THE T E L E C O M S I ND U S T RY ME D I A P L ATFORM
5G cybersecurity threats and solutions - S92
5G Cyber : CTOs from around the world weigh in
Focusing on how best to secure 5G networks
It’s all about safeguarding infrastructure
With 5G, the security aspects are crucial
Wider attack surface and cybersecurity vulnerabilities
5G cybersecurity threats AND solutions 2019
CONTENTS
2
THE TELEC OMS IND U ST RY M E D I A P L AT F O R M
6 “Security is a journey and not a one-time event” – TELUS CTO
12 5G challenges should be overcome with a ‘security by design’ approach, says Orange CTO
9 AT&T capitalizes on SDN to counter 5G cyber threats
15 KT embraces 5G with high level security technologies
4
The era when security has become much more complicated
18
5G Security Assessment and Verification
24
5G Cyber Security Living Lab
30
Europe set to be left lagging behind in race for 5G
5G cybersecurity threats AND solutions 2019
EDITORIAL
Editor in Chief & Senior ICT Analyst Toni Eid toni.eid@tracemedia.info
3
Toni Eid, founder editor in chief Telecom Review International
Senior Journalists Mark Forker mark@tracemedia.info Christine Ziadeh christine@tracemedia.info Editorial Team Shelley Beyak (British Colombia -Canada), Toni Eid (UAE), Mark Forker (UAE), Martha Kassouf (Lebanon), Lacinan Ouattara (Ivory Coast), Tala Issa (UAE), Jennifer Saade (Lebanon), Jeff Seal (USA), Christine Ziadeh (Lebanon) Copy Editor Shelley Beyak Advertising Enquiries Mohammed Ershad ershad@tracemedia.info Graphic Designer Vanessa Haber Responsible Manager Joseph Bou Daher News Provided in cooperation with AFP, the global news agency Published by
Trace Media Ltd. Zouk Mikael, Lebanon Kaslik Sea Side Road, Badawi Group Building, 4th Floor, P.O. Box 90-2113, Jdeidet el Metn Tel. +961 9 211741 M. +961 70 519 666 Trace Media FZ.LLC. Dubai Media City, UAE Building 7, 3rd Floor, Office 341 P.O. Box 502498, Dubai, UAE Tel. +971 4 4474890 M. +971 55 639 7080 Printing Arab Printing Press (Beirut-Lebanon) © All rights reserved Publication of any of the contents is prohibited - Year 14 - S92 -
Tackling 5G with Telecom Review Global edition
5
G is here - right now - and deployment has started. 5G chipsets are undergoing the last stages of manufacturing, and 5G devices are already available for testing.
Everyone agrees that 5G will create a massive data transaction on telcos’ networks due to the ultra-high speed, extra capacity and low latency provided by these networks, and will increase the number of connected devices in all categories from transport to automotive from banking to industrial, and any other service such health, utilities ,etc. However, the most important thing is that transactions and data are secured in a way so that systems don’t crash and personal information isn’t hacked. Data privacy must be preserved. This edition by Telecom Review about the 5G and cybersecurity issue is a global edition featuring exclusive interviews with the most influencing CTOs of the industry in North America, Europe and Asia, along with independent opinion features from research labs and universities. This edition is online on all Telecom Review websites globally and in hard copies to be distributed to the leaders of the Industry and upon request.
5G cybersecurity threats AND solutions 2019
ICT FEATURE
The era when security has become much more complicated Security has long been a priority, and with the world becoming even more connected, it has become clear to what extent security is important. However, only lately has it been making headlines, notably with the Huawei vs. US case, and with 5G closer than everyone expected.
4
5G cybersecurity threats AND solutions 2019
A
t the Mobile World Congress 2019, which was held this year under the theme “Intelligent Connectivity”, 5G announcements were made by major vendors and operators, and countless MoUs were signed to push 5G deployment forward. While industry experts forecasted that the technology will be a reality in 2020, vendors proved them wrong and started offering 5G solutions as of 2018. With 5G, security is tackled with a whole new approach because the architecture of the fifth generation technology presents new security challenges. “Operators are moving from a hardware system to a virtualized and fully automated one,” said Darren Anstee, technology director at Netscout, which provides software for networks. “Security is about visibility. When you can’t see everything on your network, this is when you have a problem”. 5G allows for the available bandwidth to be split up into channels, each of which is independent from others and can be separately secured, which some experts say can help boost security. “We can create a kind of micro-networks, with different levels of security. The idea is to compartmentalize the network according to different uses,” said Laurent Boutet, a systems engineer at US computer networking company F5Network. For Dexter Thillien, analyst at Fitch Solutions, the main challenge for security is this rise in the “number of entry points, considering the exponential number of objects which will be connected. From the point of view of security, the network itself is secondary.” “You have to keep in mind that nothing will ever be 100 percent secure. We still don’t have a precise idea of how billions or even trillions of connected objects could affect networks, it is still unknown at this point,” said Thillien.
ICT FEATURE
In the race to 5G deployment, vendors have put all their efforts to be the first to offer the technology to their clients and partners. Huawei has been leading the way with major technological breakthroughs that have most certainly given it the lead, despite the pressure it was put under by the US which expressed “security” concerns another new aspect of security in the era of 5G. With the case of Huawei and the United States, network security has drifted from its common meaning to a more political dimension given that it’s about the US claiming that Beijing could use the Shenzhen-based Huawei’s products to spy on Western governments. The famously secretive company launched a media offensive at the Mobile World Congress against US accusations that its cheap equipment used in telecommunications infrastructure across the globe are a Trojan horse for potential Chinese state spying and sabotage. The United States considers the matter urgent as countries around the world prepare to rollout fifth generation ( 5G) networks that will bring near-instantaneous connectivity that can enable futuristic technologies such as selfdriving cars. On the eve of the start of the Mobile World Congress, which companies usually reserve to unveil their new devices, top Huawei officials held several press conferences and meetings with reporters where they strenuously rejected Washington’s claims. “We need to be more transparent, and that means speaking out more often,” Huawei’s president for Western Europe, Vincent Ping, told the reporters. The highlight of the media offensive came when one of Huawei’s rotating chairmen, Guo Ping, delivered a keynote speech where he reiterated the company’s position that there are no “backdoors” in its 5G tech that could allow Beijing to spy on countries.
5
Huawei is the first company to deploy 5G networks at scale, Guo said. His MWC 2019 keynote address - “Bringing you 5G safer, faster, smarter” - outlined how Huawei has developed the most powerful, simple and intelligent 5G networks in the world, and argued that such innovation is nothing without security. He urged the industry and governments to work together and adopt unified cybersecurity standards. “The US security accusation against our 5G has no evidence. Nothing. The irony is that the US Cloud Act allow their entities to access data across borders,” he told a packed auditorium, speaking in English. This argument was echoed by several telecom operators and government delegations at the trade fair. The head of Vodafone, the world’s second largest mobile operator, said at MWC that the United States needed to share any evidence it has about Huawei with authorities so they can decide whether or not to use the Chinese firm’s technology in their 5G networks. “We need to have a fact-based riskassessed review,” Vodafone chief executive Nick Read told a panel discussion on the opening day of the Barcelona trade show. He said he had not seen what evidence the United States has to back its claims, “but they clearly need to present that evidence to the right bodies throughout Europe.” In the era of 5G, it is necessary to protect data security. Whether we are talking about autonomous cars, remote medicine or simply any online activity. However, cybersecurity should not become a political issue – an opinion echoed by Huawei Rotating Chairman Eric Xu. He said, “Cybersecurity, first and foremost, should be a technical issue; it should not become a political issue. The most effective way to address cybersecurity issues is to establish cybersecurity standards that are transparent, clear and fair to all participating companies.”
