CISA Points to Potential Cybersecurity Threats to 5G Infrastructure

Published: May 13, 2021


The federal cybersecurity watchdog highlights ways evolving 5G standards, architectures and supply chains may be exploited by malicious actors.

The push is on for fifth-generation (5G) networks and capabilities across the nation and at federal agencies as well. As part of its mission to promote the security of federal agencies and beyond, the Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security (DHS) released a paper on Potential Threat Vectors to 5G Infrastructure to identify and assess risks and vulnerabilities introduced by 5G.

CISA’s brief stems from its collaboration with the National Security Agency (NSA) and the Office of the Director of National Intelligence (ODNI) as part of the Enduring Security Framework (ESF) cross-sector working group. The paper represents the ESF’s initial research in this area, and the group emphasized that its publication is not an exhaustive summary of the risks nor a technical review of possible attack methodologies.

5G Threat Vectors

CISA examined three major threat vectors in 5G to develop a summary and technical review of types of threats posed by 5G adoption in the United States and sample scenarios of 5G risks. The three major threat vectors covered are:

  • Policy and Standards – 5G policies and technical standards drive the development of the evolving 5G communications infrastructure, including the design and architecture of new technologies, such as autonomous vehicles, edge computing, and telemedicine. Given that impact, it is critical that international standards bodies – and the standards and policies they promulgate – are open, transparent and consensus driven. Threat vectors exist when adversarial nation states attempt to exert undue influence on standards that benefit their proprietary technologies and limit competition from trusted equipment or software makers. This introduces the potential for untrusted components and software to be embedded into 5G networks in ways that are difficult to detect and replace. It also increases the potential for the uneven application of security protocols that may be exploited by attackers.
  • Supply Chain – Threat actors may seek to introduce and/or exploit vulnerabilities throughout the information and communications technology (ICT) supply chain, exploiting the weakest links in a long line of suppliers. The 5G supply chain is at risk from the introduction of malicious software and hardware and counterfeit components, as well as risks due to poor design, manufacturing and maintenance processes. The rush to deploy 5G may exacerbate these risks. Entities that purchase 5G equipment from companies with compromised supply chains could be vulnerable to data interception, manipulation, or destruction and communications network disruption and failure.
  • 5G Systems Architecture – 5G architectures are being designed to meet rising demand for data and communications capacity. Although technology improvements enhance security in many areas, both legacy and new vulnerabilities may be exploited by malicious actors. Further, 5G will facilitate the proliferation of the Internet of Things (IoT), adding various and potentially less secure devices into the network and driving network architectural complexity that may introduce unforeseen system weaknesses or vulnerabilities. The future 5G systems architecture, which includes software-defined networking, cloud-native infrastructure, network slicing, edge computing and others, may increase the attack surface for malicious actors. Overlay of 5G onto legacy communications infrastructure may sustain inherent vulnerabilities that may be exploited.

Implications

CISA’s release comes as the White House extends the national emergency with respect to securing the information and communications technology and services supply chain declared on May 15, 2019 in Executive Order (EO) 13873. The declaration was set to expire on May 15, 2021. The extension and the growing compendium of analyses calling attention to the economic, societal and technical risks associated with ICT cybersecurity indicate that we may be years away from fully and effectively addressing these issues.

The ESF working group summary highlights the economic, competitive, and security implications of technical standards upon the 5G playing field, effectively alluding to the fact that if we allow global adversaries like China to make the rules for 5G they will leverage those rules to their own advantage, at least economically and geopolitically … and most likely maliciously. Mounting concern over China exerting its influence over international technology standards bodies and the risks associated with untrusted components in the U.S. supply chain has led to numerous cybersecurity and supply chain security provisions being added to the 2021 National Defense Authorization Act (NDAA).

To try to get ahead of the curve on the rising 5G trend line, Congress has also passed the Internet of Things Cybersecurity Improvement Act to begin to address cybersecurity concerns with IoT devices and their increasing proliferation. Concerns over supply chain risk management (SCRM) and the cybersecurity of contractor systems have driven the creation of the Defense Department’s Cybersecurity Maturity Model Certification (CMMC) program.

Each of these efforts and others will continue to evolve and significantly impact and reshape both the federal contracting environment and the national technological landscape. Vendors need to stay informed of the numerous federal initiatives in these areas and actively engage in the opportunities to help shape them or risk being left behind in this changing market.