Create an FP account to save articles to read later and in the FP mobile app.

Sign Up

ALREADY AN FP SUBSCRIBER? LOGIN

By identifying key players, quantifying relative influence, and assessing the competitive landscape, FP Analytics breaks down complex foreign policy issues by mapping out spheres of influence and the risks and opportunities these topics present. LEARN MORE

5G Explained

Part Three: National Security

UPDATED: Feb. 23, 2021
PUBLISHED: Mar. 31, 2020

Part II of FP’s 5G series, The Competitive Landscape, outlined the confrontations taking place along the 5G supply chain and broke down the economic costs to countries and companies competing in the 5G space. In Part III of our series, we conclude by outlining the critical national security threats accompanying 5G technology for all countries implementing 5G. We dig beneath the headlines of U.S. allegations against Huawei, including the recent racketeering charges, and assess concrete evidence that points toward real national security threats accompanying 5G technology beyond the U.S.-China confrontation.

Read Executive Summary

Executive Summary

This report was written by FP Analytics, the independent research division of Foreign Policy; access to the executive summary of 5G Explained is made possible with support from Nokia.

5G technology is set to revolutionize the Internet as we know it. It will increase network speeds, enable the Internet of Things (IoT) by bringing billions of more devices online, and advance new technologies such as artificial intelligence (AI) and machine learning. Despite this transformative impact, the majority of businesses still do not know what 5G is and what it could do.

The “race to 5G” has been widely publicized (and the state of development wildly embellished), but the fundamental issues and realities underpinning the transition to 5G technology are still widely misunderstood. Building 5G networks requires extensive global coordination among governments, private companies, and regulatory bodies. It is an ongoing process that will unfold over the next decade at different paces in different countries. As this process occurs, understanding the stages of 5G development in different markets and accurately timing investments will be crucial for businesses. 5G technology will bring broad benefits and widespread risks globally, but there will likely not be one clear-cut winner. Nevertheless, intense geopolitical competition surrounding 5G is developing, and the results of this competition will have long-lasting and far-reaching effects.

While innovation on 4G networks was largely dominated by the United States and other Western countries, since 2012, China has made a coordinated effort to dominate the build-out of 5G networks and determine operating standards around the world. Chinese omnipresence in 5G infrastructure rollout, embodied in its national telecommunications leader, Huawei, has raised security concerns for Western and other countries and has moved the 5G debate from the technical realm into geopolitics.

China’s push to lead in 5G infrastructure development, combined with long-running U.S. concerns over Huawei’s alleged intellectual property theft, prompted President Donald Trump’s signing of an executive order banning Huawei from accessing U.S. supply chains in May of 2019. The move sparked a direct confrontation between the U.S. and China over 5G, putting the two countries directly at odds over 5G technology platforms and forcing other countries to take sides. The U.S. has succeeded in pushing Huawei out of a number of key EU markets, including the UK and France, but Huawei’s omnipresence throughout most of the developing world continues to drive conflict.

Huawei’s competitive position has diminished since the start of 2020, but it still holds some formidable advantages. Huawei’s 2019 revenue was four times greater than Nokia’s or Ericsson’s, and it owns more patents on essential telecom technology than any of its competitors. Further, Huawei played an essential role in the development of 4G networks globally and has its equipment and services already deployed in 170 countries—countries banning Huawei face a high cost for removing its existing equipment. Despite falling behind competitors in signed 5G contracts, Huawei will remain a major player in global 5G development, setting the stage for a prolonged international struggle and potentially fracturing the future 5G Internet into two separate spheres.

In FP Analytics’ three-part Power Map Series, 5G Explained, we break down the key issues surrounding the development of 5G networks and the confrontation between the U.S. and China over 5G by:

Identifying the key players in 5G technology and infrastructure development;
Detailing the global competitive landscape, including issues along supply chains, influence on standards, and forces driving investment decisions in markets around the world;
Pinpointing key national security concerns, many of which are currently going unaddressed;
Breaking down the emerging geopolitical competition over 5G; and
Cataloguing a range of risks and opportunities for businesses.

This FP Analytics Power Map provides the most comprehensive assessment of the issues surrounding 5G to date and provides critical 5G analysis across the technical, economic, geopolitical, and security realms. Beyond the hype and hyperbole, this comprehensive overview provides businesses with an indispensable tool to help better understand the risks and opportunities with 5G.

PART ONE OF THREETechnology and Infrastructure

PART TWO OF THREEThe Competitive Landscape

PART THREE OF THREENational Security

Introduction
Huawei, 5G, and the Clash Over Security
Critical Vulnerabilities in 5G Network Design
Security Snapshot: Addressing Tomorrow’s Vulnerabilities Today
Risks and Opportunities for Stakeholders

Introduction

The development of 5G technology will be accompanied by additional serious security concerns for companies and individuals outside the realm of geopolitics. In our final installment, we lay out the inherent security risks associated with 5G’s role in the digitization of the global economy and break down the critical issues for which companies and individuals need to prepare.