5G cybersecurity threats AND solutions 2019
INTERVIEW
Dr. Ibrahim Gedeon, CTO, TELUS
“Security is a journey and not a one-time event” – TELUS CTO
6
5G cybersecurity threats AND solutions 2019
INTERVIEW
7
With fifth-generation wireless networks starting to be deployed this year, the issue of 5G security was in focus at the Mobile World Congress in Barcelona. Unlike upgrades of wireless networks in the past, 5G will deliver not just faster speeds and low latency but also open up a new realm of possibilities such as connected cars and devices.
D
espite telcos’ enthusiasm to roll out the network, they are still trying to secure them as much as possible for a better experience. Dr. Ibrahim Gedeon, CTO of Canadian telecom provider, TELUS, spoke to Telecom Review about how TELUS is operating to secure its 5G networks and the cybersecurity challenges operators are facing in their journey to commercially roll out 5G.
need to be addressed before 5G networks are launched. As the CTO of a major operator, can you tell us what your views are on the security vulnerabilities and challenges of 5G? I would like to start by saying that 5G is inherently more secure than previous generations. At TELUS, we believe that security includes operational, design and cyber aspects. The fact that 5G disaggregates the various components and localizes the access and part of the traditional core provide operators with major resiliency.
What does ‘secure’ mean to you? Is your 5G network ‘secure’ when you get approval from your government, or perhaps a governing body like the GSMA? Our relationship with the federal government and agencies like the Canadian Communication Security Establishment (CSE) is very collaborative and based on sound
Dr. Gedeon stressed that security is not a one-time event but rather an ongoing journey where operators have to constantly invest in cybersecurity measures to keep their networks as secure as possible.
Operationally, TELUS adopts a “secure-by-design” framework, so our plan for 5G is to ensure the sensitive network areas are secured through dual vendors in basic areas and distribution of the control plane of the network. From a cyber point of view, we are actively working with the likes of NGMN and GSMA towards universal testing and threat modelling for continuous strengthening of 5G and our deployment of it.
5G is inherently more secure than previous generations
5G wireless technologies are promising faster speeds and greater reliability. However, there appears to be a growing consensus within the ICT ecosystem that there are a number of security concerns that
5G cybersecurity threats AND solutions 2019
technical analysis. TELUS operates a national infrastructure, and we have a self-imposed responsibility to ensure we operate secure networks. It’s critical that what we deploy is coordinated with CSE. A secure network for us is simply identifying the areas that carry sensitive control and data, and securing that. Bodies like the GSMA reinforce our plans and design, and acknowledge that creating a global approach will help to reduce the effort and cost for operators and vendors. We know that 5G is going to be a ‘key enabler’ for driverless vehicles and autonomous transportation. However, if those connections are not secure, then the risks will be immense. How do you determine your 5G network is verifiably secure? What tests and research will you conduct to ensure the network is bullet proof from potential threats? What’s the best way to achieve verifiability and transparency in this process? I believe that the wireless networks, starting with 3G, have become more important for critical traffic, and that has continued with 4G. It will officially “come home to roost” for 5G. As an operator that adopts “secure-by-design” networks and services, our work on security is now in its third generation.
INTERVIEW
8
We collaborate on a pan-Canadian level with all operators on the Canadian Security Telecommunications Advisory Committee (CSTAC), a body representing all domestic operators, CSE, and Innovation, Science and Economic Development (ISED) Canada. Also, we are active with NGMN and GSMA on global threat analysis and testing, and we conduct our own independent vendor testing and work with global research universities.
believe that if we want 5G networks to be secure for more than three years, then we need more research. Do you subscribe to this viewpoint? As I said earlier, 5G security is a continuous journey and not a onetime event. I subscribe to the view that like-minded operators need to invest in global threat modelling so we can ensure as many use cases as possible are captured and mitigated, and the appropriate standards are developed to address them in advance.
It is important to remember that security is a journey and not a one-time event. 5G introduces new challenges across a wide-range of areas that will require new security measures and continued diligence, whether it’s across authentication and onboarding of IoT and bringyour-own-device scenarios, eSIM and subscriber management, or a transformed RAN—especially given the potential to change radio access to something akin to a plug-andplay component through initiatives like Open RAN. Unfortunately, these scenarios get overlooked and pale in comparison to the 5G security hype that is currently more political than it is technical.
In your expert opinion, what is the most complex and acute cybersecurity challenge for operators seeking to commercially deploy 5G networks? I think it’s critical to have global alignment on what areas need to be secured, and these are in constant motion as the 5G ecosystem matures and more services are developed. I believe one of the biggest challenges is going to be the fragmented approach of vendors towards what they define as “secure”—that, in concert with the fact that operators globally have deployed in a unique-enough fashion to render reuse and threat modelling sharing not very effective. So, we are excited about what NGMN published six months ago and what the GSMA is doing to provide a global framework that the operator and vendor community can adopt to protect networks. In my humble opinion, these efforts make 5G by far more secure than its predecessors.
How long does the 5G network need to be secure for and what category of threats is it tailored towards combating? Some industry experts
5G cybersecurity threats AND solutions 2019
INTERVIEW
Andre Fuetsch, President and CTO, AT&T
AT&T capitalizes on SDN to counter 5G cyber threats 5G is today the buzzword in the telecom industry. With new technology comes the fear of the unknown. 5G will surely present many benefits to its users, but as with any new technology, cyber criminals will be ready to exploit its weaknesses and as such, experts must evaluate the risk of 5G connectivity and how it may directly or indirectly impact the user. It’s not only that 5G brings new threats, but existing ones might undergo considerable lateral expansion and amplification.
9
5G cybersecurity threats AND solutions 2019
I
n an exclusive interview with Telecom Review, Andre Fuetsch, President and CTO, AT&T Labs exposes insights regarding this matter.
