By: Elizabeth Rosenblatt, YLS ‘23

5G, the fifth-generation standard of mobile networking technology, promises to enable novel use cases that will fundamentally alter the world as we know it. However, with this promise comes increased security risk. As digital infrastructure becomes increasingly critical, this heightened cybersecurity risk is cause for concern. Telecommunications vendors and network operators are under incentivized to mitigate cybersecurity risk due to a collective action problem. Further, due to increasing interconnectedness between network components, a cyber event in one network element may catalyze widespread breach or network failure across providers with catastrophic societal implications. Novel tools are needed to address this challenge and catalyze efficient levels of investment in precaution. This paper examines the network vulnerabilities unique to fifth-generation networks and proposes the use of network “stress tests” to understand, measure, and proactively react to network vulnerabilities.

Introduction to 5G

5G offers ultra-low-latency and high-speed mobile internet. This more reliable, faster speed, lower lag connection has the potential to enable a plethora of new user applications including autonomous transportation, remote healthcare delivery, connected electric grids and energy sources, and autonomous military, agricultural, and manufacturing technologies.

5G networks are distinct from previous generations of mobile networks in a few key ways. First, 5G utilizes a wider mix of spectrum bands, including mid and high-band spectrum, to deliver faster speeds. Given that higher frequency waves travel shorter distances and have trouble penetrating objects, 5G network infrastructure must be placed more densely than its predecessors. Whereas 3G and 4G were built on networks of dispersed cellular towers, 5G is built on a network of more densely distributed macro and micro cell sites.

Further, software-defined networking (SDN) and network virtualization have changed the way that network hardware interplays with network management software and the end-user. In a software-defined network, the control plane (which sets the rules for data traffic and transfer) is separated from the data plane (which actually sends the data). This disaggregation allows the network owner to program and manage the network centrally via software, as opposed to having to reconfigure physical hardware. Network virtualization shifts the delivery of certain network functions from hardware to software. Critically, virtualization enables network slicing through which multiple virtual networks, each uniquely configured for client needs, can operate on the same infrastructure.

The disaggregation of network hardware from the software-based, virtualized networks operating atop them encourages greater interoperability and competition between hardware and software vendors.

5G Cybersecurity Vulnerabilities

While next-generation wireless networks offer new opportunities, they also carry substantial security risks. First of all, the stakes are higher. The user applications listed above – including critical transport, energy, military, and healthcare technologies – rely on uninterrupted connection with these low-latency networks. Even a brief disruption to the network’s connection can put human life at stake.

Further, 5G networks are more vulnerable than previous generations of technology standards. To begin with, because 5G networks will, at least initially, be built atop existing 3G and 4G infrastructure, they inherit the vulnerabilities present in prior generations. In addition, some of the novel features of next-generation wireless networks that beneficially lead to increased competition and interoperability also expose networks to increased cybersecurity risk.

Former FCC Chairman Tom Wheeler shares a compelling birds-eye view of 5G security risks in his article, “Why 5G requires new approaches to cybersecurity: Racing to protect the most important network of the 21st century.” Key vulnerabilities, building on Wheeler’s framework, are detailed below.

First, as the number of user applications (e.g., mobile phones, Internet of Things (IoT) devices, smart home appliances, wearables) and the number of cell sites proliferate, so too do the number of potential entry points to the network. Second, the control plane software managing these software-defined networks can be susceptible to an attack that would have network-wide implications. Further, software-definition removes the “hardware choke points” that previously served as gatekeepers to prevent and isolate malicious entry. Third, while increased interoperability and the use of different vendors for each component of network hardware and software is incredibly beneficial from a competition standpoint, it leaves the network vulnerable to flaws in any of those vendors’ products. The network is only as secure as its weakest link. Lastly, though concerns over China’s dominance in telecommunications equipment markets (and particularly Huawei’s dominance in radio access network equipment) are perhaps exaggerated, there are legitimate risks involved in relying on critical, hackable equipment from a geopolitical adversary.

Where do we go from here?

There is much literature on what should be done to secure this critical digital infrastructure. Solutions focus on taking a zero-trust approach to 5G involving end-to-end encryption, emphasizing the importance of resilience and the use of artificial intelligence (AI) to rapidly identify breaches, and cultivating US-allied leadership in the supply chains for core and radio-access network (RAN) equipment. The Cybersecurity and Infrastructure Security Agency (CISA)’s 2020 report, “CISA 5G Strategy: Ensuring the Security and Resilience of 5G Infrastructure in our Nation,” provides an initial set of initiatives to secure 5G focused on standard setting, best practice sharing, and stakeholder engagement.

But the fact is, telecommunications market participants are under incentivized to invest in security protections due to a collective action problem. The probability of serious breach is relatively low and the resulting harms, while great in magnitude, are distributed across many stakeholders and network users. As such, novel tools are needed to ensure market participants take efficient levels of precaution.

There is perhaps a worthwhile comparison to be made between digital network infrastructure and the banking system. In banking, stress tests are one of a handful of regulatory tools that, in particular, test risk preparedness for a simulated future scenario. A similar tool may be prudent in digital network infrastructure – forward-looking “stress tests” could evaluate a network’s ability to identify breaches, isolate them, and implement backup mechanisms to prevent widespread harm. These tests would simulate security breaches (e.g., malware, phishing, denial-of-service) at various entry points to the network (e.g., user end points, cell sites, virtualization software, spectrum sharing software) across different vendors to understand the existence and magnitude of any vulnerabilities. The introduction of interoperability and open RAN offer increased innovation and competition, but they also mean that security breaches can propagate farther than they could before. Simulated breaches will enable market participants to understand not only the vulnerabilities in their own systems, but also the vulnerabilities stemming from vendor interconnectedness. These stress tests could provide both market participants and regulators with a tool to understand where increased investment in security and resilience is needed.