Huawei, 5G, and the Clash Over Security

The U.S. government first raised national security concerns over Huawei equipment in 2012, following a congressional investigation that concluded that Huawei equipment posed a threat. Since then, national security concerns with respect to Huawei have escalated, culminating in the U.S. leveling racketeering charges against the company in February of 2020, alleging that Huawei stole intellectual property from U.S. companies. In June of 2020, the FCC officially designated Huawei and ZTE as national security threats. As a result, U.S. cellular businesses will no longer be permitted to spend federal funds on equipment from either company. The U.S. has repeatedly raised concerns abroad, but initially it appeared that its concerns would go largely unaddressed due to its muddled domestic response and waning international influence. However, since the outbreak of COVID-19, Huawei has been under increasing scrutiny from EU countries, such as the UK, France, Poland, and Belgium, where it was initially welcomed, and it has now been pushed out of many key EU markets after countries’ internal security reviews were conducted.

Key Takeaways

The U.S.’s recent racketeering charges against Huawei escalate their prolonged confrontation

In February of 2020, the U.S. formally filed racketeering charges against Huawei for intellectual property theft and further ratcheted up security-related tensions among Huawei, China, and the U.S. in June of 2020 by officially designating Huawei a national security threat. China has denied the charges, setting the stage for a drawn-out legal battle.
Huawei poses security threats to the international community beyond U.S. allegations

While the U.S. has been focused on the cybersecurity threats associated specifically with Huawei and the Chinese government, the more immediate cybersecurity threat from Huawei may be from general vulnerabilities in its software systems. In its rush to lead in 5G development, Huawei’s software systems have proven to have significant vulnerabilities that could be exploited by any bad actors, not just the Chinese government.
What’s at Stake

The escalating tensions between the U.S. and China could have wide-ranging security consequences for the U.S. and key allies that share critical intelligence information. Neither the UK nor France is moving forward with Huawei, but other key U.S. allies, such as Germany and Brazil, are still considering pushing forward with using Huawei equipment. All countries currently implementing Huawei 5G equipment run general security risks, from the current quality of the software to ongoing concerns related to intellectual property.

The Breakdown

Breaking Down the U.S.–Huawei Security Confrontation
Huawei has been under constant legal scrutiny from the U.S. government.

Click to to read why

Huawei began collaborating with U.S. companies in 2001, setting up U.S. offices and entering into the U.S. smartphone market through collaborations with Android and Alphabet (Google). The first legal dispute came in 2003, when Cisco accused Huawei of patent infringement for copying its router and network switch code. While the lawsuit ended in a settlement between Cisco and Huawei, U.S. concerns about Huawei continued. In May of 2013, unpublished documents, leaked by whistleblower Edward Snowden, revealed that the NSA had been spying on Huawei and its founder, Ren Zhengfei, since 2009, as part of “Operation Shotgiant.” The U.S. spying efforts did not find conclusive evidence that Huawei had been spying for the Chinese government, but U.S. concerns over Huawei continued and intensified. In August of 2010, eight Republican senators sent an open letter to various government departments and media organizations alleging that the company had been supplying telecom equipment to Saddam Hussein’s regime in Iraq, which violated UN trade sanctions. However, those accusations could not be substantiated at the time. But additional documents, leaked in July of 2019, revealed that, in 2008, Huawei had potentially violated a U.S. export ban by working with Panda International Information Technology to secretly build and maintain North Korea’s wireless mobile system. With concerns mounting, in 2012, the U.S. House Permanent Select Committee on Intelligence (HPSCI) declared Huawei and ZTE to be threats to national security. In 2014, Huawei again ran afoul of the U.S. legal system, as T-Mobile sued it over corporate espionage involving the theft of a robot design used to test touchscreens. A federal jury in Seattle ultimately awarded T-Mobile $4.8 million in damages, a small fraction of what T-Mobile had requested, but did not admit guilt.

Full Timeline of U.S.-Huawei Security Events

2003

Cisco sues Huawei for intellectual property theft; the lawsuit is settled in 2004.

2004

A Huawei employee is caught photographing the circuit boards of an optical networking device owned by Fujitsu at the Supercomm telecom trade show.

2005

RAND Corp. reports that Huawei worked closely with China’s military, stating that Huawei received staff and funding from the military, state banks, and other agencies. Huawei denies these allegations.

2007

The FBI interviews Huawei’s Ren Zhengfei in July about breaching U.S. trade sanctions with Iran. In the 2019 U.S. fraud indictment against Huawei CFO Meng Wanzhou, the FBI concludes that Ren Zhengfei lied in the original interview.

The NSA hacks Huawei and spies on its executives’ e-mails but is unable to conclude that Huawei is spying on the U.S. government.

2008

The U.S. blocks Huawei from buying part of 3Com, a U.S. firm selling networking security software to the U.S. military.

2010

The U.S. government stops Huawei from buying tech company 3Leaf.

A Huawei worker is accused of sending his CEO technical documents marked “Motorola Confidential Proprietary” on every page. Motorola sue, accusing Huawei of stealing its SC300 base station technology. Huawei countersued Motorola in 2011 for using its technology without consent, and the two sides settled in 2011.

2012

The U.S. House Permanent Select Committee on Intelligence names Huawei a threat.

Australia bars Huawei from tendering for broadband.

Huawei employees target Tappy, T-Mobile’s smartphone robot.

2013

A company linked to Huawei tries to sell U.S. equipment to Iran, in violation of U.S. sanctions. In 2019, the U.S. leveled fraud charges against Huawei executive Meng Wanzhou alleging that she concealed this information from banks.

2017

Huawei-installed technology at African Union headquarters was reported to have been hacked for five years. Huawei denies any involvement.

A Huawei employee alleges that the company ordered him to use a fake company name to infiltrate a closed Facebook telecom meeting.

