and European agencies were developed in an industrial environment in which innovation and change—let alone security threats—developed more slowly. The fast pace of digital innovation and threats requires a new approach to the business-government relationship.
- More effective regulatory cyber relationships with those regulated. A new cybersecurity regulatory paradigm should be developed that seeks to de-escalate the adversarial relationship that can develop between regulators and the companies they oversee. It would be designed to reward sectors whose participants have organized and are clearly investing ahead of failure to address risk factors. Conversely, where sectors are ignoring cyber risk factors, graduated regulatory incentives can change the corporate risk calculus to address consumer and community concerns.
- Recognition of marketplace shortcomings. A rewards-based policy would amplify the value of cyber duty of care participation, especially when others fall short. It would also provide a forward-looking incentive for risk reduction and a more useful feedback loop when breaches invariably occur.
- Consumer transparency. Consumers should be given the tools with which to make informed decisions. “Nutritional labeling” about cyber risks, or a cyber version of Underwriters Laboratories’ certification, will help focus the attention of all parties on its importance.
- Inspection and certification of connected devices. For years, the FCC and CISPR have overseen programs to certify that radio-signal-emitting devices do not interfere with authorized use of the nation’s airwaves. Why should radio networks be protected from harmful equipment, but not 5G networks from cyber-vulnerable equipment?
- Contracts aren’t enough. Governments often seek to use their purchasing power to impose cybersecurity requirements. This is an important, proven practice, but it can only go so far. Such acquisition policies, for instance, do not reach non-government suppliers that, in an interconnected network, can wreak havoc simply by connecting to the network.
- Stimulate closure of 5G supply chain gaps. In both the U.S. and Europe, review of mergers and acquisitions has typically failed to appreciate the potential negative impact on critical supply chains. Country-of-origin and ownership concerns must become relevant both to the corporate calculus that led to offshoring purchase decisions and to the market conditions that led to the destruction of a national capability in the first place. 5G supply chain market analysis must be continuous, with regular engagement between regulators, industry, and the executive and legislative branches to properly incentivize globally competitive domestic sourcing alternatives.
- Re-engage with international bodies. At present, the standards-setting process for 5G is governed by the 3rd Generation Partnership Project (3GPP), an industry group that makes decisions by consensus based on input from its members, including Chinese 5G equipment companies. Both the U.S. and the E.U. should have policy-maker engagement with 3GPP; governments should have some degree of agency in the process. This will allow for earlier issue identification and the opportunity to submit concerns, without changing the basic governance of standards setting.
To conclude, both the European Union and the United States have their own responsibility to create incentives for 5G companies to focus on the cyber vulnerabilities they create. This is especially the case where a corporate or marketplace lack of motivation means a maximum cyber effort is not prioritized. As outlined in this article, this will necessitate replacing the rigid industrial-era relationship between government and business with more innovative and agile means of dealing with the shared problem. Yes, the “race” to 5G is on—but it is a race to secure the shared future of the United States and Europe.
A first version of this article was published at https://www.brookings.edu/research/why-5g-requires-new-approaches-to-cybersecurity/