Part Three: National Security
PUBLISHED: Mar. 31, 2020
Part II of FP’s 5G series, The Competitive Landscape, outlined the confrontations taking place along the 5G supply chain and broke down the economic costs to countries and companies competing in the 5G space. In Part III of our series, we conclude by outlining the critical national security threats accompanying 5G technology for all countries implementing 5G. We dig beneath the headlines of U.S. allegations against Huawei, including the recent racketeering charges, and assess concrete evidence that points toward real national security threats accompanying 5G technology beyond the China-U.S. confrontation.
PART THREE OF THREENational Security
The development of 5G technology will be accompanied by additional serious security concerns for companies and individuals outside the realm of geopolitics. In our final installment, we lay out the inherent security risks associated with 5G’s role in the digitization of the global economy and break down the critical issues for which companies and individuals need to prepare.
Huawei, 5G, and the Clash Over Security
The U.S. government first raised national security concerns over Huawei equipment in 2012, following a congressional investigation that concluded that Huawei equipment posed a threat. Since then, national security concerns with respect to Huawei have escalated, culminating in the U.S. leveling racketeering charges against the company in February of 2020, alleging that Huawei stole intellectual property from U.S. companies. While the U.S. has repeatedly raised concerns abroad, its muddled domestic response and waning international influence have led to its security concerns largely being ignored.
The U.S.’ recent racketeering charges against Huawei escalate their prolonged confrontation
In February of 2020, the U.S. formally filed racketeering charges against Huawei for intellectual property theft—the most significant action to date—and ratcheted up security-related tensions among Huawei, China, and the U.S. China has denied the charges, setting the stage for a drawn-out legal battle.
Huawei poses security threats to the international community beyond U.S. allegations
While the U.S. has been focused on the cybersecurity threats associated specifically with Huawei and the Chinese government, the more immediate cybersecurity threat from Huawei may be from general vulnerabilities in its software systems. In its rush to lead in 5G development, Huawei’s software systems have proven to have significant vulnerabilities that could be exploited by any bad actors, not just the Chinese government.
What’s at Stake
The escalating tensions between the U.S. and China could have wide-ranging security consequences for the U.S. and key allies that share critical intelligence information, particularly in the case of the UK, which is both moving forward with Huawei technology and part of the Five Eyes Alliance—the security information-sharing network that consists of the U.S., the UK, Australia, New Zealand, and Canada. All countries currently implementing Huawei 5G equipment run general security risks, from the current quality of the software to ongoing concerns related to intellectual property.
Breaking Down the U.S.–Huawei Security Confrontation
Huawei has been under constant legal scrutiny from the U.S. government.
Click to to read why
Huawei began collaborating with U.S. companies in 2001, setting up U.S. offices and entering into the U.S. smartphone market through collaborations with Android and Google. The first legal dispute came in 2003, when Cisco accused Huawei of patent infringement for copying its router and network switch code. While the lawsuit ended in a settlement between Cisco and Huawei, U.S. concerns about Huawei continued. In May of 2013, unpublished documents, leaked by whistleblower Edward Snowden, revealed that the NSA had been spying on Huawei and its founder, Ren Zhengfei, since 2009, as part of “Operation Shotgiant.” The U.S. spying efforts did not find conclusive evidence that Huawei has been spying for the Chinese government, but U.S. concerns over Huawei continued and intensified. In August of 2010, eight Republican senators brought charges against Huawei, alleging that the company had been supplying telecom equipment to Saddam Hussein’s regime in Iraq, which violated UN trade sanctions. However, those accusations could not be substantiated at the time. But additional documents, leaked in July of 2019, revealed that, in 2008, Huawei had potentially violated a U.S. export ban by working with the company Panda International Information Technology to secretly build and maintain North Korea’s wireless mobile system. With concerns mounting, in 2012, the U.S. House Permanent Select Committee on Intelligence (HPSCI) declared Huawei and ZTE threats to national security. In 2014, Huawei again ran afoul with the U.S. legal system, as T-Mobile sued it over corporate espionage involving the theft of a robot design used to test touchscreens. Huawei was ultimately court-ordered by a Seattle jury to pay $4.8 million in damages, a small fraction of what T-Mobile requested, but did not admit guilt.
Full Timeline of U.S.-Huawei Security Events
Cisco sues Huawei for intellectual property theft; the lawsuit is settled in 2004.
A Huawei employee is caught photographing the circuit boards of an optical networking device owned by Fujitsu at the Supercomm telecom trade show.
RAND Corp. reports that Huawei worked closely with China’s military, stating that Huawei received staff and funding from the military, state banks, and other agencies. Huawei denies these allegations.
The FBI interviews Huawei’s Ren Zhengfei in July about breaching U.S. trade sanctions with Iran. In the 2019 U.S. fraud indictment against Huawei CFO Meng Wanzhou, the FBI concludes that Ren Zhengfei lied in the original interview.