5G wireless technologies are promising faster speeds and greater reliability. However, there appears to be a growing consensus within the ICT ecosystem that there are a number of security concerns that need to be addressed before 5G networks are launched. As the VP of Security Architecture of a major operator, can you tell us what your views are on the security vulnerabilities and challenges of 5G? 5G networks will enable revolutionary advancements in connectivity and AI. These advancements will enable us to more quickly and effectively identify and address cyber threats, but we expect they will also create opportunity for bad actors as the cybersecurity arms race continues to evolve. We expect the volume of data traversing an operator’s network to be 10x the amount traversing the 4G network today. This would likely translate to a wider attack surface and cybersecurity vulnerabilities. When it comes to preventing and addressing cyber threats, our migration to SDN actually enhances our security posture in terms of prevention, detection and mitigation of threats to data at rest, in transit and in storage as well as to devices. Additionally, enhancements in 5G standards will provide additional security and privacy counter measures. One example is the Subscription Concealer Identifier feature which will preserve the device identify and help to mitigate many of the currently known risks. We continue to implement security controls at the edge of the network to protect against vulnerabilities from the devices such as certifying devices for use on the network and implementing DDoS protection at the edge of the network. That being said, when 5G reaches full deployment, device manufacturers will play a critical role in securing
INTERVIEW
the billions of connected devices anticipated. Collaboration between the network operators and device manufactures will continue to drive a holistic approach to security. What does ‘secure’ mean to you? Is your 5G network ‘secure’ when you get approval from your government, or perhaps a governing body like the GSMA? For us, a “secure” 5G network is one that adheres to established, industry-wide security specifications and standards as well as having the people, processes and tools in place to effectively detect and respond to known and unknown cyber threats. We’re embedding security directly into the design, architecture and functionality of our software-defined (SDN) network on day one of full 5G deployment, which enables us to be more agile as new attack vectors are identified. We can more quickly detect threats, patch vulnerabilities, and ultimately prevent attacks from being successful. Our new SDN, powered by the Open Network Automation Platform (ONAP), puts us in a unique position to address cyber threats at the 5G Radio Access Network (RAN), core, and edge of the network. Here are some examples of the emerging security capabilities powered by our SDN and ONAP technology: • Virtualize our security controls which enable us to dynamically orchestrate security across the network at a global scale. • Automate security policy throughout the network utilizing machine learning technology which is an integral part of our best in class threat analytics platform. • Improve agility by creating technology that automates the process of instituting firewalls and micro-perimeters to protect applications, and deploying technologies that help to prevent lateral movement from attackers.
10
• With security embedded in the network and utilizing our SDN network, we are able to dynamically detect and mitigate threats within the mobile RAN, core, and edge networks. • Our DDoS mitigation capabilities allow filtering and scrubbing of attack traffic within the network in a highly-automated fashion - without customers having to deploy or manage any infrastructure. We know that 5G is going to be a ‘key enabler’ for driverless vehicles and autonomous transportation. However, if those connections are not secure, then the risks will be immense. How do you determine your 5G network is verifiably secure? What tests and research will you conduct to ensure the network is bullet proof from potential threats? What’s the best way to achieve verifiability and transparency in this process? There is no bullet proof combination of processes, tools and technology, no “silver bullet” when it comes to cybersecurity. We are applying more resources and technologies than ever before to protect our network and its users from both known and unknown cyber threats, including use of machine learning-based automation to detect and respond to threats. In fact, with more than 242 petabytes of data crossing our network every day, we analyze approximately 670 billion flows of network data, identifying roughly 110 billion potential probes for vulnerabilities across our global IP network every day.
Our new SDN puts us in a unique position to address cyber threats
5G cybersecurity threats AND solutions 2019
INTERVIEW
How long does the 5G network need to be secure for and what category of threats is it tailored towards combating? Some industry experts believe that if we want 5G networks to be secure for more than three years, then we need more research. Do you subscribe to this viewpoint? Our approach to security, including 5G security, is evolving to respond to new attack vectors. Security will be embedded from day-one, based on standards-based security features and our unique combination of security platforms and capabilities. We are committed to securing 5G, and since 5G is an evolving technology, additional security vulnerabilities and risks may be discovered as the design evolves. We will continue to proactively research and assess potential 5G security threats and develop corresponding security controls to mitigate emerging risks
This feature mitigates the risk of IMSI catchers currently present in previous generation wireless technology.
As any technology ages, moving from new to legacy, we see an increase in the number of security vulnerabilities discovered, and the same can be said about wireless network technologies. The 5G standards communities have introduced the Subscription Concealed Identifier (SUCI) to conceal/encrypt and protect the 5G Subscription Permanent Identifier (SUPI) also known as the IMSI.
Similarly, we’re evolving our awardwinning, proprietary security platforms to enable the distributed security needed to help mitigate the risk of Distributed Denial of Service (DDoS) attacks at the edge of our network from the anticipated billions of devices that will connect to our 5G network. Our DDoS detection and mitigation platform will evolve to help protect against vulnerabilities in massive IoT devices connected to the edge of the network. This feature will effectively help block malicious traffic at the edge of the network. In your expert opinion, what is the most complex and acute cybersecurity challenge for operators seeking to commercially deploy 5G networks? Over the past 143 years, we have become a technology leader across telecom, advertising and entertainment sectors, with a huge subscriber base that includes consumers, businesses, first responders and government entities. As a result, billions of devices will be connected to our network in the next few years. We therefore uniquely face a sincerely complex cybersecurity challenge:
11
helping to protect not only our 5G network backbone, but also our subscribers and customers from various cyber crimes and denial of service attacks. To address this cybersecurity challenge, we are taking a “defense-in-depth� approach. This approach includes embedding various controls within the network such as compliance auditing, micro-perimeter, and automated security policies. We are coupling these embedded policies with security platform innovation and enhancements to do truly real-time monitoring, alerts and response activities when anomalies are detected.
Security will be embedded from day-one
5G cybersecurity threats AND solutions 2019
INTERVIEW
12
5G challenges should be overcome with a ‘security by design’ approach, says Orange CTO
Emmanuel Lugagne Delpon, Group CTO and Senior Vice President, Orange
Maintaining a high level of security for all 5G use-cases will be a huge challenge whereas the attack surface will deeply increase. Those were the insights shared by Emmanuel Lugagne Delpon, Group CTO and Senior Vice President, Orange, in an exclusive interview with Telecom Review.
5G cybersecurity threats AND solutions 2019
O
range CTO highlighted the difference between 4G networks and 5G networks and how the 5G standard provides security improvements compared to the previous generation. When asked about what “secure” means to him, he said that it means having taken a full set of actions to maximize the confidentiality, integrity and availability of networks. 5G wireless technologies are promising faster speeds and greater reliability. However, there appears to be a growing consensus within the ICT ecosystem that there are a number of security concerns that need to be addressed before 5G networks are launched. As the CTO of a major operator, can you tell us what your views are on the security vulnerabilities and challenges of 5G? Indeed there are several concerns raised about security and 5G, and they reflect the expectations and the hope that we have in 5G. As 5G will be vital for the entire society, the security aspects of 5G are of upmost importance. First on the 5G standard itself, the 3GPP Phase 1 specification provides significant improvement from security perspective compared to 4G standard. The potential risks that have been identified in 2G,3G and 4G, that were highlighted in many security conferences, are now well-covered by the standard and the standard is flexible enough to introduce in the future new security features if needed. There is a 3GPP working group for that purpose. Therefore, I feel that we did the necessary improvements of the 5G standard for the initial launches but also prepared a solid basis for further improvement. For example, during the last months, several articles have been published related to security issues, mainly focused on AKA (Authentication and Key Agreement) protocol and paging messages. These attacks are difficult to implement on 4G networks and not directly applicable to 5G.