2017-2018

A Texas jury found Huawei guilty of stealing trade secrets from Silicon Valley start-up CNEX, after former employee Yiren Huang filed suit. He alleged Huawei rewarded staff members for stealing intellectual property and kept a secret database of stolen technology. Huawei responded by also suing Yiren Huang for theft, but the case was not upheld.

2018

AT&T and Verizon drop Huawei sales plans due to U.S. government security concerns.

The Australian Defense Department phases out Huawei smartphones.

The Pentagon orders a halt to Huawei sales on military bases.

2019

The U.S. government bars companies from doing business with Huawei without permission.

Leaked documents show that in 2008 Huawei secretly helped North Korea build its wireless mobile system, possibly breaching a U.S. export ban.

Feb. 11, 2020

The U.S. reportedly found that Huawei has backdoor access to mobile networks globally. The details of the report, which was conducted as part of an internal review of Huawei by U.S. officials, were disclosed to the UK and Germany at the end of 2019, after the U.S. allegedly noticed Chinese access to telecom networks since 2009 across Huawei’s 4G equipment. Read more

Feb. 13, 2020

The U.S. Department of Justice charged Huawei with racketeering and theft of trade secrets. Read more

March 2, 2020

Internal Huawei documents reportedly revealed Huawei’s role in shipping prohibited U.S. gear to Iran. Reviews of two Huawei packing lists, dated December 2010, included computer equipment made by Hewlett-Packard that was destined for Iran’s largest mobile-phone operator. Read more

June 4, 2020

A series of internal Huawei documents reportedly revealed that Huawei had covered up its ownership and control of an Iranian affiliate, Skycom, as part of a scheme to sell prohibited U.S. technology in Iran. Read more

June 25, 2020

The Trump administration designated Huawei as backed by the Chinese military, laying the groundwork for new financial sanctions. The designation was based on the findings of an internal Department of Defense document that listed a total of twenty Chinese companies operating in the U.S. that are alleged to be backed by the Chinese military. Read more

June 30, 2020

The U.S. Federal Communications Commission announced its final decision to classify Huawei and ZTE as national security threats. Read more

SOURCES: FCC, REUTERS, U.S. DEPARTMENT OF JUSTICE, THE WALL STREET JOURNAL, THE NEW YORK TIMES, CNBC

Following roughly a decade of growing mistrust between the U.S. and Huawei, the U.S. has stepped up its legal action against the company, culminating in recent high-profile events that have dominated the national security headlines. In December of 2018, Canadian officials arrested Meng Wanzhou, who is Huawei’s CFO and the daughter of founder Ren Zhengfei, on behalf of the United States. The U.S. leveled charges that Huawei had violated economic sanctions imposed against Iran. The extradition proceedings is still ongoing, and, in February of 2020, Ms. Meng was personally indicted by the U.S. Department of Justice for trade secret theft. She remains in Canada under house arrest on C$10 million bail. In February of 2020, the U.S. charged Huawei with racketeering and conspiracy to steal trade secrets from American companies. The charges allege that Huawei conspired to steal trade secrets from five American firms (Cisco, Motorola, Quintel, T-Mobile, and CNEX) and the Japanese firm Fujitsu, including source code and manuals for wireless technology. The DOJ alleges that the criminal activity has been ongoing since at least 1999. Most recently, in June of 2020, the Trump administration designated Huawei as one of twenty Chinese companies it claimed to be backed by the Chinese military, and the FCC designated Huawei and ZTE national security threats. These actions prevent the use of federal funds for purchasing equipment from either company, while laying the groundwork for the administration to impose far-reaching financial sanctions.

The U.S. kept up its maximum pressure campaign against Huawei since early 2020, while other governments have wavered in their views of Huawei as an imminent national security threat. The British government, like the U.S., has raised security concerns about Huawei, and an internal report from the UK’s Huawei Cyber Security Evaluation Centre (HCSEC) concluded, in March of 2019, that Huawei equipment poses significant security risks. Initially, despite the report’s conclusions, the UK announced in January of 2020 that it would move forward with allowing Huawei equipment to be used in up to 35 percent of its radio access networks (RANs). As of today, the British government announced that it will bar all Huawei equipment from its 5G networks and set a deadline of 2027 for all existing Huawei equipment to be removed from its networks. The initial decision sparked immediate pushback from the U.S., as the UK is a key ally in intelligence sharing through the Five Eyes Alliance. However, the UK’s decision to ban Huawei is a major victory for the U.S. and puts increasing pressure on China, whose relationship with Europe is already facing increasing strain due to the outbreak of COVID-19. Experts disagree as to whether excluding Huawei from core networks will mitigate its risks, since 5G technology does not rely as heavily on a centralized core network to perform data-routing functions, but European countries have been increasingly excluding Huawei from their networks due to security concerns. Since mid-2020, France, Sweden, Poland, Slovakia, the Czech Republic, Hungary, Albania, Kosovo, Bulgaria, North Macedonia, Latvia, and Cyprus have all effectively banned Huawei, and Germany has enacted regulatory barriers that will effectively push Huawei out. Despite finding increasing success in Europe against Huawei, there are still key U.S. allies, such as Saudi Arabia and Brazil, that are continuing to work closely with Huawei on the development of their 5G networks, and Huawei is actively fighting back to regain access into critical European markets.