The NSA hacks Huawei and spies on its executives’ e-mails but is unable to conclude that Huawei is spying on the U.S. government.
The U.S. blocks Huawei from buying part of 3Com, a U.S. firm selling networking security software to the U.S. military.
The U.S. government stops Huawei from buying tech company 3Leaf.
A Huawei worker is accused of sending his CEO technical documents marked “Motorola Confidential Proprietary” on every page. Motorola sue, accusing Huawei of stealing its SC300 base station technology. Huawei countersued Motorola in 2011 for using its technology without consent, and the two sides settled in 2011.
The U.S. House Permanent Select Committee on Intelligence names Huawei a threat.
Australia bars Huawei from tendering for broadband.
Huawei employees target Tappy, T-Mobile’s smartphone robot.
A company linked to Huawei tries to sell U.S. equipment to Iran, in violation of U.S. sanctions. In 2019, the U.S. leveled fraud charges against Huawei executive Meng Wanzhou alleging that she concealed this information from banks.
Huawei-installed technology at African Union headquarters was reported to have been hacked for five years. Huawei denies any involvement.
A Huawei employee alleges that the company ordered him to use a fake company name to infiltrate a closed Facebook telecom meeting.
A Texas jury found Huawei guilty of stealing trade secrets from Silicon Valley start-up CNEX, after former employee Yiren Huang filed suit. He alleged Huawei rewarded staff members for stealing intellectual property and kept a secret database of stolen technology. Huawei responded by also suing Yiren Huang for theft, but the case was not upheld.
AT&T and Verizon drop Huawei sales plans due to U.S. government security concerns.
The Australian Defense Department phases out Huawei smartphones.
The Pentagon orders a halt to Huawei sales on military bases.
The U.S. government bars companies from doing business with Huawei without permission.
Leaked documents show that in 2008 Huawei secretly helped North Korea build its wireless mobile system, possibly breaching a U.S. export ban.
Following roughly a decade of growing mistrust between the U.S. and Huawei, the U.S. has stepped up its legal action against the company, culminating in two recent, high-profile events that have dominated the national security headlines. In December of 2018, Canadian officials arrested Huawei CFO, and daughter of founder Ren Zhengfei, Meng Wanzhou on behalf of the United States. The U.S. leveled charges that Huawei had violated economic sanctions imposed against Iran. The extradition trial is still ongoing, and, in February of 2020, Meng was personally indicted by the U.S. Department of Justice for trade secret theft. Ms. Wanzhou remains in Canada under house arrest on C$10 million bail. Most recently, in February of 2020, the U.S. charged Huawei with racketeering and conspiracy to steal trade secrets from American companies. The official charges allege that Huawei conspired to steal trade secrets from five American firms (Cisco, Motorola, Quintel, T-Mobile, and CNEX) and the Japanese firm Fujitsu, including source code and manuals for wireless technology. The DOJ alleges that the criminal activity has been ongoing since at least 1999.
While the U.S. has begun a maximum pressure campaign against Huawei, other governments have not seen Huawei as an imminent national security threat. The British government, like the U.S., has raised security concerns about Huawei, and an internal report from the UK’s Huawei Cyber Security Evaluation Centre (HCSEC) concluded, in March of 2019, that Huawei equipment poses significant security risks. However, despite the report’s conclusions, the UK announced in January of 2020, that it will move forward allowing Huawei equipment to be used in its radio access network (RAN). The British government will not allow Huawei equipment in the core network for 5G development but will permit its small cell radio transmitters to build out RANs across the UK. That decision sparked immediate pushback from the U.S., as the UK is a key ally in intelligence sharing through the Five Eyes Alliance. Experts disagree as to whether excluding Huawei from core networks will mitigate its risks, since 5G technology does not rely as heavily on a centralized core network to perform data-routing functions. Other U.S. allies, such as Saudi Arabia and Germany, are continuing to work closely with Huawei on the development of their 5G networks, including on 5G trials and regulation.
Huawei’s Real Security Threat: Rushing Flawed Software to Market
While the security concerns surrounding Huawei’s 5G technology have predominantly concerned Huawei’s ties to the Chinese government, the potential for backdoors to be used for spying, and intellectual property theft, the most imminent security threat may actually be deficiencies in its software code. A 2012 White House review did not find any evidence of spying by Huawei, but it did find holes in Huawei’s source code, which made Huawei’s device software more vulnerable than its rivals. While Huawei denied that report, a 2019 review by the UK’s Huawei Cyber Security Evaluation Centre (HCSEC) backed it up. The HCSEC found that there were underlying defects in Huawei’s software code and security processes that could easily be exploited by governments or independent hackers. The report concludes that due to the number and severity of vulnerabilities, “if an attacker has knowledge of these vulnerabilities and sufficient access to exploit them, they may be able to affect the operation of the network, in some cases causing it to cease operating correctly.”
