Former Top FCC Officials Seek More Focus on Making 5G Secure
Former FCC Chairman Tom Wheeler, now a Brookings Institution visiting fellow, and David Simpson, FCC Public Safety Bureau chief under Wheeler, called for a more focus on the risks posed by 5G, during a Brookings in-person and virtual event Thursday. The two released a paper earlier this week on making 5G more secure. They were joined by Joyce Corell, senior technology adviser to the White House cyber director, who said the administration is working to get on top of 5G security.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
By one estimate, by 2025 nearly half the data traffic worldwide will be “without human intervention; it will be machine talking to machine,” Wheeler said. “To do that, you need robust, reliable secure communications, and that’s the great opportunity that 5G represents,” he said: “While 4G was about smart apps, principally for our phones, 5G is about smart everything else.”
The stakes are higher than in the 4G world “because what we’re dealing with is the infrastructure that will define the 21st century, the infrastructure that will drive economic growth, the infrastructure that will give us international competitiveness, but, in order for those good things to happen that infrastructure needs to be secure,” Wheeler said. “We know 5G is smart; now let’s make it secure,” he said.
“5G ushers in not just a better smartphone experience” but also “a machine-to-machine communication that really underpins what we think about when we contemplate the internet of things and its role in smart cities, in smart bases, in smart logistics, in smart vehicles,” said Simpson, now a business professor at Virginia Tech. 5G “essentially brings the cloud … out to the edge,” he said: “You can go to the cloud badly” and be exposed to more risks.
“Bringing alive machine-to-machine at the edge is a volumetric increase in the number of nodes and the traffic going back and forth between those nodes and not all of that traffic comes back to a nice center where you can scrub it, clean it, make sure that it’s cyber secure,” Simpson said. “That low-latency, tactile kind of response is now a new attack surface, and who is responsible for addressing the cyber risk?” he asked.
When attackers exposed the Log4j open-source software vulnerability (see 2208100058), the Cybersecurity and Infrastructure Security Agency's response was to tell companies to reduce their exposed attack surface, Simpson said. “What that means is fewer nodes and reduced functionality at the edge, at the very time we’re wanting to catch up with 5G-enabled IoT and smart cities,” he said: “We want to be first to get to smart cities and to invent and utilize AI, but at the same time we perceive still that we need to reduce our attack surface. That gap between those two messages is really what we’re trying to address.”
Risks Inevitable
“Every company, every government agency, defines their objective risk threshold, and it’s never zero risk -- you can’t afford zero risk,” Simpson said. That assessment of risk is “what we think is missing now from the 5G landscape,” he said: “There isn’t that dialogue between companies” or “with the responsible government agencies that are looking end to end across a fabric that has multiple layers to it and new market entrants that we’re there before.”
The cyberthreat “still exists” and 5G “now brings a new set of risk factors,” Simpson said. “We have malicious actors all around the world that still would do harm to our networks,” he said: “We have school districts that are wrestling with ransomware and can’t access student records or have student records released. We have had hospitals that have had operations significantly degraded because they’ve been taken over. We’ve had police departments that have actually paid the ransom to get their data back.”
The move to open radio access networks creates new challenges, Simpson said. “There is a lot to like … but we need to not look at ORAN with rose-colored glasses,” he said: “ORAN is not just a U.S. thing. … There are Chinese companies that are part of the ORAN Alliance. So we shouldn’t look at ORAN as ‘yeah, that’s made in the USA.’ ORAN has many authors and it’s open source.” With ORAN “we’re breaking up the technology stack” and creating “risk seams that need to be addressed,” he said.
The administration is working on a national cybersecurity strategy, Corell said. “It will include not just things for the federal government, but for critical infrastructure,” she said: “When you say who is going to be looking at security, we will be convening the stakeholders in this particular space.” The FCC and the Commerce Department will both be involved, she said.
“The threat landscape evolves over time, so we’re never going to be in a perfectly secure state of being,” Corell said. Government can “shape” industry performance through contract language, “the power of the purse,” she said. “These requirements are now fairly substantial,” she said. The government also requires companies to produce a software bill of materials (see 2209210074), she noted: “You then have insight into what is in a product or a system that’s being procured. That doesn’t fix any security problems” but helps address problems more quickly.
Congress invested $1.5 billion in a Public Wireless Supply Chain Innovation Fund, which is part of the Chips and Science Act, to be run by NTIA, Corell said. “It’s a large sum of money to be executed over a 10-year time period, which is intended to accelerate innovation with a priority for cybersecurity in this space, as well as to stimulate competition,” she said.
The Commerce Department’s National Institute of Standards and Technology is also working on 5G security, setting up a stand-alone network and running tests, Corell said. “NIST has already begun publishing security guidance,” she said.