Update: Both the UK and Germany’s relationship with Huawei continues to evolve. For each country’s status as of publication, see our map in Part I.

Huawei’s Real Security Threat: Rushing Flawed Software to Market

While the security concerns surrounding Huawei’s 5G technology have predominantly concerned Huawei’s ties to the Chinese government, the potential for backdoors to be used for spying, and intellectual property theft, the most imminent security threat may actually be deficiencies in its software code. A 2012 White House review did not find any evidence of spying by Huawei, but it did find holes in Huawei’s source code, which made Huawei’s device software more vulnerable than its rivals. While Huawei denied that report, a 2019 review by the UK’s Huawei Cyber Security Evaluation Centre (HCSEC) backed it up. The HCSEC found that there were underlying defects in Huawei’s software code and security processes that could easily be exploited by governments or independent hackers. The report concludes that due to the number and severity of vulnerabilities, “if an attacker has knowledge of these vulnerabilities and sufficient access to exploit them, they may be able to affect the operation of the network, in some cases causing it to cease operating correctly.”

The HCSEC found that there were underlying defects in Huawei’s software code and security processes that could easily be exploited by governments or independent hackers.

Additionally, British officials concluded that Huawei has poor oversight of its supplier networks and does not have a clear process for reviewing the origin of component software and which suppliers are responsible for developing each piece of code. As a result, governments and companies installing Huawei equipment also do not have a clear understanding of where the code they are introducing into their networks originated from, thus handicapping their ability to isolate and trace potential threats. While the British government has explicitly raised these security concerns, as of this publication the UK has banned Huawei from participating in its 5G networks. While espionage and other security issues remain concerns, Huawei’s ability to quickly capture substantial market share has spread these vulnerabilities worldwide. That raises broader national security concerns in the development of 5G technology: 5G networks are likely to contain a wide range of general vulnerabilities, which could be exploited by any bad actor, not just the Chinese government.

Critical Vulnerabilities in 5G Network Design

With the development of 5G technology, telecom companies are working to improve 4G networks’ security using advanced end-to-end encryption and “network slicing,” which will segment 5G networks into numerous virtual networks, allowing tailored security measures for each segment. However, the development of 5G networks introduces completely new security risks that are inherent to its design, such as an increased attack surface and the required transition to a software-based core network—issues that governments and companies are still attempting to tackle.

Key Takeaways

5G will eventually move to a cloud-based software system with significantly more vulnerabilities

As 5G networks are developed, core networks will transition from hardware-based systems to cloud-based software-controlled systems. This evolution will create unique challenges for data security due to more access points in the network and less ability to regulate data flowing through the network, ultimately generating a larger attack surface for cyber threats.
The Internet of Things will generate exponentially more targets for hackers

The number of devices connected to 5G networks will create additional security risks. As the Internet of Things becomes a reality, and the market for IoT devices expands, nearly every device—from cars to refrigerators—could become a target for malicious actors.
What’s at Stake

The integrity and security of data and networks across the world. The mass-scale connectivity that 5G enables will multiply the security risk for all actors on the network, raising concerns for governments, companies, and consumers worldwide.

The Breakdown

Understanding 5G Core Networks: Their Enhanced Capabilities and Critical Vulnerabilities
5G core networks will revolutionize how data moves through networks, but they also present the most pressing security challenges in 5G development.

Click to to learn what these challenges are

5G networks consist of two main components: the radio access network (RAN) and the core network. In Part I, Technology and Infrastructure, we outlined how 5G technology would transform RANs, requiring significantly more small cell radio towers, in order to transmit data over higher spectrum frequencies. In addition to transforming the physical RAN, 5G technology will transform the design of the core networks. While the RAN functions like the nervous system of a telecom network, reaching across wide geographic areas to transmit small pieces of information to each, the core network functions as the brain of the network. All data collected through the RAN is sent to the core network, where it is then routed to the correct recipient. In previous generations, this process was controlled largely through a central hub, which contained physical network infrastructure of switches and cables, which would use software systems to effectively route the data. Under this system, networks could be secured by building in “choke points” in the physical infrastructure, which would check data flowing through the system for threats and identify potential cyberattacks. In a 5G core network, however, this activity will be done through a web of digital routers operating throughout the network, enabling faster data transmission but—importantly—negating the possibility of building in manual choke points.

While using a common programming language will make collaborating and developing on 5G networks easier, it will also make creating malicious software and breaking encryption on the network easier.

While physical telecom networks are predominantly reliant on the extensive infrastructure systems, routing information moving through this network requires computers running software systems to direct the information correctly. In 5G networks, data will be transmitted from the RAN to core networks that are predominantly software-based. While earlier wireless generations used a hardware-based centralized core network to route signals and perform network functions, 5G will make these functions cloud-based. In 5G networks, many data-processing functions that were previously performed through hardware systems in the core network will be moved to the “edge” of the core network and performed in the cloud. This “edge” network refers to a cloud-based system of servers that will virtualize 5G networks using the common language of Internet Protocol (IP). While using a common programming language will make collaborating and developing on 5G networks easier, it will also make creating malicious software and breaking encryption on the network easier.

5G Core Networks Move Data Routing into the Cloud

5G core networks rely on edge servers to route data at faster speeds through a software-based cloud system.