Additionally, British officials concluded that Huawei has poor oversight of its supplier networks and does not have a clear process for reviewing the origin of component software and which suppliers are responsible for developing each piece of code. As a result, governments and companies installing Huawei equipment also do not have a clear understanding of where the code they are introducing into their networks originated from, handicapping their ability to isolate and trace potential threats. While the British government has explicitly raised these security concerns, the UK is pressing ahead toward using Huawei in its RAN. While espionage and other security issues remain concerns, Huawei’s ability to quickly capture substantial market share has spread these vulnerabilities worldwide. That raises broader national security concerns in the development of 5G technology: 5G networks are likely to contain a wide range of general vulnerabilities, which could be exploited by any bad actor, not just the Chinese government.
Critical Vulnerabilities in 5G Network Design
With the development of 5G technology, telecom companies are working to improve 4G networks’ security using advanced end-to-end encryption and “network slicing,” which will segment 5G networks into numerous virtual networks, allowing tailored security measures for each segment. However, the development of 5G networks introduces completely new security risks that are inherent to its design, such as an increased attack surface and the required transition to a software-based core network—issues that governments and companies are still attempting to tackle.
5G will eventually move to a cloud-based software system with significantly more vulnerabilities
As 5G networks are developed, core networks will transition from hardware-based systems to cloud-based software-controlled systems. This evolution will create unique challenges for data security due to more access points in the network and less ability to regulate data flowing through the network, ultimately generating a larger attack surface for cyber threats.
The Internet of Things will generate exponentially more targets for hackers
The number of devices connected to 5G networks will create additional security risks. As the “Internet of Things” becomes a reality, and the market for IoT devices expands, nearly every device—from cars to refrigerators—could become a target for malicious actors.
What’s at Stake
The integrity and security of data and networks across the world. The mass-scale connectivity that 5G enables will multiply the security risk for all actors on the network, raising concerns for governments, companies, and consumers worldwide.
Understanding 5G Core Networks: Their Enhanced Capabilities and Critical Vulnerabilities
5G core networks will revolutionize how data moves through networks, but they also present the most pressing security challenges in 5G development.
Click to to learn what these challenges are
5G networks consist of two main components: the radio access network (RAN) and the core network. In Part I, Technology and Infrastructure, we outlined how 5G technology would transform RANs, requiring significantly more small cell radio towers, in order to transmit data over higher spectrum frequencies. In addition to transforming the physical RAN, 5G technology will transform the design of the core networks. While the RAN functions like the nervous system of a telecom network, reaching across wide geographic areas to transmit small pieces of information to each, the core network functions as the brain of the network. All data collected through the RAN is sent to the core network, where it is then routed to the correct recipient. In previous generations, this process was controlled largely through a central hub, which contained physical network infrastructure of switches and cables, which would use software systems to effectively route the data. Under this system, networks could be secured by building in “choke points” in the physical infrastructure, which would check data flowing through the system for threats and identify potential cyberattacks. In a 5G core network, however, this activity will be done through a web of digital routers operating throughout the network, enabling faster data transmission but—importantly—negating the possibility of building in manual choke points.
While physical telecom networks are predominantly reliant on the extensive infrastructure systems, routing information moving through this network requires computers running software systems to direct the information correctly. In 5G networks, data will be transmitted from the RAN to core networks that are predominantly software-based. While earlier wireless generations used a hardware-based centralized core network to route signals and perform network functions, 5G will make these functions cloud-based. In 5G networks, many data-processing functions that were previously performed through hardware systems in the core network will be moved to the “edge” of the core network and performed in the cloud. This “edge” network refers to a cloud-based system of servers that will virtualize 5G networks using the common language of Internet Protocol (IP). While using a common programming language will make collaborating and developing on 5G networks easier, it will also make creating malicious software and breaking encryption on the network easier.
5G Core Networks Move Data Routing into the Cloud
5G core networks rely on edge servers to route data at faster speeds through a software-based cloud system.
General Vulnerabilities in 5G Networks
5G networks’ switch from hardware-based core networks to software-dictated cloud-based core networks creates new, and potentially greater, cybersecurity risks than with 4G networks. An attack on either the core network or the RAN can disrupt and intercept data flow, allowing malicious actors to hijack information or shut down key infrastructure. Additionally, since 5G networks will eventually be managed by artificial intelligence-based software (AI), an attacker who gains control of the software could also gain control over the entire network. Since an AI-controlled software system would coordinate each separate server cluster, access to the overarching AI system would allow access to data originating anywhere within the network. The broad reach of 5G networks’ infrastructure, and the mass-scale connectivity create an increased attack surface through multiple vectors. With more lines of software being used to dictate the flow of data through the system, the volume of data will almost certainly exceed telecom companies’ capacity to physically monitor everything that is flowing through the network, making cyber threats more difficult to detect. These vulnerabilities require coordination among all actors involved in security. Governments can set security standards and directives, but ultimately telecom providers, third-party firms, companies, and individuals will all be responsible for securing their own networks.
