Fifth-generation (5G) telecommunications networks could revolutionize the digital economy by enabling new applications that depend on ultra-fast communications at industrial scale. Many of these new applications, such as driverless cars, telemedicine, factory automation, smart electric grids, and smart cities, will capitalize on advances in artificial intelligence (AI), and 5G networks themselves will be AI-enabled.
With these opportunities come major cybersecurity challenges. Western governments are grappling with the risks posed by Huawei and other Chinese vendors of 5G infrastructure equipment. On May 15, 2019, U.S. President Donald J. Trump issued an executive order laying the groundwork for a ban on Huawei equipment in U.S. networks, a long-anticipated move that was accompanied by the Commerce Department’s even more consequential decision to restrict the company’s access to U.S. components. Excluding Huawei from U.S. networks, however, is not the same as securing those networks. Instead, U.S. policymakers need to adopt a broader strategy that includes technical measures, regulatory adjustments, a sensible legal liability regime, diplomacy, and investments in research and cybersecurity skills training.
The Technology of 5G
A 5G network is a collection of microprocessors that rapidly send packets of data among themselves. At the “edge” of the network, devices including smartphones, cars, and robots will send and receive data over radio waves at 5G frequencies by connecting to a new generation of small-cell radio units that form the radio access network (RAN). The RAN links individual devices to routers and switches that compose the “core” network, where data traffic is transported to and from other devices and the internet (or the cloud).
One way 5G networks differ from prior generations is in the physical location of critical functions. Generally speaking, the core of a telecom network is where more sensitive functions, such as user access control, data authentication, data routing, and billing, occur. The edge is where base stations and other RAN equipment connect user devices to the core network. But in 5G, the distinction between core and edge is less clear. Advanced uses of 5G will require high-volume communications with low latency (the delay in sending and receiving data): for example, the anti-collision sensors on a driverless car require instantaneous and reliable data connections. The distance between devices communicating with one another needs to be shortened to provide such high speed and reliability. Thus in 5G networks, some functions traditionally performed in the core will be performed in the RAN.
5G networks will also be significantly more complex than previous generations, which were designed primarily for consumer voice and data services. 5G networks will support at least three different major functions. These are (1) enhanced mobile broadband, which will enable faster download speeds for consumers; (2) ultra-reliable low-latency communication, designed for autonomous vehicles and other applications requiring no gaps in communication; and (3) massive machine-to-machine communications, or the Internet of Things (IoT), in which billions of devices constantly communicate among themselves. Prior generations of mobile technology involved devices connecting to the network in a hub-and-spoke architecture; in 5G, billions of IoT devices will connect with one another in a weblike environment.
5G Cybersecurity Risks
5G networks will undergird a host of critical functions, including autonomous vehicles, smart electric grids, intelligent medicine, and military communications. As such, it is extremely difficult to distinguish “critical” 5G network infrastructure from the noncritical sort; all of 5G is arguably what U.S. officials call a “national critical function.” As companies and individuals become increasingly dependent on these networks, they become more vulnerable to the theft of sensitive data traversing the network, attacks on and disruptions of the functioning of connected devices by other devices, and attacks that disrupt or degrade the network itself. 5G networks will expand the number and scale of potential vulnerabilities, increase incentives for malicious actors to exploit those vulnerabilities, and make it difficult to detect malicious cyber activity.
One threat is manipulation of equipment in the core network—for example, the installation of a secret portal known as a “backdoor” that allows interception and redirection of data or sabotage of critical systems. This can happen even after the systems have passed a security test, since the manufacturer will continually send updates to the equipment. Such a threat could negate front-end security measures such as inspecting source code or equipment for backdoors and other vulnerabilities. Additionally, functions of the core network will take place primarily in the cloud, depending on AI to manage complexity and network resource allocation. Hackers can attack or manipulate the algorithms that operate these AI-based systems.