Understanding 5G Core Networks: Their Enhanced Capabilities and Critical Vulnerabilities

Source: Why Edge Computing is Key to 5G in 2020

General Vulnerabilities in 5G Networks

5G networks’ switch from hardware-based core networks to software-dictated cloud-based core networks creates new, and potentially greater, cybersecurity risks than with 4G networks. An attack on either the core network or the RAN can disrupt and intercept data flow, allowing malicious actors to hijack information or shut down key infrastructure. Additionally, since 5G networks will eventually be managed by artificial intelligence-based software (AI), an attacker who gains control of the software could also gain control over the entire network. Since an AI-controlled software system would coordinate each separate server cluster, access to the overarching AI system would allow access to data originating anywhere within the network. The broad reach of 5G networks’ infrastructure, and the mass-scale connectivity create an increased attack surface through multiple vectors. With more lines of software being used to dictate the flow of data through the system, the volume of data will almost certainly exceed telecom companies’ capacity to physically monitor everything that is flowing through the network, making cyber threats more difficult to detect. These vulnerabilities require coordination among all actors involved in security. Governments can set security standards and directives, but ultimately telecom providers, third-party firms, companies, and individuals will all be responsible for securing their own networks.

In addition, with the increased number of small cell radio towers needed to operate 5G networks, there are potentially thousands more access points for threats to access the network through. Backdoors can be installed in the mobile base stations that make up the RAN, and they are nearly impossible to detect once installed. In cybersecurity terms, a backdoor is a method of bypassing normal authentication or encryption in a computer system or another physical product and is used for obtaining remote access and control over that computer system or device. In addition to increased access to the network, the number of connected devices that could potentially be tapped into will increase exponentially with the Internet of Things, and Internet-connected devices, such as Nest, are already being hacked frequently. In the near term, the impact from backdoor attacks is likely to be minimal, with the most obvious effect being a slowdown in Internet and download speeds or a loss of phone service. However, when 5G enables entire electric grids and sewer systems to be put online, that sort of cyberattack could eventually cause mass-scale disruption and shut down entire cities. Ultimately, those vulnerabilities mean that the security threat on 5G networks comes not only from the potential of Chinese interference—as is the focus of governments’ and most media attention—but from any bad actor with the technical capability to exploit 5G networks’ increased vulnerability.

Supply Chain Vulnerabilities

As outlined in Part II of our series, The Competitive Landscape, the 5G supply chain is far-reaching and complicated. That is true for both the hardware and software components used in developing 5G networks. Before a component is placed into a 5G telecom network, it will have been through multiple suppliers and integrators. The components used in final products range from resistors and capacitors to CPUs and are manufactured in nearly every country in the world. The supplier of each of those components also provides accompanying software, generally in the form of a microcode inside a processor. That microcode is called “firmware,” the software programs permanently coded into a hardware device such as a keyboard, a hard drive, or the smaller components used in building RAN equipment. It is programmed to give permanent instructions to communicate with other devices and perform basic commands and functions. Firmware interfaces with the hardware and operating systems to run application software on 5G telecom equipment. Just like the hardware components used to assemble 5G telecom equipment, the accompanying software components are passed through the supply chain and built upon before making their way to the original equipment manufacturer (OEM), such as Huawei, Nokia, Ericsson, or Samsung, who ultimately supplies the telecom hardware to the network providers. The OEM is responsible for integrating all of the external firmware and additional software built into each component with its custom software and any other software from third-party suppliers. Huawei uses two suppliers for each individual component used in its product and works with a total of 92 companies from at least ten different countries. That means that by the time the OEM, such as Huawei, ships a telecom product to the end-user, the product will contain software written by potentially thousands of engineers at dozens of companies from around the globe, which means that even for companies such as Huawei, Ericsson, and Nokia, it is difficult to track where each part of their software code originates from.

Huawei’s telecom equipment had the most firmware backdoors embedded into its equipment of all OEM’s, with 55 percent of all equipment analyzed containing at least one potential backdoor.

The complexity of this supply chain system introduces multiple points of entry for actors looking to hack into telecom systems. There are two primary ways in which potential bad actors can exploit the supply chain: 1) installing hardware backdoors; and 2) installing firmware and software backdoors. Hardware backdoors, as their name implies, are installed into the hardware and allow an actor to monitor the network without detection. Additionally, hardware backdoors need to be physically removed, since they cannot be eliminated through software, making them significantly more difficult to combat than software backdoors. The most widely publicized use of hardware backdoors regards Edward Snowden’s allegations against the NSA, alleging that it used backdoors in Cisco routers to intercept communications on telecom networks. While hardware backdoors are more effective, firmware backdoors are much easier to enable due to device firmware’s tendency to be full of vulnerabilities already. But, while firmware backdoors are easier to detect overall than hardware backdoors, it is nearly impossible to detect their origin, allowing actors to deny culpability more plausibly if the backdoor is discovered. Due to the number of potential actors who could install firmware or hardware backdoors into 5G network equipment, it is difficult to isolate and focus on any one actor as a primary threat. However, a quantitative research review of major OEM component providers by the supply chain security consulting firm Finite State concluded that Huawei’s telecom equipment had the most firmware backdoors embedded into its equipment of all OEM’s, with 55 percent of all equipment analyzed containing at least one potential backdoor.

Huawei Vulnerabilities Compared to Key Competitors

Huawei’s 5G core network routing equipment was found to have significantly more software vulnerabilities than that of competitors.

