5G security suffering from too many cooks in the kitchen
The US Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) recently awarded itself a starring role in the industry's shift to 5G: The agency said it would analyze 5G components for security risks.
And how exactly will a two-year-old agency with a $3 billion budget go about completing that daunting task? No one knows, and the agency hasn't provided any details.
CISA's promise to secure the entire US 5G industry is listed on page 14 of its 24-page report on 5G security: "Procurement of 5G components from untrusted vendors poses many economic and security risks. Often, these technologies are cheaper than trusted alternatives, but these low, up-front costs have the potential to accumulate into more long-term expenditures to address security flaws or interoperability issues," the agency wrote. "To prevent the United States and its allies from purchasing untrusted equipment, CISA will analyze components from 5G vendors and report on any long-term risks that affect the ability to securely communicate and share information."
The proclamation could have a significant impact on a wide range of companies, from antenna providers to silicon vendors, which may need to receive CISA approval before selling their wares in the US. Several 5G component suppliers contacted by Light Reading, including San Diego-based Qualcomm and Sweden's Ericsson, declined to discuss the issue. However, according to a source familiar with the topic who asked not to be named, CISA's new job in the wireless industry represents another step by the Trump administration toward developing a cohesive plan to secure 5G, rather than a fully formed security program.
Previously, the administration considered taking a country-of-origin approach to component security but has since moved away from that notion. Now, via CISA, it's leaning toward an approach that would certify individual suppliers and their components.
CISA's new job in 5G stems from the Trump administration's moves against Huawei and ZTE, Chinese vendors deemed a security threat by US officials. While Huawei and ZTE have now largely been blocked from the US market, the situation raises an important question: If those vendors cannot be trusted, which vendors can be trusted?
That's a much more difficult question to answer, apparently – and it's one that's attracting interest from a wide variety of players.
CISA isn't the only entity that wants to be the bouncer for Trump's 5G party. The Alliance for Telecommunications Industry Solutions (ATIS) and the Telecommunications Industry Association (TIA) each have their own proposals on how to secure 5G networks. Other entities and agencies working on the topic range from the National Institute of Standards and Technology's (NIST) Cybersecurity Framework to DHS' Information and Communications Technology Supply Chain Risk Management Task Force (ICT SCRM Task Force) to the National Telecommunications and Information Administration's (NTIA) Communications Supply Chain Risk Information Partnership (C-SCRIP) to the FCC's secure supply chain effort.
Most such efforts stem from the Secure and Trusted Communications Networks Act passed by Congress in 2019.
Not surprisingly, some in the 5G industry are beginning to worry that there are too many cooks in the network-security kitchen. "To avoid fragmentation and reach relevant stakeholders, the federal government must promote a unified regime for supply chain security," wrote the CTIA, a lobbying group for the nation's biggest wireless network operators, in a recent FCC filing. "This will help government and industry protect US networks and create opportunities for strong, alternative supply chains to develop."
For its part, the CTIA wants DHS to lead things.
"CTIA urges the [FCC] commission to fit its supply chain activities into a whole-of-government approach, led by DHS and supported by Commerce [Department]," CTIA wrote. "DHS is the sector-specific agency for communications and information technology and has significant experience with national security and supply chain issues. DHS is suited to lead, especially where the implications extend beyond US telecommunications carriers. Commerce has authority to address national security threats."
Regardless of which US agency or entity ultimately ends up with the undoubtedly lucrative contract to secure America's 5G, the effort will be tainted by the Trump administration's backwards approach to the issue. Instead of implementing security protocols to cull bad actors, the administration first identified the bad actors and now has to find security protocols that align with its decisions.
No wonder there are too many cooks in the kitchen; after all, the cart was put before the horse.
— Mike Dano, Editorial Director, 5G & Mobile Strategies, Light Reading | @mikeddano