In addition, with the increased number of small cell radio towers needed to operate 5G networks, there are potentially thousands more access points for threats to access the network through. Backdoors can be installed in the mobile base stations that make up the RAN, and they are nearly impossible to detect once installed. In cybersecurity terms, a backdoor is a method of bypassing normal authentication or encryption in a computer system or another physical product and is used for obtaining remote access and control over that computer system or device. In addition to increased access to the network, the number of connected devices that could potentially be tapped into will increase exponentially with the Internet of Things, and Internet-connected devices, such as Nest, are already being hacked frequently. In the near term, the impact from backdoor attacks is likely to be minimal, with the most obvious effect being a slowdown in Internet and download speeds or a loss of phone service. However, when 5G enables entire electric grids and sewer systems to be put online, that sort of cyberattack could eventually cause mass-scale disruption and shut down entire cities. Ultimately, those vulnerabilities mean that the security threat on 5G networks comes not only from the potential of Chinese interference—as is the focus of governments’ and most media attention—but from any bad actor with the technical capability to exploit 5G networks’ increased vulnerability.
Supply Chain Vulnerabilities
As outlined in Part II of our series, The Competitive Landscape, the 5G supply chain is far-reaching and complicated. That is true for both the hardware and software components used in developing 5G networks. Before a component is placed into a 5G telecom network, it will have been through multiple suppliers and integrators. The components used in final products range from resistors and capacitors to CPUs and are manufactured in nearly every country in the world. The supplier of each of those components also provides accompanying software, generally in the form of a microcode inside a processor. That microcode is called “firmware,” the software programs permanently coded into a hardware device such as a keyboard, a hard drive, or the smaller components used in building RAN equipment. It is programmed to give permanent instructions to communicate with other devices and perform basic commands and functions. Firmware interfaces with the hardware and operating systems to run application software on 5G telecom equipment. Just like the hardware components used to assemble 5G telecom equipment, the accompanying software components are passed through the supply chain and built upon before making their way to the original equipment manufacturer (OEM), such as Huawei, Nokia, Ericsson, or Samsung, who ultimately supplies the telecom hardware to the network providers. The OEM is responsible for integrating all of the external firmware and additional software built into each component with its custom software and any other software from third-party suppliers. Huawei uses two suppliers for each individual component used in its product and works with a total of 92 companies from at least ten different countries. That means that by the time the OEM, such as Huawei, ships a telecom product to the end-user, the product will contain software written by potentially thousands of engineers at dozens of companies from around the globe, which means that even for companies such as Huawei, Ericsson, and Nokia, it is difficult to track where each part of their software code originates from.
The complexity of this supply chain system introduces multiple points of entry for actors looking to hack into telecom systems. There are two primary ways in which potential bad actors can exploit the supply chain: 1) installing hardware backdoors; and 2) installing firmware and software backdoors. Hardware backdoors, as their name implies, are installed into the hardware and allow an actor to monitor the network without detection. Additionally, hardware backdoors need to be physically removed, since they cannot be eliminated through software, making them significantly more difficult to combat than software backdoors. The most widely publicized use of hardware backdoors regards Edward Snowden’s allegations against the NSA, alleging that it used backdoors in Cisco routers to intercept communications on telecom networks. While hardware backdoors are more effective, firmware backdoors are much easier to enable due to device firmware’s tendency to be full of vulnerabilities already. But, while firmware backdoors are easier to detect overall than hardware backdoors, it is nearly impossible to detect their origin, allowing actors to deny culpability more plausibly if the backdoor is discovered. Due to the number of potential actors who could install firmware or hardware backdoors into 5G network equipment, it is difficult to isolate and focus on any one actor as a primary threat. However, a quantitative research review of major OEM component providers by the supply chain security consulting firm Finite State concluded that Huawei’s telecom equipment had the most firmware backdoors embedded into its equipment of all OEM’s, with 55 percent of all equipment analyzed containing at least one potential backdoor.
Huawei Vulnerabilities Compared to Key Competitors
Huawei’s 5G core network routing equipment was found to have significantly more software vulnerabilities than that of competitors.
- ■ Huawei
- ■ Arista
- ■ Juniper
|Credentials||Login information that is stored into the software allowing outside actors access.|
|Crypto (Cryptographic Keys)||A string of data that is used to lock or unlock cryptographic functions, including authentication, authorization, and encryption. The presence of cryptographic keys creates the potential for the user who embedded the key to access the device.|
|Common Vulnerabilities and Exposures (CVE’s)||A dictionary-type reference system or list for publicly known information-security threats. This list of common security vulnerabilities is maintained by the MITRE Corporation and sponsored by the National Cyber Security Division (NCSD) of the Department of Homeland Security.|
|Memory Corruptions||A vulnerability that occurs in a computer system when its memory is altered without an explicit assignment due to programming error. When the corrupted memory contents are used later in that program, it leads either to a program crash or erratic, disruptive operation.|
|Configuration Management||A process to systematically manage, organize, and control the changes in the documents, codes, and other entities during the Software Development Life Cycle. Using different and older versions of the OpenSSL library increase risk.|
Security Snapshot: Addressing Tomorrow’s Vulnerabilities Today
The inherent security issues built into 5G networks will create new opportunities for attacks and new security challenges for governments, companies, and individuals operating on 5G networks. Understanding the complexity of the challenges presented by 5G security issues, as well as the responses being taken in response to these issues, is critical for companies that hope to take full advantage of 5G networks’ capabilities.