Security is even more complicated at the edge. Backdoors can be installed in mobile base stations, enabling data interception or manipulation from one of the numerous access points in the RAN. Such activity can be difficult to detect: if, for example, data is being copied and exfiltrated, base stations could still appear to be operating normally. In addition, the devices that connect to 5G networks can themselves pose cyber threats. In 2016, major internet activities were shut down after hackers hijacked low-cost chips in security cameras and digital video recorders (DVRs) to take down multiple internet domains. The weblike architecture of IoT devices dramatically expands the opportunities for, and consequences of, such attacks.
5G Controversy: The Huawei Hullabaloo
Huawei is the world’s largest producer of the equipment needed to operate 5G networks. It is positioned to expand its market share, given the low cost of its products, its investment in research and development, and its ability to offer efficient end-to-end solutions that cover devices, networks, and data centers. But the U.S. government has significant national security concerns about Huawei because of the cybersecurity risks inherent to 5G, Huawei’s past business practices, and the nature of the relationship between Chinese tech companies and the Chinese government. Trump’s executive order lays the groundwork for the U.S. Commerce Department to prohibit U.S. firms from installing Huawei equipment, expanding on restrictions enacted last year regarding the use of Huawei by U.S. agencies and federal contractors. The Commerce Department also added Huawei and sixty-eight affiliate firms to the list of entities subject to export restrictions due to the risks they pose to U.S. national security and foreign policy interests, citing Huawei’s violations of U.S. sanctions law in support of the decision. Trump appeared to ease these export restrictions somewhat in a pledge to Chinese President Xi Jinping at the June Group of Twenty summit. However, it still remains unclear to what extent Huawei will be cut off from American-made semiconductors and chip-design tools that are crucial to the company’s operations.
The security concerns around Huawei are both specific to Huawei and structural to 5G. There is evidence that Huawei’s engineering practices are often shoddy and could be exploited by any malicious cyber actor. The UK’s Huawei Cyber Security Evaluation Centre, a watchdog that audits the security of Huawei equipment, identified in March 2019 a litany of persistent and “concerning issues in Huawei’s approach to software development bringing significantly increased risk to UK operators.”
There is also evidence that Huawei routinely violates local laws in countries where it operates. In January, the U.S. Justice Department accused the company of fraud, money laundering, violating U.S. sanctions against Iran, and stealing trade secrets from its U.S. business partner T-Mobile. In another case in January, the Polish government arrested a Huawei sales director on espionage charges. Huawei has also been linked to the theft of intellectual property from Cisco, and U.S. startup CNEX has accused Huawei and its deputy chairman of conspiring to steal its trade secrets. These and other incidents, combined with Huawei’s secrecy and mysterious ownership structure, contribute to concerns about the company’s operations and intentions.
But Western governments’ larger concern is Huawei’s relationship with the Chinese government. If requested, Huawei and other Chinese telecom equipment companies would be legally and politically required to assist the Chinese government in “intelligence work.” The Chinese party-state has in recent years expanded its presence in Chinese corporations, waged a global campaign of state-sponsored cybertheft of foreign intellectual property, and launched sweeping domestic digital-surveillance programs. Given this history, Huawei’s inability to credibly claim independence from the Chinese government is especially problematic.
Economic concerns also carry security implications. U.S. and European officials argue that Chinese telecom subsidies give companies like Huawei unfair commercial advantages and leverage in the development and deployment of global telecom networks. Similarly, Beijing has been accused of politicizing [PDF] the process of setting 5G standards by creating an expectation that Chinese companies participating in the standard-setting Third Generation Partnership Project will vote for Chinese-proposed standards whether or not they are superior. Companies whose technology becomes a global standard can gain market advantages through standard-essential patents. Market advantage can then become a structural security advantage as firms leverage the economic benefits of patent royalties to drive growth and expand their presence in global networks.
National governments face difficult cost-security tradeoffs in deciding whether to exclude or limit Huawei or other equipment providers from their 5G networks. For many developing countries focused on the economic benefits of building out these networks, espionage is likely to be a secondary concern. For the United States, keeping any particular company’s hardware out of U.S. and allies’ network infrastructure will not eliminate the threat of espionage or sabotage. Iranian, North Korean, Russian, and other hackers have already proven their ability to penetrate U.S. networks to cause harm—and the networks they broke into did not use Chinese equipment. Regardless of whether Huawei is excluded from U.S. or allies’ 5G infrastructure, Chinese networks and Chinese equipment will connect to those networks. The challenge is how to embrace interoperability and efficiency while also optimizing security.