■ Huawei
■ Arista
■ Juniper

Vulnerability	Description
Credentials	Login information that is stored into the software allowing outside actors access.
Crypto (Cryptographic Keys)	A string of data that is used to lock or unlock cryptographic functions, including authentication, authorization, and encryption. The presence of cryptographic keys creates the potential for the user who embedded the key to access the device.
Common Vulnerabilities and Exposures (CVE’s)	A dictionary-type reference system or list for publicly known information-security threats. This list of common security vulnerabilities is maintained by the MITRE Corporation and sponsored by the National Cyber Security Division (NCSD) of the Department of Homeland Security.
Memory Corruptions	A vulnerability that occurs in a computer system when its memory is altered without an explicit assignment due to programming error. When the corrupted memory contents are used later in that program, it leads either to a program crash or erratic, disruptive operation.
Configuration Management	A process to systematically manage, organize, and control the changes in the documents, codes, and other entities during the Software Development Life Cycle. Using different and older versions of the OpenSSL library increase risk.

Source: Huawei Supply Chain Assessment

Security Snapshot: Addressing Tomorrow’s Vulnerabilities Today

The inherent security issues built into 5G networks will create new opportunities for attacks and new security challenges for governments, companies, and individuals operating on 5G networks. Understanding the complexity of the challenges presented by 5G security issues, as well as the responses being taken in response to these issues, is critical for companies that hope to take full advantage of 5G networks’ capabilities.

Key Takeaways

5G technology will allow cyberattacks to pinpoint specific sectors

Due to the decentralized design of 5G server networks, 5G will make it easier for attackers to target specific sectors within a larger network. Under that design, malicious actors could target and take out specific online systems, such as cities’ electrical grids, air-traffic control systems, stock exchanges, and more—all with potentially catastrophic and cascading impacts.
No single actor can guarantee 5G networks’ security

While security actions should be coordinated at every level—across governments, companies, and individuals—there is no perfect solution for ensuring 5G network security. Therefore, companies and individuals should be proactive in implementing their own security measures instead of waiting for system-wide solutions.
What’s at Stake

Governments’ and corporations’ ability to effectively secure their own networks and critical operating infrastructure is at risk. With increasing amounts of critical infrastructure operating online, from hospital networks to defense systems, the risks from shutdown carry increasing economic and real-life consequences.

The Breakdown

Increased Cyberattack Opportunities and Implications
Cyberattacks already account for billions of dollars in losses globally. 5G will make securing against those attacks even more difficult.

Click to learn more

A 2019 survey of cybersecurity and risk-management leaders revealed that 80 percent believed that 5G technology will make their enterprises more vulnerable to attack. Industry leaders stated that the largest risks they saw associated with 5G technology were more targeted IoT attacks, 5G firmware hacking, and a larger attack surface providing more opportunities for hackers. Crucially, all of those concerns are unique to development of 5G technology and do not have definitive solutions, and the majority of governments around the world do not have high-level security planning directives in place to address them. While concern is increasing around the risks associated with 5G security and cyberattacks, the implications from those attacks—and why they have the potential to be significantly more devastating that cyberattacks on 4G networks—are still not spurring the necessary coordinated action.

Once hospital systems rely on 5G technology for critical surgeries, for example, and traffic systems require 5G speeds to operate autonomous vehicles, that type of targeted attack could effectively shut down entire segments of the economy or entire cities.

The 5G networks design relies on clusters of edge servers connecting to physical radio towers, which transmit data via the cloud to each other and to the core network. That system makes it possible for cyberattacks to target critical infrastructure operating on 5G networks with increased precision. An attack can be aimed at the server, or cluster of servers, being used to connect specific systems to the broader 5G networks, without needing to launch an attack at the centralized core of the network. In practice, an attack targeted at a specific server could cripple critical systems relying on 5G speeds by either knocking them offline or constraining their operability by downgrading them to 4G speeds. While 4G speeds are able to support much of our current communications infrastructure, future systems using advanced technology, such autonomous vehicles, would be unable to operate at 4G speeds. For individual consumers, such an event would likely not create major problems, as the most noticeable effect would likely be device download speeds slowing. However, as an increasing number of industries begin relying on 5G technology, the implications of that type of targeted attack become significantly greater. Once hospital systems rely on 5G technology for critical surgeries, for example, and traffic systems require 5G speeds to operate autonomous vehicles, that type of targeted attack could effectively shut down entire segments of the economy or entire cities. In the worst-case scenario, those attacks could be paired with physical attacks. Imagine a terrorist organization shutting down a city’s ability to communicate before executing a physical strike. The potential ramifications from a targeted attack illustrate the pressing need to make 5G security a priority. Yet, general network security remains an overwhelming challenge for most companies and governments.

The Prevalence and Economic Impact of Cyberattacks

Cyberattacks have caused billions of dollars in losses to companies across the globe and have exposed millions of individuals’ sensitive information to criminals.

