CISA Takes on Security Challenges with 5G

The agency provides a look at how 5G risks affect the supply chain and expose new vulnerabilities.

As federal agencies prepare their infrastructure for anticipated 5G capabilities, these modernization efforts create a need for enhanced security. The Cybersecurity and Infrastructure Security Agency (CISA) is uniquely positioned to address these needs.

The Federal Mobility Group (FMG), led by Department of Justice CISO Nick Ward, is heading up secure adoption of 5G technology throughout the federal register. The group released a white paper in November 2020, the Framework to Conduct 5G Testing, to address potential security concerns and challenges with 5G and the 5G supply chain.

The framework focuses on end-to-end testing of 5G architecture and mapping according to 3GPP standards, listing all possible testing use elements for different use cases, and performance and security metrics, according to the white paper.

Serena Reynolds, a member of the group and the 5G Program Lead at CISA, said CISA’s plan to secure 5G dovetails with the FMG’s framework.

“CISA released our 5G Strategy … and that's really based on three areas: risk management, risk characterization and working with industry through a group called the Enduring Security Framework, and technical assistance, [which is] walking through scenarios like network security standards, supply chain, and really dig deep [to] look at threat, risk, mitigation,” she told GovernmentCIO Media & Research in an interview. “It was really great to have industry in the room to validate what we were hearing from the federal world.”

Reynolds said a lot of countries adopting 5G struggle with resilience, something CISA hopes to tackle. CISA is working on expanding awareness about the 5G supply chain and ICT supply chain and the inherent security risks.

“I think one of the big challenges we heard even within our state and local workshops is the lack of someone to communicate clearly about the risks without selling a product or service,” Reynolds said, adding that she hopes CISA will fill this role and encourage innovation in the market. “With limited competition in the marketplace, figuring out what those economic levers are, tax incentivization programs, financing, grants, trying to figure out what are some of those areas to help share info on what are those economic levers. A lot of that is run through our security.”

Federal agencies and private industry alike see 5G as an exciting new technology glimmering with possibilities, but they need to collaborate on best security practices before jumping in.

“We think the most significant use cases are going to come from when 5G works in that ultra-low latency use case for tele-surgery, autonomous vehicles, and transfer of critical data between internet exchange data centers without any sort of latency that limits productivity,” Reynolds said. “We've seen with the pandemic, critical communications is extremely key with telehealth. 5G can support a lot of those public health and safety use cases, mostly because there's not going to be that latency issue and critical operations will have capacity. [5G will] support medical IoT devices as well.”

Like so much of CISA’s work, 5G and ICT supply chain cyber risk are intertwined. Reynolds said she’s been working with CISA’s ICT Supply Chain Risk Management (SCRM) Task Force to educate federal agencies and private companies on the overlapping issues.

“With any emerging technology there's a lot of risk,” she said. “We know it can be done through a lot of ways, through a supply chain attack or a white labeling, but we know that's going to increase the ability for adversaries to compromise the integrity and ability of 5G. These are also smaller and mid-sized companies that are going to see a lot of the risk there.”

As far as risks go, Reynolds thinks software vulnerabilities will be the biggest threat to 5G integrity. Some of 5G’s most desirable capabilities, like network slicing and edge computing, are highly dependent on software and software assurance.

The influx of software updates and repairs creates more cyber vulnerabilities, and could raise costs for organizations seeking to secure their 5G infrastructure.

“The proper software security piece is going to be extremely important with 5G, probably more so than any other generation,” Reynolds said. “Network slicing allows users to be authenticated for only one network area, and that's information on one slice that can't be accessed by another slice even if they're sharing information on the same infrastructure. The slices can add complexity to the network and make it a little more difficult to manage. There's not really any real protocol for how network operators should develop and implement security for network slicing. So how do we partner with standards bodies and private companies and have those conversations on the front end?”

Addressing these issues and preparing the federal register and private industry for 5G requires consistent interagency and cross-industry communication, education and awareness.

“I'd say stakeholder engagement and being able to bang the drum around the interagency work and stakeholder engagement is going to be a good mechanism [for securing 5G],” Reynolds said.