INTERVIEW
Moreover, many security issues related to IMSI-Catcher are based on the fact that IMSI (International Mobile Subscriber Identity) passes in clear format in certain radio messages. In 5G, the identity is encrypted so this type of attack is not possible anymore. A second topic is the security of services using 5G, and the security of virtualized networks. 5G network will be a critical asset for many usages: automotive, more generally transport but also healthcare, energy, industry and so on. Many of these services will make use of network slicing and virtualization. So to maintain a high level of security for all these use-cases or usages will be a huge challenge whereas the attack surface will deeply increase. I believe the answers to these challenges come from 2 different approaches. One is security by design. We all know within the industry that security has to be addressed from the very early phase of the design of the system for 5G security mechanisms have indeed been natively embedded within the 5G architecture and will continue to be developed (identity and access management, interface and storage encryption, integrity controls, security orchestration…). Another answer to the security concerns of the virtualized networks resides in the test and learn approach. Virtualized
13
networks are already deployed, not as largely as they will be with 5G, but this allows to master it before it is widely used, before complexity increases. What does ‘secure’ mean to you? Is your 5G network ‘secure’ when you get approval from your government, or perhaps a governing body like the GSMA? There is no single answer to this question, because there are different expectations from different stakeholders, and because security encompasses different aspects mainly confidentiality, integrity and availability. Being compliant with regulation is a no brainer. We are fully compliant with the local rules in each and every country where we operate. Another step is adopting recommendations from various bodies, and the GSMA falls into that category. It is a good complement to the governmental regulation. Finally being secure means having taken a full set of actions to maximize the confidentiality, integrity and availability of our networks. We do our part - through audits for example - but that cannot be achieved by a single company; it is a shared responsibility between 3rd party service provider, telco, and vendors. Orange works with all actors for improving the security of the mobile network.
Security encompasses different aspects - mainly confidentiality, integrity and availability
5G cybersecurity threats AND solutions 2019
We know that 5G is going to be a ‘key enabler’ for driverless vehicles and autonomous transportation. However, if those connections are not secure, then the risks will be immense. How do you determine your 5G network is verifiably secure? What tests and research will you conduct to ensure the network is bullet proof from potential threats? What’s the best way to achieve verifiability and transparency in this process? First I would like to remind our track record. Our networks, 2G, 3G and 4G have been until now very safe. 5G will build on this and benefit from the experience gained. Our SoC (security operation centers), responsible of global monitoring (security and functional) are currently assessing relevant tools and processes to complement the current monitoring, e.g. for low latency services. As for other topics, one way to improve security and verifiability is to study and test security with various partners. On connected cars, we are involved in a European collaborative project that will trial connected motorways, in a multi-country configuration. That trial is not dedicated to security topics, but will globally help the European industry to progress on the requirements of connected vehicles, and how to answer them. We also work with the vertical industries to help them develop their
INTERVIEW
own security mechanisms embedded in their applications. For instance, to react properly when there is a loss of mobile service, whether this is due to malicious action, network outage or just being out of coverage. For how long does the 5G network need to be secure and what category of threats is it tailored towards combating? Some industry experts believe that if we want 5G networks to be secure for more than three years, then we need more research. Do you subscribe to this viewpoint? Security has been improving on each generation of mobile network but also within the lifetime of each generation. It will be the same for 5G and security will evolve over time as the threats evolve. In 5G, the “security by design” principle is a key element and standardization prepares a basis for a couple of years. The 5G standard plans different steps and each of them brings a new set of security features. In your expert opinion, what is the most complex and acute cybersecurity challenge for operators seeking to commercially deploy 5G networks? Among the various challenges, there is one that I would like to remind that is not the most sophisticated, not the newest, but will be emphasized with 5G. It is managing the very huge numbers of devices, the huge volumes of traffic. We expect a lot of traffic, from a large variety of devices, and
14
potentially DDoS traffic generated by a lot of compromised devices. In parallel, infrastructure becomes more and more complex and generates a lot of log/information. Finding relevant information (Indication of Compromise) in such a flow will be a real challenge. Artificial Intelligence will be useful, but also a part of that challenge.
One way to improve security is to study it with various partners
5G cybersecurity threats AND solutions 2019
INTERVIEW
KT embraces 5G with high level security technologies
Hongbeom Jeon, CTO and SEVP, KT
In an effort to highlight how 5G will affect cybersecurity and the solutions undertaken to face cyber threats, Telecom Review spoke to Hongbeom Jeon, CTO and SEVP, KT who confirmed the need for higher levels of security with the advent of 5G.
15
5G cybersecurity threats AND solutions 2019
INTERVIEW
16
5
G is linked with security concerns expressed by all the components of the ICT ecosystem given the advancements this technology brings to the industry and how it will impact the lives of people. According to the CTO of Korea Telecom, security can be insured through the protection of the operator’s network as well as customers’ data. In the interview, Hongbeom Jeon explained how the operator is developing technologies to protect its customers against any potential attack that can be significantly dangerous, and highlighted the need to focus on both the B2B and the B2C areas to ensure complete end-to-end protection. 5G wireless technologies are promising faster speeds and greater reliability. However, there appears to be a growing consensus within the ICT ecosystem that there are a number of security concerns that need to be addressed before 5G networks are launched. As the CTO of a major operator, can you tell us what your views are on the security vulnerabilities and challenges of 5G? In 5G, we are placing top priority on B2B business whereas B2C remained the focal point in the previous generation. The B2B business requires a higher level of security for use cases like smart factories, smart cities, smart hospitals that are not just limited to smartphones as in the B2C cases but with extra emphasis on mission critical 5G services. Therefore, we plan to protect information and the service by using our advanced technologies. We are working closely with governments and standards bodies to elaborate the robust security specifications that will be adapted to our 5G infrastructure. What does ‘secure’ mean to you? Is your 5G network ‘secure’ when you get approval from your government, or perhaps a governing body like the GSMA? We have devised two strategic key directions for 5G security. The first is to
protect our network infrastructure and the second is to keep our customers’ information safe. The standards bodies used to mainly focus on the protection of the operators’ network so it is efficient to protect our own network from security attacks. However, there is no perfect recommendation to protect our customer services, yet. We are now pulling immense resources in order to keep our customers’ information safer. The security level for our customer service should be fortified threefold: guaranteeing of service sustainability, keeping the customers’ information safe from hackers and protecting against hostile takeover of service control. To attain such level of security, it is important to have governments and trusted organization like GSMA be engaged in establishing accreditation process for all to comply with. We know that 5G is going to be a ‘key enabler’ for driverless vehicles and autonomous transportation. However, if those connections are not secure, then the risks will be immense. How do you determine your 5G network is verifiably secure? What tests and research will you conduct to ensure the network is bullet proof from potential threats? What’s the best way to achieve verifiability and transparency in this process?
One important use case of 5G is autonomous driving and its security plays a critical role in its success. If autonomous cars were hacked, catastrophic consequences could ensue because hackers can control the cars and wreak havoc. That is why, with 5G, we endeavor to find ways to protect our IoT devices to reinforce the safety of people using the services.
