CISA Highlights 5G Risks as Federal Agencies Pursue 5G Adoption

CISA Highlights 5G Risks as Federal Agencies Pursue 5G Adoption

Transitioning to 5G is a key strategy for federal agencies' network modernization efforts, but the next generation of communication comes with unique supply chain hazards.

The U.S. Customs and Border Protection (CBP) is eager to transition to 5G infrastructure to improve mission delivery, but the Cybersecurity and Infrastructure Security Agency (CISA) warned against hasty 5G adoption citing 5G supply chain security concerns during an FCW Network Modernization event this week.

“[The supply chain] is going to be an extremely important piece as we look at 5G security and risk,” said Serena Reynolds, CISA Initiative Management Branch chief, “and then looking at deployment leveraging untrusted vendors and really providing an education on cybersecurity, cyber awareness and what do untrusted components really mean [for 5G security]?”

Christopher Wurst, executive director for enterprise networks and technology support at CBP, said his component wants to balance resilience, security and increased mobility through network modernization efforts.

Wurst said CBP will soon require field agents to wear body cameras, which may flood CBP’s already busy network with video data.

CBP is America’s largest law enforcement agency, Wurst said, “so you can just imagine the quantity and quality of data and video that will be introduced to the network at some point. That's a huge challenge for us to move and collect all that video.”

5G could be the key to boosting CBP’s network operations, which often languish at the southwest border where connectivity is low.

“The network is now a vital utility that cannot be overlooked,” Wurst said during the event. “Your application can be up and running all day long, but if your network is down, it doesn’t matter. We do want to increase our mobility position, take advantage of 5G for those edge devices that rely on wireless connectivity — getting the data in real time to our officers out in the field.”

Wurst hopes 5G can reduce the load on CBP’s network as CBP shifts computing to edge devices. Without 5G, this strategy is imperfect because sometimes field agents can’t even get 4G on the southwest border.

“Part of our mobile strategy is to put some of that processing capability out on that edge device to minimize some of the traffic,” Wurst said. “Our strategy is to move as much of that computing power out to the device itself. It is a challenge on body-worn cameras, we're taking the approach that it's not going to be real time, it'll be stored locally on that person and they'll have to take it to a secure location to get that video uploaded safely. What we can do to move some of that data processing out to the edge is definitely in our roadmap.”

Reynolds warned about the increased usage of "internet of things" devices, which rely on edge computing, and the impact on network security as federal agencies prepare for 5G.

“With IoT really growing and the sheer number of devices on the network, [there is] an increased attack surface and new vulnerabilities,” she said. “We’re working with DOD to talk through all aspects of R&D where 5G will be deployed.”

Ryan Orr, a senior risk analyst with CISA, said it will be a while before all 4G infrastructure is ripped out and replaced with 5G infrastructure. The first few years of 5G, he said, will rely on radio access networks (RAN) via 4G infrastructure, which present unique security challenges.

“For the first few years of 5G, only cell phones and the devices they connect to will be 5G,” he said during the event. “The backbone or core network will be 4G, so it'll be a few more years before the full backbone is replaced. Edge computing is moving the core infrastructure, like data centers, and physically moving them closer to the end user and incorporating them into the RAN. By moving closer to the end user, they literally reduce the area the data needs to travel and latency.”

CISA expects malicious actors to target the RANs during this initial 5G phase.

“By moving the core network closer to the end user, it may allow a malicious actor to insert into a RAN,” Orr said.

Another risk is the security of the 5G supply chain, particularly software.

“There's still the [potential] introduction of any vulnerabilities or untrusted components into that mobile edge computing and exposing core networking elements to risks introduced by software and hardware vulnerabilities, like counterfeits,” Orr said. “One of the things we've noticed with open RAN is software assurance is a high priority.”

Orr and Reynolds stressed working with federal cyber leaders and industry partners to secure software supply chains as federal agencies move computing to the network edge. Securing the supply chain now, they said, will make the transition to 5G more secure.

“[We’re] building on the Prague Proposals to look at policy legal and security frameworks to start building out those best practices,” Reynolds said. “We're working with industry partners through our security framework and risk products that are extremely timely, also working with ODNI and the NSA. There are important frameworks to move forward and [make] sure there's an interagency effort.” 

 
Standard