Following the introduction of the Telecommunications Security Bill in the United Kingdom, the stakes for security compliance have never been greater. As Jimmy Jones, telecoms cyber security expert at Positive Technologies, says, many have focused on the complete ban on Huawei’s involvement in the UK’s 5G network, which is a major aspect.
However, the situation with Huawei has been front and centre for some time, thus it may be a moot point as the exclusion of their equipment has potentially been accounted for in 5G network planning. In truth, the more important details that operators should be focused on are the heightened security responsibilities they now face.
EU and US security theme
While the UK is the first to move towards legislation, it is only following the theme of others, such as the European Union and the United States. The intention to increase and quantify security in telecom networks is palpable across the globe.
Following a 5G conference in Prague in 2019 that was attended by 32 countries, the EU unveiled their EU Toolkit, which was designed to give member nations a set of measures to alleviate the risks that 5G networks present. Shortly thereafter, the US Cybersecurity and Infrastructure Security Agency presented a strategy document of their own.
Now the UK has taken things one step further by enshrining these powers in law and putting the onus on telecoms operators, with fines of £100,000 (€110,690) a day or 10% of revenue for non-compliance. High security standards will now be government-mandated and paramount, a change for an industry that has been setting its own standards for security gaps. This legislation represents the logical next step from the previously published regulatory documentation; therefore, it’s likely these principles will be replicated globally.
Security in 5G networks
It’s critical that security is delivered in 5G networks due to the huge increase in connectivity it ushers in. More connectivity means more varied services, more devices relying on network resilience, and a wider impact if security is compromised. 5G must also address pre-existing threats. Most 5G networks will actually consist of an existing 4G network core, with 5G present only in the radio access edge. These hybrid networks, known as Non-Standalone, will be with us for the foreseeable future.
With a majority of operators relying on already established 4G networks as a building block for their 5G networks, they are left open to the same vulnerabilities that hackers have been exploiting in the previous generation. These include intercepting calls and SMS messages, tracking users’ locations, and more. We have seen firsthand in the media, with Circles and later the events spotlighted by IBM, the impact these threats pose not just to operators, but to consumers as well.
Our recent research showed that 100% of 4G networks are also susceptible to Denial of Service attacks. This can affect millions of legacy devices and older networks globally, which is grave because these cannot be suddenly switched off and so will coexist with their newer 5G counterparts for years to come. Thus, as operators work towards building out exponentially more complex and expansive networks while delivering security in 5G, they must also find the resources to secure older-generation network architecture, with this audited and monitored as part of the new legal framework.
Supply chain changes
The telecom supply chain itself is also going to change dramatically, requiring additional scrutiny and protection. So-called high-risk vendors had already been banned from the core of networks, but that ban will now be applied to networks in their entirety.
The legislation pushes to diversify even further, to create a far richer and more diverse pool of vendors. Removing the expertise and experience of Huawei and replacing it with new entrants is a noble goal, but some say this will slow the 5G rollout, which could potentially hamper new technology adoption (IoT) and the advantages to the economy that it brings, while possibly also adding expense.
This is addressed most obviously by the Open Radio Access Networks (RAN) initiative, which is built on the concept of creating telecoms infrastructure that can seamlessly integrate different vendors. The UK’s decision to create the SmartRAN Open Network Innovation Centre and its support of the NeutrORAN project with NEC are a direct attempt to help this process by creating opportunities and driving innovation for new vendors to enter the market and help operators abide by the new regulations.
The UK should be applauded for the ambition shown in this legislation, and it represents a blueprint for nations everywhere in integrating the shared consensus of security ideas into law. In the 5G era, everybody, from telecom operators, vendors and Internet of Things (IoT) suppliers all the way to end consumers, needs to prioritise security more than ever before to counter the growing threat landscape. This is just the beginning.
The author is Jimmy Jones, telecoms cyber security expert at Positive Technologies.