In August 2020, the Cybersecurity and Infrastructure Security Agency (CISA) released its strategy to ensure the security and resilience of 5G infrastructure in the United States. Roughly every 10 years, the next generation of mobile communication networks is released, bringing faster speeds and increased capabilities. The fifth generation (5G) of wireless technology is a complete transformation of telecommunication networks, introducing an abundance of benefits such as higher data rates, ultra-low latency and increased network capacity. These benefits will pave the way for new capabilities and support connectivity for applications like smart cities, autonomous vehicles, remote healthcare and much more. “The deployment of 5G technologies will enable new innovation, new markets, and economic growth around the world,” wrote Christopher Krebs, Director CISA, in the Strategy’s foreword. “Given 5G’s scope, the stakes for safeguarding our networks could not be higher. The vulnerabilities that will come with 5G deployment are broad and range from insider threats to cyber espionage and attacks from sophisticated nation-states.”
Strategy goal
Considering both the potentials and the risks and challenges brought forth by 5G technology, especially in critical infrastructures and services, CISA developed the 5G Strategy. The goal of CISA’s 5G Strategy is to advance the development and deployment of a secure and resilient 5G infrastructure that promotes national security, data integrity, technological innovation and economic opportunity for the United States and its allied partners. To address the risks and challenges of 5G infrastructure, CISA's strategic initiative is aligned with previously published 5G resilience road maps like the White House's National Strategy to Secure 5G, published earlier this year, and the Prague Principles, which was released in 2019 when leaders met in the Czech capital to discuss the global implications of the new technology. The CISA 5G Strategy aligns with the four lines of effort identified in the National Strategy to Secure 5G, which aims to maximize the security of 5G infrastructure in the following four ways:
- Facilitate domestic 5G rollout;
- Assess risks to and identify core security principles of 5G infrastructure;
- Address risks to United States economic and national security during development and deployment of 5G infrastructure worldwide; and
- Promote responsible global development and deployment of 5G.
The three pillars
The CISA vision focuses on a combination of commerce, security and global relations, and it lists three basic competences as the foundation for its approach:
- Risk management to promote secure and resilient 5G deployment by identifying, analyzing, prioritizing, and managing risks
- Stakeholder engagement by actively engaging federal, state, local, tribal and territorial, industry, academia and international partners to address 5G challenges
- Technical assistance to update and develop tools and services that support stakeholders with the planning, governance, operational and technical aspects of secure 5G deployment
The five strategic initiatives
The CISA 5G Strategy establishes five strategic initiatives that seek to advance the deployment of a secure and resilient 5G infrastructure. Each of the strategic initiatives addresses critical risks to secure 5G deployment, such as physical security concerns, attempts by threat actors to influence the design and architecture of the network, vulnerabilities within the 5G supply chain and an increased attack surface for malicious actors to exploit weaknesses.
Strategic Initiative 1: Support 5G policy and standards development by emphasizing security and resilience.
The development of 5G policies and standards serve as the foundation for securing 5G communications. To prevent attempts by threat actors to influence the design and architecture of 5G networks to their benefit, it is critical that these foundational elements be designed and implemented using a security and resilience by design approach.
Strategic Initiative 2: Expand situational awareness of 5G supply chain risks and promote security measures.
The 5G supply chain security is threatened by untrusted components, vendors, equipment and networks. These compromised components have the potential to affect the connectivity and security of transmitted data and information. Strengthening and securing the 5G supply chain will help prevent or mitigate malicious vulnerabilities from creeping into the supply chain.
Strategic Initiative 3: Partner with stakeholders to strengthen and secure existing infrastructure to support future 5G deployments.
Before moving to a standalone infrastructure, the first deployments of 5G networks will depend on existing 4G LTE infrastructure and core networks. While 5G architecture is designed to be more secure, 5G’s specifications and protocols stem from previous networks, which contain legacy vulnerabilities. For example, the overlay of 4G and 5G networks has the potential for a malicious actor to carry out a downgrade attack where they could force a user on a 5G network to use 4G in order to exploit known vulnerabilities against them. To mitigate these inherent vulnerabilities along with new and unidentified risks, the collaboration of industry and government is required to develop and communicate security enhancements to support secure 5G deployments.
Strategic Initiative 4: Encourage innovation in the 5G marketplace to foster trusted 5G vendors.
Secure and resilient 5G technologies and capabilities can drive innovation and R&D initiatives. CISA plans to support such initiatives through collaboration with academia and industry to help drive innovation and establish a trusted vendor community for the future of 5G.
Strategic Initiative 5: Analyze potential 5G use cases and share information on identified risk management strategies.
The enhanced capabilities of 5G technologies will support an array of new functions and devices, introducing a plethora of potential use cases. With the potential for the connection of billions of devices on a network, applications like smart cities will require increased security to safeguard connected devices from potential threats and vulnerabilities. To ensure the security and integrity of these devices, CISA will communicate known vulnerabilities and risk management strategies for use cases associated with securing national critical infrastructures.
Partnership is the backbone of the strategy
“The promise of 5G is undeniable, but with 5G technology posed to underpin a wide range of critical infrastructure functions, it’s vital that we manage these risks adequately and promote a trusted ecosystem of 5G componentry,” said CISA Director Christopher Krebs. “CISA is committed to working with partners to build a resilient 5G infrastructure, and this strategy identifies a roadmap of how we will bring stakeholders together to achieve this.” The nature of risk environment precludes any single entity from managing risk entirely on its own. That is why CISA stresses the importance of collaboration and partnership between the State and the critical infrastructure sector. The CISA 5G Strategy paves the way to defend against today’s threats and to build more secure and resilient infrastructure for the future. However, the devil lies in the (implementation) details.