5G technology will allow cyberattacks to pinpoint specific sectors
Due to the decentralized design of 5G server networks, 5G will make it easier for attackers to target specific sectors within a larger network. Under that design, malicious actors could target and take out specific online systems, such as cities’ electrical grids, air-traffic control systems, stock exchanges, and more—all with potentially catastrophic and cascading impacts.
No single actor can guarantee 5G networks’ security
While security actions should be coordinated at every level—across governments, companies, and individuals—there is no perfect solution for ensuring 5G network security. Therefore, companies and individuals should be proactive in implementing their own security measures instead of waiting for system-wide solutions.
What’s at Stake
Governments’ and corporations’ ability to effectively secure their own networks and critical operating infrastructure is at risk. With increasing amounts of critical infrastructure operating online, from hospital networks to defense systems, the risks from shutdown carry increasing economic and real-life consequences.
Increased Cyberattack Opportunities and Implications
Cyberattacks already account for billions of dollars in losses globally. 5G will make securing against those attacks even more difficult.
Click to learn more
A 2019 survey of cybersecurity and risk-management leaders revealed that 80 percent believed that 5G technology will make their enterprises more vulnerable to attack. Industry leaders stated that the largest risks they saw associated with 5G technology were more targeted IoT attacks, 5G firmware hacking, and a larger attack surface providing more opportunities for hackers. Crucially, all of those concerns are unique to development of 5G technology and do not have definitive solutions, and the majority of governments around the world do not have high-level security planning directives in place to address them. While concern is increasing around the risks associated with 5G security and cyberattacks, the implications from those attacks—and why they have the potential to be significantly more devastating that cyberattacks on 4G networks—are still not spurring the necessary coordinated action.
The 5G networks design relies on clusters of edge servers connecting to physical radio towers, which transmit data via the cloud to each other and to the core network. That system makes it possible for cyberattacks to target critical infrastructure operating on 5G networks with increased precision. An attack can be aimed at the server, or cluster of servers, being used to connect specific systems to the broader 5G networks, without needing to launch an attack at the centralized core of the network. In practice, an attack targeted at a specific server could cripple critical systems relying on 5G speeds by either knocking them offline or constraining their operability by downgrading them to 4G speeds. While 4G speeds are able to support much of our current communications infrastructure, future systems using advanced technology, such autonomous vehicles, would be unable to operate at 4G speeds. For individual consumers, such an event would likely not create major problems, as the most noticeable effect would likely be device download speeds slowing. However, as an increasing number of industries begin relying on 5G technology, the implications of that type of targeted attack become significantly greater. Once hospital systems rely on 5G technology for critical surgeries, for example, and traffic systems require 5G speeds to operate autonomous vehicles, that type of targeted attack could effectively shut down entire segments of the economy or entire cities. In the worst-case scenario, those attacks could be paired with physical attacks. Imagine a terrorist organization shutting down a city’s ability to communicate before executing a physical strike. The potential ramifications from a targeted attack illustrate the pressing need to make 5G security a priority. Yet, general network security remains an overwhelming challenge for most companies and governments.
The Prevalence and Economic Impact of Cyberattacks
Cyberattacks have caused billions of dollars in losses to companies across the globe and have exposed millions of individuals’ sensitive information to criminals.
Major Cyberattacks by Region
Major reported data breaches from each region. The U.S. accounted for 86% of the global total, however the majority of breaches likely go unreported
15 Largest Data Breaches
Personal data exposed through leaked account information
|All 3 billion accounts compromised||Yahoo||2013|
|500 million compromised accounts||Marriott||2018|
|360 million compromised accounts||MySpace||2016|
|145 million compromised accounts||eBay||2014|
|143 million accounts exposed, including 209k credit card numbers||Equifax||2017|
|117 million emails and passwords leaked||2016|
|110 million compromised accounts, incl. 40 million payment credentials||Target||2013|
|100 million compromised accounts||Quora||2018|
|92 million screen names and email addresses stolen||AOL||2004|
|80 million company records were hacked, including Social Security numbers||Anthem Inc||2015|
|57 million compromised accounts||Uber||2016|
|50 million compromised accounts||2018|
|9.4 million compromised accounts, including 860k passport numbers||Cathay Pacific||2018|
|7.6 million compromised accounts||Blank Media||2018|
|133,827 compromised accounts, including payment methods||Three||2016|
Types of Cybercrime and Average Cost (2018)
Regardless of the type of attack, information loss and business disruption occurring from attacks have constituted the most significant losses. In 2018, information loss and business disruption combined constituted over 75 percent of total business losses from cybercrime.
