Don’t undermine the promise of 5G with the peril of poor security
Seems like it’s getting to be all 5G all the time. It’s all over TV ads, including a number of the $5.6-million-per-30-seconds variety at the Super Bowl, claiming (paraphrasing, of course) “our 5G is better than their 5G.” And the overall message is one that everybody can understand: It’s faster and better than 4G. You know, because 5 is more than 4.
Just like your iPhone 11 is better than your iPhoneX, and much better than your anachronistic iPhone6s. Or, your shaving razor with five blades is better than the one with four.
But the “more” about the next-generation cellular protocol is, as the cliché says, a double-edged sword. It’s both more promise and more peril.
The promise? Like just about any major technological leap, 5G comes with positive possibilities almost beyond imagination — among them, jobs and money. According to Gary Shapiro, president and CEO of the Consumer Technology Association (CTA), “5G infrastructure and connectivity alone promises to deliver three million jobs and $500 billion in growth to the U.S. economy.”
Kimm Yeo, senior manager at Synopsys, said 5G is a “technological leap that will transform all business models. It will redefine entertainment, communication and how businesses and consumers connect to the internet globally.”
Indeed, some of that “redefined” communication is expected to help bring autonomous vehicles and smart homes into the mainstream.
But, no surprise, it also comes with peril — major risks that malicious actors from organized crime gangs to hacktivists to hostile nation states are eager to exploit.
And a major piece of the 5G “attack surface” is software. As multiple experts have been saying in the years-long buildup to the (still incremental) rollout of 5G, this is not just about making the same infrastructure faster and more versatile. It is an overhaul.
Don’t build on sand
In an essay published by the Brookings Institution last fall, two former Federal Communications Commission (FCC) officials — former chairman Tom Wheeler and former chief of the agency’s Public Safety and Homeland Security Bureau David Simpson — called 5G a “physical overhaul” of mobile networks, converting it to “a mostly all-software network.”
Ericsson, the Swedish networking and telecommunications giant, noted in a post last June that the dominant tendency in technology trends “is already resulting in telecom networks becoming more and more software driven.”
And, as headlines constantly remind us, software is an irresistible attack surface. Irresistible because it remains riddled with so many vulnerabilities that can be exploited for profit or damage in multiple ways — among them identity theft, corporate espionage, holding data for ransom and throwing the operation of critical infrastructure into chaos.
Jonathan Knudsen, applications engineer, senior staff at Synopsys, said 5G networks are “incredibly fertile ground for software vulnerabilities,” adding that an attacker who gets control of a telecommunications network would be able to “steal sensitive information, control or stop the flow of information, and perform large-scale surveillance.”
The number of vulnerabilities keeps increasing too, since there is so much more software being written every day.
But the rollout of 5G, given that it is still a long way from mainstream, offers a chance to get software right, or at least much better than it is now. Which is important—the stakes are obviously high. Wheeler and Simpson warned that “to build 5G on top of a weak cybersecurity foundation is to build on sand. This is not just a matter of the safety of network users, it is a matter of national security.”
They aren’t the only ones. The president’s National Security Telecommunications Advisory Committee (NSTAC) published a draft “Cybersecurity Moonshot” proposal in November 2018 calling for making the entire internet safe and secure by 2028.
“The scale, severity, and complexity of the cybersecurity threat now poses an existential risk to the future of the Nation,” the report said.
Evolution vs. devolution
So how are we doing so far?
Not so well. For starters, the link to the “moonshot” draft is now disabled.
Ericsson isn’t brimming with optimism either. “Telecommunication networks are evolving rapidly across a broad technological environment … [but] this is met by an equally broad yet deteriorating cybersecurity environment,” the company said.
One reason is that securing those networks is hard. “Telecommunications networks are devilishly complicated,” Knudsen said. “They typically include dozens of types of components from multiple vendors, deployed in staggering numbers to form the network as a whole.”
“Software vulnerabilities thrive in complexity, and the many network components and protocols present a broad attack surface,” he said.
That doesn’t have to mean all is lost. Getting it right, or at least a lot better, is still possible. The 5G standards are, relatively speaking, in their infancy, still evolving and being defined by standards bodies such as 3GPP (3rd Generation Partnership Project).”
But to make software better, security has to move from afterthought to priority.
Wheeler and Simpson call for “the oversight necessary to assure that the promise of 5G is not overcome by cyber vulnerabilities, which result from hasty deployments that fail to sufficiently invest in cyber risk mitigation.”
Cheaper, faster, better
Ironically, even without government oversight, there are already economic incentives to invest in security. For more than a decade, one of the major messages at every cybersecurity conference in the world has been that it is both cheaper and faster to “shift left” and “build security in” throughout the software development life cycle (SDLC) than it is to try to patch it on at the end or, worse, spend much more time and money on response and recovery from a catastrophic breach.
The reason those buzz phrases have become so common is that proactive security testing works. Yes, it costs time and money, but so does putting physical safety components, like seatbelts, in vehicles, and nobody questions the necessity of every vehicle manufacturer doing that.
There is no single magic tool, or even group of tools, that will correct every human design or coding error and make software bulletproof. But the right combination can bring it pretty close.
One of them, fuzz testing, which involves blasting software with intentionally malformed inputs to see if it will fail, is “critically important to managing the security of network components,” Knudsen said.
An advanced version, called “generational fuzzing,” means the fuzzing tool “understands the protocol being fuzzed, which allows it to generate the most difficult types of inputs — those that appear nearly correct but are wrong in some way.”
That capability, he said, “is a powerful method for uncovering vulnerabilities deep inside software implementations.”
Fuzzing, along with other tools — static, dynamic and interactive application security testing as those applications are being built, plus software composition analysis to help find and fix vulnerabilities and potential licensing conflicts with open source components — are aninvestment.
Like any good investment, it costs something up front but pays much greater dividends later.
With 5G, those dividends go well beyond money. The risks of the next-gen cellular protocol can lead not just to data theft or surveillance but to physical damage as well.
Autonomous vehicles are one of the most obvious examples. If hackers can get control of a vehicle’s sensors and operations, they can cause injury or death. If they can hack into a municipal or regional traffic control system, they can create widespread chaos and injury.
In spite of all that, the storyline about 5G seems mainly focused on the “race” to see who can deploy it first, which Wheeler and Simpson contend is the wrong focus.
As they put it, “The real ‘5G race’ is whether the most important network of the 21st century will be sufficiently secure to realize its technological promises.”