For years, discussion about 5G security in Canada has fixated on Chinese telecom giant Huawei and the potential danger of Canadian telecom companies building next-generation wireless networks with equipment from a company with close ties to China’s authoritarian government.
But that discussion, many cybersecurity experts say, has overshadowed another urgently needed conversation about the security underpinning our 5G networks – regardless of who builds it.
Last December, the University of Toronto’s Citizen Lab released a report declaring, “Canada does not have a ‘Huawei problem’ per se.” Instead, it stated, we have a much bigger 5G strategy problem, stemming from a lack of co-operation between government, telecom companies and manufacturers of 5G-enabled equipment to ensure that our emerging 5G networks are safe from cyberattacks.
“We still don’t have that full shared-accountability model fleshed out,” says Marin Ivezic, cybersecurity and privacy partner at PwC Canada. “It’s slowly emerging, but not as fast as threats are emerging, and that’s what gives me trouble sleeping occasionally.”
At issue, Mr. Izevic explains, are two principal differences between 5G and previous generations of wireless networks. The first is 5G networks will eventually have a dramatically different architecture than current wireless networks. The 5G being rolled out now will mostly connect to customers the same way as existing 4G networks. Eventually, however, because of 5G’s speed and low latency (minimal time delay between devices exchanging information), 5G networks will enable vast, cloud-based virtual networks.
Individuals and organizations will no longer buy internet access through an internet service provider (ISP) and connect through a single point of entry that can be secured and firewalled. Instead, they’ll connect devices directly to the 5G network. That will turn telecom companies into de facto ISPs.
The second concern is related. As more 5G-enabled devices enter homes and businesses, and as a growing number of business processes rely on them – think of smart factories full of Internet of Things (IoT) machinery – there will be a rapid proliferation of new points vulnerable to cyberattacks.
“There will be more and more and more ways for bad actors to get in and cause damage,” says David Masson, the Ottawa-based director of enterprise security for cybersecurity firm Darktrace. “An organization may be exposed through hundreds or thousands of internet-connected devices, rather than one easily secured router.”
For an easy illustration of the risk, imagine a hypothetical highway filled with self-driving vehicles. Fifth-generation’s ultrahigh speeds and low latency will enable vehicles to communicate with roadside antennas and one another, fast enough to keep traffic flowing smoothly and safely. But a single compromised piece of IoT hardware could permit access to the entire network.
The danger is not as hypothetical as it sounds. In a now-famous example, hackers working with a cybersecurity firm in 2015 demonstrated a remote hack on a Jeep on a Missouri highway, changing the radio volume, blasting the air conditioner and disabling the brakes.
In the real world, responsibility for preventing such an attack will lie with multiple actors: the telecom companies bouncing signals to cars, but also the automotive manufacturers themselves, as well as every single subcontractor involved in developing internet-connected hardware and software inside those vehicles.
And, of course, regulators.
That kind of alignment doesn’t yet exist in Canada, but the market pressure to develop increasingly powerful uses for 5G does.
“Everybody wants to go to market faster,” Mr. Izevic says, “but nobody wants to take accountability for cybersecurity more than they absolutely need. Everybody hopes that somebody else is thinking about security and the new use cases are going to come at us faster than we can handle.”
As director of risk advisory for Deloitte Canada’s emerging technology group, Stephen Meagher works with oil and gas companies, software developers, auto manufacturers and other clients to help them understand emerging cybersecurity risks.
Among the most important principles, he says, is “not just to secure what you’ve already got, but to build securely. What is it you’re buying? Whom are you buying it from? How is the entire value chain being secured?”
That aligns with the concept of DevSecOps (development, security and operations), a hardware and software development approach that aims to build security into every layer of a product’s supply chain, aligning each vendor in that chain.
The problem isn’t being ignored, Mr. Meagher says. While progress has been slow, there are industry consortiums involved in setting shared security standards for 5G.
“3GPP [3rd Generation Partnership Project] is the global standard for the actual development of the security standards for 5G networks,” Mr. Meagher says. “But that really is not what most companies go by, so we rely on organizations like ISO [International Standards Organization]. I think the Canadian government has also done pretty well for communicating the need to these standards.”
But, he adds, communicating the need is quite different from implementation.
Mr. Ivezic goes further: “We just haven’t seen enough progress, and it has to be government [that] drives it,” he says. “There is movement, but it’s moving much slower than the technological advancement.”
On the other hand, certain aspects of 5G may be a security boon. For example, network slicing (dividing single connections into multiple distinct ones) will allow 5G providers to designate portions of their networks for specific customers or uses. That would allow customers to isolate their traffic from the overall network, implementing additional security or encryption on a particular slice.
Still, Mr. Masson says, the structural vulnerabilities loom larger.
“[What] 5G will do is move things from just barely manageable to no longer manageable because it’s just too fast and complicated,” he says. “Current security products are still looking in the rear-view mirror; they need victims before they come up with solutions.”
That approach won’t be tenable in the future, because 5G will dramatically expand the vulnerabilities. Without faster collaboration between governments, telecom companies and device manufacturers, Mr. Masson says, “the victims will just pile up too fast.”