We are now pulling immense resources in order to keep our customers’ information safer
5G cybersecurity threats AND solutions 2019
In fact, we are adopting networking slicing technology which enables us to provide a virtual independent private network to our customers. With the technology, they can separate their network from the public network and thus ward off potential cyberattacks. In addition, we have created our own internal technology called GiGA Stealth to make our customers’ devices virtually invisible to hackers by masking the devices’ addressing. Furthermore, we have resorted to quantum distribution technology which provides higher level of security than Quantum Random Number Generation for data protection and virtually all authentication. It is still at its early commercialization stage and we are developing the technology to insure our 5G security. We are also looking into incorporation of latest AI technology into security solutions to successfully predict complex patterns of potential errors and take timely and proactive measure against future failures. How long does the 5G network need to be secure for - and what category of threats is it tailored towards combating? Some industry experts believe that if we want 5G networks to be secure for more than three years, then we need more research. Do you subscribe to this viewpoint?
INTERVIEW
Ensuring complete protection from all kinds of attacks is a very daunting and challenging task. Hackers are constantly developing new technics and technologies to keep pace with the developments of networks and devices, that is why we have to match their intensity to gain any competitive edge in implementing more competent protection technologies. It is an ever-evolving battle between spears and shields. I have mentioned the three technologies we have developed to upgrade security level of our customers. Until now, we have been able to effectively ensure protection and we are working on the quantum technology that will be commercialized in three years. To speed up the efforts, we need all-around collaboration from device, service platform, application layer to provide complete E2E security package for 5G services. In your expert opinion, what is the most complex and acute cybersecurity challenge for operators seeking to commercially deploy 5G networks? I elaborated a lot on the B2B protection but B2C protection is equally important because the mobile handsets include too many personal information that demands strong protection and if hacked, our customers’ information will be compromised.
17
As an operator, KT is geared up in good time for zooming in on high level security solution against various cyberattacks in 5G era to safeguard its customers’ devices in addition to its B2B customers.
We are working on the quantum technology that will be commercialized in three years
5G cybersecurity threats AND solutions 2019
OPINIONS
5G Security Assessment and Verification The 5th Generation (5G) of mobile networks is just around the corner. The first set of standards were frozen in 2018 and the final set is due in a few years, with vendors and operators working with these to deliver incrementally better networks until a complete system is available.
18
5G cybersecurity threats AND solutions 2019
L
earning from the lessons of the past, 5G is, by design, more secure than its previous versions. Among other things, it includes increased privacy protections, stronger signalling and control-plane protocols, and design options delivered via network slicing that would allow for the secure delivery of different types of network traffic. 5G also is the most complex system built so far and depends on some fundamental underlying platforms. 5G is intended to be built as a more virtualized system, leveraging the Network Function Virtualization (NFV) platforms, SoftwareDefined Networking (SDN), as well as taking advantage of modern web architecture such as RESTful APIs. In contrast, the security assessment and testing schemes have not evolved to the same degree. 5G is only just waking up to issues of security in a fully globalized environment and the discussion is growing around the integrity of a product supply chain and a need for having an international standard for evaluating the security of 5G technologies. Outside of programs run in the national security interest by some countries, there is no industry-wide security framework to tackle this issue. Additionally, the current schemes focus on a per-component approach and do not assess the system in a full build, end-to-end environment, including the underlying platforms. This approach was valid when the components were delivered to the operator as a single unit. Now, however, the operator is expected to build these platforms separately and then overlay the 5G system, while managing resource sharing and overall orchestration via separate processes. It is important to understand the implications to security of this complex interaction. Finally, 5G is not a net new technology. It is built on top of 4G and there will be an evolution in an operator’s network as the 5G systems are integrated. 5G networks will therefore rely on the baseline security for 4G highlighting
OPINIONS the requirement to assess the systems end to end. Other components in our networks Include fixed access and transmission which are equally Important. 5G can be the trigger to enable a more holistic and effective modicum of assurance across the board. In general, the mobile industry operates on a high-level of trust, as exemplified by the global standards initiatives that are all-inclusive that results In us having to have verification that can provide industry-wide security schemes whichh will survive the scrutiny of operators, their customers, and the national interests within which they operate. Trust but verify! • What is being done today • Generally Security assessment and certification is broadly tackled by the Common Criteria program which focuses on assessing security capabilities within general IT products. This program is based on an alliance of co-operating governments that certify the labs and govern the requirements for the program. Security requirements are drawn up for a class of products to allow crosscomparison (are all firewalls created equal?). Vendors can also create targets which describe security capabilities of their products and have the labs perform tests to validate that these targets have been achieved. Organizations such as ETSI and the ITU create standard for good security practice and these are generally held independently of the 5G design process as they are broadly applicable to many different types of devices. • Within Mobility 5G is built of a number of different functions, each contained within their own standard and design guideline. These are maintained by the 3GPP technical committees and form the basis for product development. 4G provides several 3GPP standardised security features to protect the confidentiality, integrity and availability of services and customer data. 5G builds on the 4G security architecture by providing standardised security
19
features that are similar or better than the equivalent 4G security features. For each of these the 3GPP has started creating SCAS documents which represent the security requirements for the component. These requirements included the intended security functionality of the component (e.g. it must be able to filter certain types of network packets) as well as good security practice (e.g. mandatory encryption for certain types of information). There are also a few references to product integrity and build requirements, such as the resistance to buffer overflow attacks on data input to the system. However, this does not allow for evaluation of the end to end solution. • Nationally To address specific national security requirements in 4G equipment, a few customized programs have been created to address security concerns for both the UK and Canada. Whilst limited details are known about these programs, they are believed to focus on supply-chain integrity, engineering quality and the risk of malicious components or those of unknown provenance being included in equipment supplied from non-national sources. Judging from what has been revealed publicly, these programs focus on software development as well as architectural controls which are applied against a holistic 5G system. Areas within the 4G system have been assigned different sensitivity levels and are treated to higher or lower security requirements as a result. • Overall Table 1 shows a comparison of the programs across a number of different areas, highlighting the differences in approach, both technically and programmatically. Some areas to take note of are: • The level of vendor independence • Functional vs. adversarial security assessment • The scope of the testing and
5G cybersecurity threats AND solutions 2019
OPINIONS
20
recognition of results outside of the program • Suitability for state-level security requirements, coupled with an adversarial perspective Descriptions are important Descriptions of what activity is being undertaken can be easily confused (and sometimes are). It is important that the true objective is achieved. Characteristics can be described as below:
Activity
Description
Efficacy
Transparency
• Often a “Citrix window” to the vendors lab. • Cannot be sure that you are seeing the true codebase/toolset. • Cannot build the software from source or run tools against it.
Virtually ineffective in terms of enabling a truly risk managed approach to security.
Verification
Evaluation
• Little access to source code • Only verifies what is claimed. Target of evaluation can be made to pass any test.
• Access to code onsite. • Can build new versions independently. • Can run tools against codebase and verify binary equivalence – a key indicator of a proper build environment and development process.
Limited assurance.
Provides a high level of assurance but has to be enabled to keep pace with product releases.