The complexity of ensuring the security and reliability of 5G networks calls for a multilayered approach that includes technical measures, regulatory adjustments, a legal liability regime, diplomacy, and investments in research and cybersecurity skills training.
On the technical front, networks should require built-in resiliency, meaning they can isolate and withstand exploitation of any single device. Where possible, they should also use multiple vendors. The Defense Advanced Research Projects Agency (DARPA) is seeking to develop an open-source hardware movement that crowdsources the patching of vulnerabilities and the design and verification of protocols for the next generation of chips. In the meantime, the United States should work closely with allies and partners to develop common risk-based principles [PDF] of supply-chain integrity that mitigate the introduction of vulnerabilities in network equipment. (Notably, the supply-chain consequences of restricting Huawei’s access to U.S. technology could undercut such efforts.)
With U.S. networks inevitably connecting to “dirty networks,” policies should incentivize mobile service providers to identify and prevent malicious exploitations and attacks using machine learning–based tools. Risk mitigation for untrusted hardware is exceptionally complex, costly, and far from surefire. Sharing intelligence with countries that use untrusted gear is particularly risky. But dedicated network segmentation, cross-layer security standards, and end-to-end encryption and routing validation practices could mitigate some of these risks.
Regulatory policies should focus on transparency and market incentives. Perhaps most immediately, the Federal Communications Commission (FCC) should work with the Department of Defense and other agencies to clear and reallocate more “mid-band” spectrum (intermediate frequencies, large portions of which are owned by the U.S. government but could be made available for commercial use), which would enable U.S. companies to compete more effectively in the global contest to shape the 5G ecosystem. In addition, the FCC could require [PDF] manufacturers to disclose their practices for ensuring the security of IoT devices throughout the life cycle of their products. It could also make spectrum licenses available to service providers only on condition that they verify they operate according to best practices, such as the National Institute of Standards and Technology’s cybersecurity framework. The FCC should be included in the Information and Communications Technology Supply Chain Risk Management Task Force, a multiagency initiative established under the Department of Homeland Security to develop recommendations for managing supply-chain risk.
An improved legal liability regime is also necessary to improve private-sector cybersecurity. Altaba (a successor to Yahoo) recently settled in a shareholder suit over Yahoo’s customer data breach; this should be a warning to companies. The telecom industry should work to develop voluntary standards that will inform the standards that courts will apply in cybersecurity tort cases and provide the basis for a functional insurance market to price cyber risk. Such standards can coexist alongside programs that incentivize private-sector entities to share cyber threat information with the federal government.
The United States should exercise leadership in setting global norms and advancing U.S. interests in cybersecurity. The supply-chain risk management efforts outlined above are a starting point. The Trump administration has created a template for codifying risk-based cybersecurity provisions in a multilateral trade arrangement under the U.S.-Mexico-Canada Agreement. This model could be expanded in future trade negotiations with Asian and European partners. But such diplomatic efforts will be insufficient if the U.S. government fails to bolster its investment in basic research (including in the foundations of future 6G networks) and prioritize STEM and cybersecurity skills training at home.
Finally, U.S. technology and trade policy should proactively aim to secure U.S. networks and promote U.S. technology without succumbing to self-defeating economic protectionism. The U.S. government is justified in keeping Huawei out of U.S. critical infrastructure, but thus far it has failed to articulate the strategic rationale (and downside risks) of attempting to cut the company off from U.S. suppliers. Even as the United States takes steps to protect national security in 5G infrastructure and operations, it needs to remain open to the innovation-driving investment and know-how that have made it a technology leader.
This Cyber Brief is part of the Digital and Cyberspace Policy program. The Council on Foreign Relations takes no institutional positions on policy issues and has no affiliation with the U.S. government. All views expressed in its publications and on its website are the sole responsibility of the author or authors.