Software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system.
Major consequence: Information loss.
Average annual cost in 2018: $2.6M
Percent change from 2017: +11%
Target user data by using the Web to gain access to the systems that either store or interact with your data.
Major consequence: Information loss.
Average annual cost in 2018: $2.3M
Percent change from 2017: +13%
Occurs when legitimate users are unable to access information systems, devices, or other network resources due to the actions of a malicious cyber actor.
Major consequence: Business disruption.
Average annual cost in 2018: $1.7M
Percent change from 2017: +10%
Actors who maliciously and intentionally abuse legitimate credentials, typically to steal information for financial or personal gain.
Major consequence: Business disruption and information loss.
Average annual cost in 2018: $1.6M
Percent change from 2017: +15%
Average Annual Cost of Cybercrime by Industry
A study of 1,000 cyberattacks across eleven countries found that average annual costs of cybercrime per company is increasing significantly in nearly every industry examined
Crafting Effective Cybersecurity Procedures: An Individual and Collective Burden
Despite the clear security challenges presented by 5G technology, limited awareness of those risks and cost considerations inhibit coordination and greater investment in enhanced cybersecurity. A 2019 report from the Altran Group reported that ninety-one percent of business leaders surveyed reported that increased cybersecurity awareness at the C-level translated into their decision-making. The report also found that the majority of cybersecurity decisions are optimizing for cost, not security, with companies often underestimating the likelihood—and financial and reputational damage—of cyberattacks. Further, entities’ responsibility for securing networks also remains unclear. When cyberattacks do occur, blame is often widely dispersed, with tension between regulators and private-sector actors making it difficult to implement broad-sweeping security standards in response to hacks. As 5G networks transition to a cloud-based model for their core networks, many telecom operators will rely on collaborations with third-party companies, such as Google and Amazon, to assist with hosting their cloud services. Given the number of actors across the supply chain, assigning responsibility and liability for breaches remains exceedingly complex.
In addition to the existing technical challenges in securing 5G networks—human error, coupled with the proliferation of 5G-enabled devices, creates compounding and underappreciated security challenges. Currently, the largest source of cybersecurity attacks is “phishing” attacks—generally defined as attacks that use a false website or link to lure users into revealing sensitive information—which account for roughly one-third of all cyberattacks. An Accenture report on the cost of cybercrime, of which phishing is the most common form, found that the average cost of an attack has increased by an average of 166 percent per year over the past five years. The average attack cost companies $1.4 million in 2013, and $13 million in 2018. The proliferation of phishing attacks, along with the diffusion of responsibility for cybersecurity along the supply chain, means that securing 5G networks will be a burden shared among governments, companies, and individuals.
As 5G technology continues to move greater segments of the population and economy online, the ability to effectively coordinate human beings—leaders in government, industry, and other individuals—will likely prove to be 5G’s best security breakthrough or its most fatal flaw. Even in the most optimistic scenario, there is unlikely to be any systemwide coordinated effort that can effectively guarantee security on 5G networks. Already, competing interests among these stakeholders are beginning to shape an emerging conflict over data security on the internet – most notably with respect to end-to-end encryption. The best tool yet to protect online data, end-to-end encryption prevents data from being read or secretly modified by actors other than the true sender and recipient. While this prevents hackers and bad actors from intercepting personal data, it also prevents governments from accessing it. Government efforts to gain backdoor access are already in place in Australia, and are making their way through the U.S. Congress as part of the EARN IT Act. Allowing government backdoors would also create openings for other actors wishing to access the information, and effectively erode one of the most robust security measures currently available. Ultimately, organizations at all levels will need to take responsibility for their own security. By ramping up security investments, improving employee-training programs, and staying informed about technological developments and risks, organizations of all sizes and types must be proactive in mitigating financial loss and reputational damage if they are victims of a breach.
5G technology will be undoubtedly be a globally transformative technological force. The ability to digitize industries, from transportation to medicine, has the potential to radically transform both the global economy and our everyday lives. However, we are still a long way from achieving that future, and the benefits of 5G are likely to arrive intermittently throughout the coming years, accompanied by real risks and potential for serious geopolitical confrontations. In Part I of our series, Technology and Infrastructure, we laid out how the extensive physical infrastructure needed for 5G technology to function is still being built, and how Huawei has taken an early lead in developing this infrastructure, despite pushback from the U.S. Part II, The Competitive Landscape, illustrated how spectrum and global 5G standards will impact the development of 5G and the inability to remove Huawei from the process due to its ownership of the underlying technology used in 5G networks. And, finally, Part III, National Security, outlined the inherent security threats present in the development of 5G and the current shortcomings in coordination between government and private-sector actors to mitigate those risks.