5G cybersecurity threats AND solutions 2019
OPINIONS
Table 1. Comparison of Current Security Assessment Programs
21
5G cybersecurity threats AND solutions 2019
Current technical challenges To tackle the problem statement laid out in our opening statement, the technical aspects of the programs reviewed to date are insufficient. While each program has merits and can be used for security assessment in many scenarios, neither of them fundamentally address adversarial scenarios (intentional corruption), supply-chain integrity outcomes, nor do they address the complex deployment environment that will result from integration with the underlying platforms. As a result, we believe that we need general enhancements in the following areas: End-to-end assessment Component analysis allows for a focused review of security but what operators ultimately need is a measure of positive security outcomes which speak to the security resiliency of the system as a whole. This is the main measure that stakeholders will use, and it implicitly assumes the security of the entire system: “Am I secure when using 5G?” It is insufficient to be able to attest to the security of individual, discrete components. Adversarial threat modeling In general, security is a practice that must assume an adversary at all times. In this context, it is not sufficient to assess security controls in a vacuum and without a defined threat model. Specific threat models need to be created which are documented and outline, as exhaustively as possible, the security threats to a system and guide the development of better technology and new controls. This threat modelling must take into account the full range of attackers as we see them today. From petty criminals, to hacktivists, international organized crime and state entities engaging in espionage. All of these can target the industry supply-chain and undermine secure engineering standards and practices.
OPINIONS
As documented here, there are specific national programs that target these types of threats, but they are not applicable outside of their jurisdiction and hence cannot benefit the entire industry. While there will always be specific security concerns for a nation, the overall cybersecurity of the supply chain is one that the entire industry will benefit from and which must be included in current testing schemes to stabilize the 5G supply chain. Dynamic and evolving requirements As we’ve seen with recent academic analyses on 4G (for example, the aLTEr attack), new vulnerabilities will be found after the standards have been set. In the current environment, the industry builds the best possible network based on existing standards, but then leaves the ongoing assessment and discovery of new vulnerabilities to the general public. As we move from hardware to software, the pace of change within mobility will rapidly increase. We will see software upgrades on the order of weeks and not years and security assessment methods, threat models, and even attacker tactics and goals will evolve.
22
A program for verifiable 5G security This certified evaluation program intends to provide a harmonised assessment of the quality and security assurance of a product AND deployment model thus enabling the operator take a risk based decision on the vendors use. It can also be used to baseline further national security evaluations. It is not intended to be vendor specific and whilst we discuss 5G throughout this paper, we believe the concept can be applied generically to any telecoms network technology. The proposal has the following characteristics: Centralised as much as possible in terms of operations and competence i.e. a limited number of regional instances ensuring corporate memory, access to competence and continuity. It can efficiently deal with national bodies as appropriate and the certification has to be trusted by those wishing to consume the output. It will require an element of oversight from national governments. A supranational body may be able to enable this with member states providing competence and oversight.
The 5G security program must be as dynamic. We believe that this necessitates a partnership with the academic community in a number of areas, including tactical (development of new tools and methods), defensive (updated standards and new techniques for safeguarding systems), and offensive (real analysis of built systems and standards).
Access to source code. Such a system must enable access to source code with the ability to rebuild the software components in the same manner the vendor does ensures the centre can validate best practice and performance metrics. Binary equivalence must be tested i.e. is the software running in the network the same as that delivered or built within the evaluation centre.
A program for verifiable 5G security While we have assessment schemes at the lower end, for component security functionality, and at the higher end, for highly nationalized security concerns, we don’t have a scheme that links these and introduces a higher security standard globally while also addressing as many of the common national security concerns. What is required is an overarching security program, built on existing activity, which fills the continuum between both ends of the spectrum, and introduces the most rigorous, but globally acceptable, program possible.
It needs to keep pace with the product releases. This is a scalability issue. A core network element has upwards of 250M lines of code. This is a significant effort to evaluate – which MUST be done in good time before the next release of code. A competent labs take 2-3 months to evaluate smaller products employing 70+ people (with competence, access to source code and 8+ years corporate memory). The use of external input Is Important In terms of providing the latest thinking and techniques for example - university research.
5G cybersecurity threats AND solutions 2019
It must be independent from the vendors. Vendors must not be able to affect the operations or results unless it is by way of corrections/fixes or via a dispute resolution process. The vendors must provide the information required in the evaluation process which could include build environments, source code and related documentation. There Is no Intention to run a “transparency centre” In this proposal. The programme must be secure. Vendors will not allow their source code be made available to a lab that cannot protect it effectively. This will drive a protection model to, it is expected, an assurance level that is internationally recognised e.g. to a level commensurate with national SECRET. This aspect will likely drive a security clearance requirement. The aggregation of sensitive information will, in itself, make the assurance lab a target. This is because the evaluation centre will discover new vulnerabilities and have to deal with them appropriately. All parties have an equivalent interest in protecting IPR, downstream compromise of products (by virtue of inside knowledge) and the resulting vulnerability or defensive posture being managed appropriately. The ability to protect multiple vendors IPR in the same location will have to be managed. It must be universal. Security issues arise in all areas of modern communications networks and are not limited to only specific technologies, professional fields, or countries of origin. The application of a robust security program to all vendors would set the correct expectation for the industry. • Vendor Benefit A properly run program provides maximal security benefit to both operators and vendors. For the vendor, the goal is to be able to showcase their product security as widely as possible and reduce the amount of custom verification that is done in each jurisdiction. The scheme proposed here would do just that. By adding an increased level of assessment rigour, the vendor’s
OPINIONS product would meet more security criteria globally. At the same time, by incorporating concerns and assessment techniques from the most advanced national security programs today, the additional custom testing to satisfy regional concerns is reduced. • Program Evolution It is important to acknowledge that assessment methods can also be improved and should evolve in lockstep with product sophistication. To achieve this requires from integration with a research team. The benefit of the centralization proposed in the program here is that it introduces the idea of a standing test-bed for fully Integrated 5G systems. With the appropriate safeguards, opening this up to researchers affiliated with the scheme would then allow for more research to be focused not only on 5G security, but on the fundamental evaluation methods such as source-code review, blackbox analysis, formal protocol and architecture modelling, etc. This would increase the pace of developments in the security field and would also allow for the development of better teaching and students in each affiliated organization. • Who Needs This? Globalization, political and trade alliances are bringing cyber security issues to the fore and, while they may be seen first in some regions, they are (by definition) global. This has been most pronounced recently in the 5G arena but we can easily imagine the issues being raised in other technologies. Ultimately, we believe that any operator involved in a significant portion of a nation’s Critical Infrastructure (CI) will benefit from the program and is likely to be required to adhere to at least some of the security requirements that have been raised here. This proposed program is an opportunity to take the shared experience of multiple security evaluation schemes and allow the mobile industry to leapfrog this initial development period and into a mature program. The establishment of a security program of this sort is not easy and each nation, if they had to do this
23
individually, would produce variable results over a prolonged period of time. • You Need This Now is the time to actively support the development of the right security scheme with 5G as the focal technology. However, this can’t be limited to 5G - we have other technologies in the fixed world to manage equally well and the same process will enable this. While encouraging the existing programs to continue their good work, supporting operators, vendors and nations, need to come together to form the next security testing alliance.