Major Cyberattacks by Region

Major reported data breaches from each region. The U.S. accounted for 86% of the global total, however the majority of breaches likely go unreported

Source: Breach Level Index 2017

15 Largest Data Breaches

Personal data exposed through leaked account information

Impact	Company	Year
All 3 billion accounts compromised	Yahoo	2013
500 million compromised accounts	Marriott	2018
360 million compromised accounts	MySpace	2016
145 million compromised accounts	eBay	2014
143 million accounts exposed, including 209k credit card numbers	Equifax	2017
117 million emails and passwords leaked	LinkedIn	2016
110 million compromised accounts, incl. 40 million payment credentials	Target	2013
100 million compromised accounts	Quora	2018
92 million screen names and email addresses stolen	AOL	2004
80 million company records were hacked, including Social Security numbers	Anthem Inc	2015
57 million compromised accounts	Uber	2016
50 million compromised accounts	Facebook	2018
9.4 million compromised accounts, including 860k passport numbers	Cathay Pacific	2018
7.6 million compromised accounts	Blank Media	2018
133,827 compromised accounts, including payment methods	Three	2016

Source: The 15 Biggest Data Breaches in the Last 15 Years

Types of Cybercrime and Average Cost (2018)

Regardless of the type of attack, information loss and business disruption occurring from attacks have constituted the most significant losses. In 2018, information loss and business disruption combined constituted over 75 percent of total business losses from cybercrime.

Malware

Software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system.

Major consequence: Information loss.
Average annual cost in 2018: $2.6M
Percent change from 2017: +11%

Web-based attacks

Target user data by using the Web to gain access to the systems that either store or interact with your data.

Major consequence: Information loss.
Average annual cost in 2018: $2.3M
Percent change from 2017: +13%

Denial-of-Service (DOS)

Occurs when legitimate users are unable to access information systems, devices, or other network resources due to the actions of a malicious cyber actor.

Major consequence: Business disruption.
Average annual cost in 2018: $1.7M
Percent change from 2017: +10%

Malicious insiders

Actors who maliciously and intentionally abuse legitimate credentials, typically to steal information for financial or personal gain.

Major consequence: Business disruption and information loss.
Average annual cost in 2018: $1.6M
Percent change from 2017: +15%

Represents the average annual cost of each type of cyberattack for an individual company across industries in eleven countries studied. Based on a sample of 1,000 known cyberattacks in 2017 and 2018.

Source: Ninth Annual Cost of Cybercrime Study—Accenture

Average Annual Cost of Cybercrime by Industry

A study of 1,000 cyberattacks across eleven countries found that average annual costs of cybercrime per company is increasing significantly in nearly every industry examined

Banking

2017
$16.6M
+11%
2018
$18.4M

Utilities

2017
$15.1M
+18%
2018
$17.8M

Software

2017
$14.5M
+11%
2018
$16M

Automotive

2017
$10.7M
+47%
2018
$15.8M

Insurance

2017
$12.9M
+22%
2018
$15.8M

High tech

2017
$12.9M
+14%
2018
$14.7M

Capital markets

2017
$10.6M
+32%
2018
$13.9M

Energy

2017
$13.2M
+4%
2018
$13.8M

U.S. Federal

2017
$10.4M
+32%
2018
$13.7M

Consumer goods

2017
$8.1M
+47%
2018
$11.9M

Health

2017
$12.9M
-8%
2018
$11.8M

Retail

2017
$9M
+26%
2018
$11.4M

Life sciences

2017
$5.9M
+86%
2018
$10.9M

Media

2017
$7.6M
+22%
2018
$9.2M

Travel

2017
$4.6M
+77%
2018
$8.2M

Public sector

2017
$6.6M
+20%
2018
$7.9M

Based on a sample of 1,000 known cyberattacks in 2017 and 2018 in eleven countries

Crafting Effective Cybersecurity Procedures: An Individual and Collective Burden

Despite the clear security challenges presented by 5G technology, limited awareness of those risks and cost considerations inhibit coordination and greater investment in enhanced cybersecurity. A 2019 report from the Altran Group reported that ninety-one percent of business leaders surveyed reported that increased cybersecurity awareness at the C-level translated into their decision-making. The report also found that the majority of cybersecurity decisions are optimizing for cost, not security, with companies often underestimating the likelihood—and financial and reputational damage—of cyberattacks. Further, entities’ responsibility for securing networks also remains unclear. When cyberattacks do occur, blame is often widely dispersed, with tension between regulators and private-sector actors making it difficult to implement broad-sweeping security standards in response to hacks. As 5G networks transition to a cloud-based model for their core networks, many telecom operators will rely on collaborations with third-party companies, such as Google and Amazon, to assist with hosting their cloud services. Given the number of actors across the supply chain, assigning responsibility and liability for breaches remains exceedingly complex.

In addition to the existing technical challenges in securing 5G networks—human error, coupled with the proliferation of 5G-enabled devices, creates compounding and underappreciated security challenges. Currently, the largest source of cybersecurity attacks is “phishing” attacks—generally defined as attacks that use a false website or link to lure users into revealing sensitive information—which account for roughly one-third of all cyberattacks. An Accenture report on the cost of cybercrime, of which phishing is the most common form, found that the average cost of an attack has increased by an average of 166 percent per year over the past five years. The average attack cost companies $1.4 million in 2013, and $13 million in 2018. The proliferation of phishing attacks, along with the diffusion of responsibility for cybersecurity along the supply chain, means that securing 5G networks will be a burden shared among governments, companies, and individuals.