Navigating the new world that 5G technology unleashes will be a tremendously complex and circuitous process, which will play out over a long period of time. No country is likely to reap all the rewards from 5G, but there will be definitive winners and losers across nations and industries. Myriad risks accompanying 5G development will affect all actors involved, from corporations to individuals. The actors that take a more proactive approach to security will likely be better positioned to mitigate the risks and adverse impacts and capitalize on the benefits that 5G promises. Vigilant risk-monitoring and public-private collaboration on regulation will be critical—with respect not only to 5G, but also future governance of our digital economy. Rapidly evolving data localization, privacy, and content regulations will further transform the ways we live and do business. We will tackle those issues and more in future Power Maps. Stay tuned.
Written by Christian Perez. Edited by Allison Carlson. Copyedited by David Johnstone. Design and development by Andrew Baughman. Art direction by Adam Griffiths. Graphics by Colin Hayes for Foreign Policy. Photos by Getty Images.
Learn more about how FP Analytics can enable your organization to act strategically through data-driven insights at ForeignPolicy.com/FP-Analytics.
For More FP Insights on 5G:
- Accenture (2019). The Cost of Cybercrime. Retrieved February 26, 2020, from https://www.accenture.com/_acnmedia/PDF-96/Accenture-2019-Cost-of-Cybercrime-Study-Final.pdf#zoom=50
- Bosnjak, D. (2019, May 20). Huawei & US Government Timeline: A Standoff Years in The Making. Retrieved March 4, 2020, from https://www.androidheadlines.com/2018/04/huawei-us-government-timeline-a-standoff-years-in-the-making.html
- Chappell, B. (2020, January 28). U.K. Will Allow Huawei To Build Part of Its 5G Network, Despite U.S. Pressure. Retrieved March 2, 2020, from https://www.npr.org/2020/01/28/800377277/u-k-will-allow-huawei-to-be-part-of-its-5g-network
- Crane, C. (2019, July 24). 20 Phishing Statistics to Keep You from Getting Hooked in 2019. Retrieved March 2, 2020, from https://www.thesslstore.com/blog/20-phishing-statistics-to-keep-you-from-getting-hooked-in-2019/
- Department of Defense (2019, April). The 5G Ecosystem: Risks and Opportunities for DoD. Retrieved February 2, 2020 from https://media.defense.gov/2019/Apr/03/2002109302/-1/-1/0/DIB_5G_STUDY_04.03.19.PDF
- Desjardins, J. (2019, June 27). The 15 Biggest Data Breaches in the Last 15 Years. Retrieved March 2, 2020, from https://www.visualcapitalist.com/the-15-biggest-data-breaches-in-the-last-15-years/
- Do You Understand Your Chokepoints? (2013, July 24). Retrieved March 6, 2020, from https://potsandpansbyccg.com/2013/07/24/do-you-understand-your-chokepoints/
- Finite State. Finite State Supply Chain Assessment Huawei Technologies ltd. Retrieved February 27, 2020, from https://finitestate.io/wp-content/uploads/2019/06/Finite-State-SCA1-Final.pdf
- Greenberg, A. (2017, June 3). Hacker Lexicon: What Is End-to-End Encryption? Retrieved March 30, 2020, from https://www.wired.com/2014/11/hacker-lexicon-end-to-end-encryption/
- Greenwald, G., MacAskill, E., & Poitras, L. (2013, June 11). Edward Snowden: the whistleblower behind the NSA surveillance revelations. Retrieved February 2, 2020, from https://www.theguardian.com/world/2013/jun/09/edward-snowden-nsa-whistleblower-surveillance
- Harris, S. (2019, October 24). 5G and AI Expected to Bring Heightened Cybersecurity Risks, Study Finds. Retrieved March 3, 2020, from https://www.globenewswire.com/news-release/2019/10/24/1934756/0/en/5G-and-AI-Expected-to-Bring-Heightened-Cybersecurity-Risks-Study-Finds.html
- Horowitz, J., & McLean, S. (2018, December 12). Facing extradition to the US, Huawei’s CFO is released on bail in Canada. Retrieved March 2, 2020, from https://www.cnn.com/2018/12/11/tech/huawei-meng-wanzhou-bail-decision/index.html
- Huawei cyber security evaluation centre oversight board: annual report 2019. Retrieved February 25, 2020 from https://www.gov.uk/government/publications/huawei-cyber-security-evaluation-centre-oversight-board-annual-report-2019
- Junior, J.H. (2019, July 15). Huawei says it has two suppliers for each component used in its products. Retrieved March 4, 2020, from https://www.huaweicentral.com/huawei-says-it-has-two-suppliers-for-each-component-used-in-its-products/
- Kelion, L. (2020, January 28). Huawei: What is 5G’s core and why protect it? Retrieved March 3, 2020, from https://www.bbc.com/news/technology-51178376