By Marc Kneppers (TELUS) and Gerald McQuaid (Vodafone)
Vendors will not allow their source code be made available to a lab that cannot protect it effectively
5G cybersecurity threats AND solutions 2019
OPINIONS
24
5G Cyber Security Living Lab Cyber security is a global concern that is getting amplified with the scale of the incoming era of 5G. Wireless connectivity has long become an essential service, akin to basic utilities. The current fragmented and loose global standards on security and security testing for wireless networks are not reassuring for the 5G ecosystem. Although 5G by nature is more secure than 4G, the plethora of vendors, technology combinations and open source dependencies, along with varying operator deployment scenarios, motivate the creation of a global alliance supporting a distributed 5G Cyber Security Living Lab.
T
he 5G Cyber Security Living Lab, a virtual organization with members consisting of operators and security researchers spanning multiple countries, would enable the continuous testing of 5G features, vendor implementations and operator deployment scenarios and share
the findings globally. The goal of this lab would be to create a secure and verifiable 5G network with transparency for global operators and security agencies. Such an advanced assessment is needed to ensure endto-end security. However, this requires a setup as close as possible to a global operational production deployment, which is not within the means of a single organization or nation.
An end-to-end, operational focus, is an essential component of the Living Lab. Though there are various resources for component-level security, there are fewer for architecture-wide security analysis. The 3GPP has created an overall security reference in the form of TS 33.510 which summarizes the security model for a mobile network. This needs to be augmented by best practice implementation details that
5G cybersecurity threats AND solutions 2019
OPINIONS
25
log to a central source, must provide a central server to which all elements can log, and establish a shared data bucket that will be used, as much as possible, for the data acquisition that supports the orchestration of the network. It is worth considering if such a lab with its rich data lake should be connected to a cloud instance to leverage the computing power available there as well as enabling access to the data by researchers globally. This feature would better support cloud-based logging and big-data techniques such as mapreduce and elastic search. Enabled research Countless areas of research in cyber security can be empowered with such a lab. These include traditional security assessment and evaluation at all layers and would facilitate independent benchmarking. Examples of research areas include:
are typically developed in isolation in an operator’s network. Through the creation of a Living Lab, these architectures can be developed and published along-side the 3GPP specifications to provide better implementation security. While there exist other 5G Living Lab initiatives, none currently address security, despite the global concerns in this area. By creating a new lab with a security focus we can maintain the focus of each of the existing centers of excellence and, through the use of common deployment templates and architectures, ultimately tie them together to achieve larger 5G impacts. Lab characteristics Live The key to the success of such a lab is that it must be living—where living means that it presents a network that is “real”. Living implies several invaluable features: scale, end-to-end, and traffic—all of which are features currently lacking in almost all security research and assessment. Having a full-scale network of networks, which is open for experimentation, monitoring, and testing across physical and virtual
entities would be unprecedented. The scale has to be in both network size and geographical scope. The end-to-end capabilities must be from radio, to core, to radio allowing for a global view of security. Traffic is a key element for the success of the live network, since this is one of the areas where simulations and virtualized environments fail at when it comes to next generation networks. Data rich While it is difficult to say what logging capabilities we can expect from vendors at this point, it seems clear that orchestration of the overall environment (including resource management within NFV) will require extensive data from the RAN that will be mined by both the Orchestrator(s) and Application Functions that might seek to optimize the mobile experience. Data acquisition must be a fundamental building block of the lab. To support multiple vendors, it is important that the data acquisition structure be independent from what is currently offered by vendors so that proprietary tools and formats are discouraged. For example, the lab must have permanent packet taps which
1. IoT testing: Currently this is an area of exponential growth which will introduce a plethora of vulnerabilities into the market. The behavior of such devices is like nothing we have dealt with before (types of traffic, types of signaling, QoS requirements, etc…)
Data acquisition must be a fundamental building block of the lab
5G cybersecurity threats AND solutions 2019
1. Signaling assessment: This has proven to be an area of real concern in previous generations of wireless communication but was challenging to address due to the complexity of setups needed to assess and experiment. 2. Traffic characterization and classification: With new types of traffic being introduced at an unprecedented rate, how to make sense of traffic for QoS and security applications? 3. Protocol fuzzing: How to assess protocol security in complex environments with multiple entities both physical and virtual? 4. Security across domains: How do the different entities within a network (radio, mobile device, controller, etc‌) influence the security end-to-end? What new threat models will emerge?
OPINIONS
5. Verification: How to develop verifiable security for 5G? Outcomes Outcomes of the 5G Cyber Security Living Lab that are invaluable for research in the area of cyber security would include: Reference datasets The existence of large, comprehensive and realistic datasets has always been a prime catalyst for scientific advances. One of the best-known examples is the Human Genome Project and associated Genomic datasets, which have enabled new forms of cancer treatment and better understanding of drug effectiveness. Closer to the field of computer science, the availability of standardized datasets such as MNIST and CIFAR have vastly impacted the field of image recognition, while text
26
datasets such as the Enron dataset and those contributed by IMDB, Amazon and Reuters have greatly improved natural language processing by machines. It goes without saying that the value of data
Data acquisition must be a fundamental building block of the lab
5G cybersecurity threats AND solutions 2019
is similarly paramount for research in cyber security. Datasets have proven to be very valuable in enabling analytics, mining and AI research on networking and cyber security. This need for data will become more important in 5G context particularly that very few entities in the world can generate or capture “realâ€? 5G traffic. The Living Lab could possibly allow for the capture of controlled data generated from staged entities (physical and virtual) in order to benchmark and assess full-scale effects on a live network, while still preserving the security requirements of the infrastructure and not endangering privacy of real users. This is something that currently very few privileged researchers worldwide have access to and is not replaceable by virtualized and simulated environments due to the complexity and scale involved. It is envisioned that such data sets can provide views of traffic from different perspectives within a global network. In addition, the datasets can include modern traffic types (ex: IoT, vehicles, etc‌) and broad malicious traffic (ex: DDoS, 5G specific attacks). Testing environment As with datasets, there is a research barrier related to test environments. One of the limitations of conducting research in cyber security is the availability of realistic test
OPINIONS
environments. Current physical and virtual alternatives lack the scale and realism needed to validate and benchmark some of the solutions. This need is amplified in 5G context due to the cost associated with the software and equipment. A Living Lab model could be a highly valuable resource for researchers to test their techniques and methods within a very realistic environment at scale. The challenge will be to establish a mechanism by which this can be accomplished while preserving the network integrity. However, such setups are possible with network slicing and other traffic segregation mechanisms. Software analysis tools and binary datasets Because of the complexity of 5G components, a large number of vulnerabilities will arise from software defects in 5G components. Even if architecturally secure, such defects will weaken or negate security guarantees. As a result, another key outcome would be tools and techniques for analyzing 5G software for vulnerabilities. A key challenge is that much of 5G component software will exist as embedded binary images. Thus, a standardized set of tools and sample binaries would enable greater experimentation and innovation. Parallels can be drawn to the DARPA Cyber Grand Challenge and Lava-M datasets that have spurred advances
27
in software analysis and vulnerability detection and mitigation tools for standard software. Knowledge dissemination 5G Security is a rapidly moving and changing field. It is critical that all participants in the lab remain informed about developments so that the research produced continues to be relevant to all stakeholders. At the same time, dissemination of the latest
A standardized set of tools and sample binaries would enable greater experimentation and innovation
5G cybersecurity threats AND solutions 2019
OPINIONS
28
operators, researchers, governments and standardization bodies to closely work on tackling the tough questions. Such a lab will be unique in its scope, scale, and impact. The time to act is now! Moving forward there is a need to develop a governance structure for such an entity and for a core group of organizations to step up and champion this initiative. This is an open call; contact 5gcc@telus.com to get involved.
