The hype of new technologies in the market means business leaders can often become distracted from mundane requirements such as ensuring reliable security is in place. Dmitry Kurbatov, CTO at Positive Technologies, tells us why one out of every three attacks on 5G infrastructure succeeds and discusses the absolute necessity of having an effective security model prior to 5G operation.
2019 is undoubtedly the year of 5G – a network upgrade which continues to define the future of telecoms, whether through the endless media firestorm surrounding Huawei or the multiple rollouts by UK operators such as EE, Three and Vodafone launching their networks. This attention shows no sign of slowing down as annual spending on network infrastructure is set to increase to US$4.7 billion by the end of 2020, rising to US$8 billion by 2023. The UK government has also announced plans to give a majority of the population access to 5G signal by 2027 with Ofcom granting more capacity for 5G networks from 2020 to increase its coverage.
Competition to launch has driven providers to innovate and upgrade faster than they should, leaving security on the ‘to-do list’. It is easy to get swept up in the excitement around these ‘new’ ultra-fast networks.
However, 5G security concerns are top of the agenda for the UK government. The Science and Technology Committee held a Q&A on the security of telecoms infrastructure, asking industry leaders including academics and representatives of major suppliers (Ericsson, Nokia, Huawei), about the risks associated with 5G and the extent to which those can be managed. This preceded a more comprehensive assessment of the issue in the Telecoms Supply Chain Review by the Department of Digital, Culture, Media and Sport. The Secretary of State, Jeremy Wright, MP, said: “The current levels of protection put in place by industry are unlikely to be adequate to address the identified security risks.”
There are also international efforts to adopt a high level of 5G cybersecurity, with the European Commission and European Agency for Cybersecurity having published a risk assessment of cybersecurity in 5G networks. By the end of December 2019, the NIS Cooperation Group will agree on a toolbox of mitigating measures to address the associated 5G cybersecurity risks at national and European Union level. However, the conflict between the hastiness of operators and the cautiousness of governments means there is a potential risk of reputational and financial damage further down the line, if inadequate security measures aren’t addressed.
As with many new and evolving technologies, the potential of 5G seems limitless: one study found that while it might take a 4G (LTE) network 40 minutes to download a three-gigabit movie, 5G would increase bandwidth speeds to the point where this would take just 21 seconds. As exciting as this sounds – with great power comes great responsibility. As operators deploy 5G to keep pace with evolving customer expectations of being ‘always on’ and ‘always connected’, it also becomes a prime target for cybercriminals to wreak havoc.
One of the major cybersecurity risks is that 5G is not entirely replacing previous networks. The reality is that 5G networks are still reliant on a pre-existing 4G (LTE) core, which means that any new networks will have the same security flaws from day one. Vendors’ priorities need to fundamentally change when it comes to launching their 5G networks. Despite their best intentions to have secure networks, the residual flaws of previous generations will be a consistent thorn in the side of operators.
Our recent security audit found that every 4G network is open to exploitation by hackers seeking to commit crimes, such as denial of service (DoS) attacks and tracking the location of a user, with one in three at risk of fraud attacks on the operators themselves.
Another issue which is growing in regard to 5G is that it will penetrate so many aspects of daily life – whether it be healthcare, transport or any number of other industries – and with the rise of IoT, the threat landscape has become more connected and complex. With an estimated 20 billion of these devices in use by 2020, new threats emerge every day, but for operators to have a chance they will need to adapt to a much broader range of devices and develop specific threat models tailored to them. Our researchers found that the number of malware campaigns targeting IoT devices grew by an incredible 50% over the last year, during which time we identified more than 1,100,000 vulnerable devices.
The main vulnerability IoT presents is the opportunity for cybercriminals to use botnets to orchestrate scalable malware infections in poorly protected devices. The potential for disruption is massive – Mirai malware was used in October 2016 to devastating effect through a coordinated DoS infection of IoT devices and resulted in many high-profile websites, such as Amazon, Netflix and Airbnb, becoming temporarily inaccessible. The next threat like this is around the corner and as the number of IoT devices increases exponentially, so too does the level of potential disruption.
The reality is that many of the security risks associated with 5G infrastructure can be avoided in the early stages of development. Often in the early stages of implementation, operators do not pay nearly enough attention to intergeneration security and it becomes an afterthought – when flaws may have already been built in. This approach makes financial sense in the short term, but further down the line vendors will be forced into remedial security measures as issues arise. This will put a squeeze on budgets which have failed to factor in the potentially enormous cost of later-stage security.
Quick-fix patches are not the answer and real consideration needs to be given to integrating solutions effectively into the network architecture. This is a frequent issue with 5G networks – experts have found that one out of every three attacks on 5G infrastructure succeeds because of the incorrect configuration of equipment. It is clear that the most successful security measures are those which are implemented as early as possible in the development of a network.
However, as it currently stands, operators remain focused on speed and innovation, with security at the back of the queue. Operators need to take a ground-up approach – focusing less on the bells and whistles of 5G and more on the nuts and bolts of its security from day one. This will not only save on costs further down the line, but provide an additional selling point: as more money is pumped into 5G development, robust security strategies will increasingly be of value as insurance against growing threats. When effective security is finally in place, we can begin to think about all the ways in which 5G can positively transform our lives.