- Kharpal, A. (2019, May 8). Huawei CFO's extradition case: Everything you need to know. Retrieved March 5, 2020, from https://www.cnbc.com/2019/05/08/huawei-cfo-meng-wanzhou-extradition-case-everything-you-need-to-know.html
- Lerman, R. (2017, May 18). Jury awards T-Mobile $4.8M in trade-secrets case against Huawei. Retrieved March 5, 2020, from https://www.seattletimes.com/business/technology/july-awards-t-mobile-48m-in-trade-secrets-case-against-huawei/
- Marks, J. (2020, March 30). The Cybersecurity 202: Cybersecurity experts slam child protection bill that risks rolling back encryption. Retrieved March 30, 2020, from https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2020/03/30/the-cybersecurity-202-cybersecurity-experts-slam-child-protection-bill-that-risks-rolling-back-encryption/5e80cfd5602ff10d49ad761a/
- Mccabe, D., Hong, N., & Benner, K. (2020, February 13). U.S. Charges Huawei With Racketeering, Adding Pressure on China. Retrieved March 2, 2020, from https://www.nytimes.com/2020/02/13/technology/huawei-racketeering-wire-fraud.html
- Menn, J. (2012, October 17). Exclusive: White House review finds no evidence of spying by Huawei - sources. Retrieved March 4, 2020, from https://www.reuters.com/article/us-huawei-spying/exclusive-white-house-review-finds-no-evidence-of-spying-by-huawei-sources-idUSBRE89G1Q920121017
- Newman, L.H. (2019, December 13). 5G Is More Secure Than 4G and 3G—Except When It’s Not. Retrieved March 3, 2020, from https://www.wired.com/story/5g-more-secure-4g-except-when-not/
- Pearlstine, N., Krishnakumar, P., & Pierson, D. (2019, December 19). The War Against Huawei: Why the U.S. is trying to destroy China’s most successful brand. Retrieved March 4, 2020, from https://www.latimes.com/projects/la-fg-huawei-timeline/
- Peterson, H. (2019, September 25). Wisconsin couple describe the chilling moment that a hacker cranked up their heat and started talking to them through a Google Nest camera in their kitchen. Retrieved March 2, 2020, from https://www.businessinsider.com/hacker-breaks-into-smart-home-google-nest-devices-terrorizes-couple-2019-9
- Satariano, A. (2019, March 28). Huawei Security ‘Defects’ Are Found by British Authorities. Retrieved March 4, 2020, from https://www.nytimes.com/2019/03/28/technology/huawei-security-british-report.html
- Schulze, E. (2019, March 28). Huawei's equipment poses ‘significant’ security risks, UK says. Retrieved March 3, 2020, from https://www.cnbc.com/2019/03/28/huawei-equipment-poses-significant-security-risks-uk-says.html
- Shih, G., Nakashima, E., & Hudson, J. (2019, July 22). Leaked documents reveal Huawei’s secret operations to build North Korea’s wireless network. Retrieved March 5, 2020, from https://www.washingtonpost.com/world/national-security/leaked-documents-reveal-huaweis-secret-operations-to-build-north-koreas-wireless-network/2019/07/22/583430fe-8d12-11e9-adf3-f70f78c156e8_story.html
- Spiegel, D. (2014, March 22). NSA Spied on Chinese Government and Networking Firm Huawei - DER SPIEGEL - International. Retrieved March 2, 2020, from https://www.spiegel.de/international/world/nsa-spied-on-chinese-government-and-networking-firm-huawei-a-960199.html
- Swain, J. (2020, March 5). AT&T and Google Cloud Team Up to Enable Network Edge 5G Computing Solutions for Enterprises. Retrieved March 10, 2020, from https://cloud.google.com/press-releases/2020/0305/google-cloud-att-collaboration
- Taylor, C. (2019, October 16). Germany set to allow Huawei into 5G networks, defying pressure from the US. Retrieved March 3, 2020, from https://www.cnbc.com/2019/10/16/germany-to-allow-huawei-into-5g-networks-defying-pressure-from-the-us.html
- Technology, L.E.I. (2020, January 6). Why Edge Computing is Key to 5G in 2020. Retrieved March 2, 2020, from https://www.lanner-america.com/blog/why-edge-computing-is-key-to-5g-in-2020/
- The United States District Court for the Eastern District of Texas (2003, February 5). Cisco’s Motion for Preliminary Injunction. Retrieved February 25, 2020, from https://newsroom.cisco.com/dlls/Cisco_Mot_for_PI.pdf
- Wheeler, T., & Simpson, D. (2019, October 25). Why 5G Requires New Approaches to Cybersecurity. Retrieved February 25, 2020, from https://www.brookings.edu/research/why-5g-requires-new-approaches-to-cybersecurity/
- Wheeler, T. (2019, July 9). 5G in five (not so) easy pieces. Retrieved February 25, 2020, from https://www.brookings.edu/research/5g-in-five-not-so-easy-pieces/
Have a minute? We'd love to get your thoughts on what you're reading. Help guide future Power Maps by taking a brief survey on 5G Explained.