By Imad H. Elhajj (AUB), Marc Kneppers (TELUS) and David Lie (University of Toronto)
The goal of this lab is to create a secure and verifiable 5G network with transparency for global operators and security agencies research results to stakeholders is critical for maximizing the value of the lab. Thus, another outcome would be an annual meeting of researchers and stakeholders with the goal of exchanging information and setting goals and direction for the following year and a report compiling the major results and conclusions of each meeting, to be widely disseminated.
Moving forward In conclusion, we believe strongly in the value of a 5G Cyber Security Living Lab. Such a multi-stakeholder approach will be key to allowing 5G to live up to the promise of taking us to the next generation of communication, securely. This will only be possible through a collaborative transparent and inclusive process which brings together vendors,
5G cybersecurity threats AND solutions 2019
ICT FEATURE
30
Europe set to be left lagging behind in race for 5G There are growing concerns in Europe that if the regulatory environment doesn’t change, the continent will be left behind in relation to the commercialization and subsequent deployment of 5G networks. That was the general consensus which was shared amongst a number of high-profile and prominent figures from the ICT industry during Mobile World Congress in Barcelona.
5G cybersecurity threats AND solutions 2019
T
he US and countries in East Asia such as China, Japan and South Korea are already establishing a strong market position in relation to the development of next generation technologies. The Middle East has also adopted an aggressive and ambitious approach to 5G, with many of its major operators such as Etisalat in the UAE, and Saudi Telecom Company in Saudi Arabia already agreeing to enter into commercial 5G contracts with European telecommunications vendor Ericsson. Ericsson CEO Borje Ekholm took the opportunity during his keynote presentation at Mobile World Congress to take aim at the current ICT climate in Europe, and expressed his fears that the continent is going to repeat the same mistake as it did with 4G. However, according to Ericsson’s CEO, when you consider the revolutionary benefits and lucrative opportunities that are being promised with the
ICT FEATURE
advent of 5G technology, any hesitation in terms of creating the correct framework and ecosystem in Europe for 5G would have a significantly greater economic impact than the same hesitation did with 4G. Ekholm was addressing some concerns that were expressed from many European operators that a blanket ban on Chinese telecommunications behemoth Huawei would significantly hamper their ability to commercially deploy 5G networks. Although Ericsson’s CEO didn’t directly name Huawei, it was clear he was referring to it when he was dismissing the fears that had been expressed from operators and stated that they already have access in Europe to 5G technology. He stressed that the biggest challenge facing operators wasn’t access to 5G technologies, but instead the combination of high-spectrum prices and heavy regulation. Ekholm said, “There has been a lot of discussions and conversations taking place in Europe recently regarding the security of networks. This is a very important topic because 5G is going to
31
become a national infrastructure so the security of 5G networks naturally enough will be absolutely critical. 5G will be the backbone in the future of our society. However, operators shouldn’t be concerned that they’re going to fall behind in 5G deployments because
The biggest challenge facing operators wasn’t access to 5G technologies, but high-spectrum prices and heavy regulation
5G cybersecurity threats AND solutions 2019
they already have access to 5G technology. Undoubtedly, the biggest challenges facing operators is the combination of high-spectrum prices and heavy regulation. These barriers need to be removed in order to foster an environment which is more investor friendly. If operators can’t invest properly in 5G then the continent will fall behind, and that will have a severe effect on its economy.” Market fragmentation Chafic Traboulsi, vice president and head of Networks at Ericsson MEA, also conceded that high spectrum prices and heavy regulation were huge stumbling blocks in Europe’s ability to deploy 5G networks, but also pointed to fragmentation in the market as a huge obstacle. Traboulsi told Telecom Review, “Regulators are there for the people at the end of the day to make sure the business and competition is fair. However, it’s become very evident that there needs to be a balance and Europe needs to move quickly. They need to ensure that they secure frequencies at a very affordable rate for the communication service providers so that they can give those advanced services to their customers.” The Ericsson executive added that the cost of spectrum in Europe was just far too high. “Operators in such a competitive industry as Europe just simply don’t have the additional CAPEX to spend on buying high spectrum. As I said, the regulators are there to protect consumers but at the end of the day, there are far too many operators in the same markets. That market fragmentation restricts investment and results in operators not being able to invest properly. We were working with one operator in Romania, and there were eight other operators in the market. It’s just not sustainable.” CEO of Telefonica, Jose Maria Alvarez Pallete, urged European governments to resist the temptation to artificially inflate spectrum pricing in an effort
OPINIONS
to accelerate the rollout of 5G mobile networks. According to Pallete, European telecoms regulators need to adopt a more pragmatic approach to market consolidation in a bid to help telecommunications operators bare the cost of 5G rollout. During his opening address at MWC 2019 in Barcelona, the charismatic CEO questioned whether the European Commission’s preference for four players in each of the markets it regulates was in the industry’s best interest, particularly as it looks to pump billions of euros into its 5G network rollout. “Does competition theory say that Europe needs one mobile operator for every 1 million citizens in Europe? Governments are using 5G auctions as short-term cash generators rather than fostering the digital transformation that societies and economies require. Spectrum needs to be awarded for longer durations, and we hope that the new commission and parliament in the European Union make the creation of a level playing field their number one priority.” Nokia’s CEO Rajeev Suri also expressed his expert view on 5G progression in Europe, and was wholly unequivocal in his assessment that Europe’s 5G implementation program will be undoubtedly delayed. He shared the sentiments expressed by his Ericsson counterparts and pointed to a combination of high spectrum prices and regulatory hurdles as the main factors preventing Europe from the leading the way on the commercial deployment of 5G networks. Suri suggested that Europe’s execution of the new technology destined to fundamentally reshape major industries and our society as a whole would lag behind peers like the United States and China, which are making major strides in their development of 5G. Suri said, “The main reason European telecommunications players are
32
falling is a lack of spectrum as well as many regulatory hurdles. Spectrum is available in some countries, not all, and the market was completely ‘overregulated’ and that consolidation is not permitted.” There was no better example in Europe to exemplify the issue of high spectrum than in Italy, with the Italian government hauling a record $7.6 billion in a spectrum auction it held in October. Whether or not European regulators heed the calls from the continent’s major operators and telecommunication vendors remain to be seen, but one thing is for sure, if they don’t move fast then they will definitely be left behind the rest of the world in terms of deploying 5G networks.
European telecoms regulators need to adopt a more pragmatic approach to market consolidation