As 5G technology continues to move greater segments of the population and economy online, the ability to effectively coordinate human beings—leaders in government, industry, and other individuals—will likely prove to be 5G’s best security breakthrough or its most fatal flaw. Even in the most optimistic scenario, there is unlikely to be any systemwide coordinated effort that can effectively guarantee security on 5G networks. Already, competing interests among these stakeholders are beginning to shape an emerging conflict over data security on the internet – most notably with respect to end-to-end encryption. The best tool yet to protect online data, end-to-end encryption prevents data from being read or secretly modified by actors other than the true sender and recipient. While this prevents hackers and bad actors from intercepting personal data, it also prevents governments from accessing it. Government efforts to gain backdoor access are already in place in Australia, and are making their way through the U.S. Congress as part of the EARN IT Act. Allowing government backdoors would also create openings for other actors wishing to access the information, and effectively erode one of the most robust security measures currently available. Ultimately, organizations at all levels will need to take responsibility for their own security. By ramping up security investments, improving employee-training programs, and staying informed about technological developments and risks, organizations of all sizes and types must be proactive in mitigating financial loss and reputational damage if they are victims of a breach.

Risks and Opportunities for Stakeholders Navigating the Evolving 5G Landscape

Completing 5G infrastructure and rolling out fully operational 5G telecom networks is a process that will take years to complete. Since the original publication of FP’s 5G Power Map series, the course of 5G development has taken a number of dramatic turns due in part to the outbreak of COVID-19, escalating tensions between the U.S. and China, Europe’s evolving stance on Huawei, and China’s fraying relationship with India. As global 5G development continues, there are undoubtedly more surprises ahead. Stakeholders navigating potential roadblocks and developments in 5G should continue to carefully monitor developments as they unfold to fully understand the implications for their organization.

Key Takeaways

Foundational 5G Infrastructure Will Take Years to Complete

Despite the hype, construction and rollout will happen at considerably varying pace across different markets. Initially, 5G speeds will be inconsistent, even within countries, depending on the stage of the rollout. The majority of the infrastructure for 5G still needs to be built, with prospective delays based on market structures, regulations, and the ongoing trade and political tensions between China and the U.S. affecting equipment access.
Timing Investment is Key

Capitalizing on 5G will require stakeholders to craft coherent and flexible 5G strategies, which takes into account both the upside of investing in 5G technology, as well as an accurate timetable for when 5G technology will be available to consumers and businesses. 5G strategies should be tailored towards the key markets a business operates in, understanding that each market will present unique opportunities and challenges and requiring ongoing monitoring of developments in target markets.
What’s at Stake

5G will be a disruptive, transformative technology, but it will initially be costly and the benefits for businesses will be uneven and take time to materialize. While there will be opportunities to gain competitive advantage, but the development path is not linear and keen attention will need to be paid to ongoing developments in companies’ target markets to more fully understand when and where to engage.

Looking Ahead

5G technology will be undoubtedly be a globally transformative technological force. The ability to digitize industries, from transportation to medicine, has the potential to radically transform both the global economy and our everyday lives. However, we are still a long way from achieving that future, and the benefits of 5G are likely to arrive intermittently throughout the coming years, accompanied by real risks and potential for serious geopolitical confrontations. Since the original publication of this Power Map series, the global landscape has changed significantly, due in large part to the emergence of the COVID-19 pandemic. While the pandemic has disrupted industry and global supply chains, its impact on 5G rollouts has been mixed. In some markets, the economic conditions resulting from the pandemic have delayed 5G rollouts, but in others’, rollouts are moving forward smoothly. The COVID-19 pandemic has increased the demand for high-speed internet, and 5G technology has played a major role in combating the virus—from contact tracing and telehealth visits to enabling remote work in a wide range of industries.

Among the most disruptive impacts of COVID-19 on 5G was its role in shifting the geopolitical relationships between China and the rest of the world. At the start of 2020, it appeared Huawei would build large parts of Europe and India’s 5G markets, giving it a globally dominant presence. Today, this prospect appears unlikely, with many European countries now committed to the arduous process of physically removing Huawei equipment from their networks. This turn of events has increased the risk of 5G fracturing the internet into two separate spheres—one using Huawei and the other without it. It has also ushered in discussions in Europe and elsewhere about adopting open radio access networks (O-RAN), which would segment the 5G market into smaller pieces and dilute the market power of end-to-end vendors such as Nokia and Ericsson. In practice, this would make the 5G playing field more competitive, and open market opportunities for Samsung, Japan’s NEC, Google, Microsoft, as well as a host of smaller companies. (For more insights and analysis on this issue see FP’s “Open Networks” virtual dialogue.) While the U.S. has won a number of major victories against Huawei in Europe, much of the developing world is committed to Huawei, setting the stage for a drawn-out confrontation. Relations between the U.S and China continue to deteriorate and the ongoing cycle of retaliation between both countries will complicate 5G rollouts.

Navigating the new world that 5G technology unleashes will be a tremendously complex and circuitous process, which will play out over a long period of time. No country is likely to reap all the rewards from 5G, but there will be definitive winners and losers across nations and industries. Myriad risks accompanying 5G development will affect all actors involved, from corporations to individuals. The actors that take a more proactive approach to security will likely be better positioned to mitigate the risks and adverse impacts and capitalize on the benefits that 5G promises. Vigilant risk-monitoring and public-private collaboration on regulation will be critical—with respect not only to 5G, but also future governance of our digital economy. Rapidly evolving data localization, privacy, and content regulations will further transform the ways we live and do business. We will tackle those issues and more in future Power Maps. Stay tuned.

Written by Christian Perez. Edited by Allison Carlson. Copyedited by David Johnstone. Design and development by Andrew Baughman. Art direction by Adam Griffiths. Graphics by Colin Hayes for Foreign Policy. Photos by Getty Images.