5G Archives - WITA

UK, Huawei and 5G: six myths debunked

Madelyn Cunningham — Tue, 28 Jan 2020 16:13:45 +0000

1. The UK doesn’t ‘get’ the cyber threat posed by China.

The UK is under no illusions as to the cyber threat posed by China. The UK government and critical industry sectors, such as defence, telecommunications and IT, have all been subject to Chinese cyber intrusions designed to steal data on an industrial scale. This was last called out publicly in 2018 by then-foreign secretary, Jeremy Hunt, who described Chinese attacks against UK managed service providers as ‘one of the most significant and widespread cyber intrusions against the UK … uncovered to date’.

Drawing on its own experiences in the cyber domain, the UK will also fully understand that espionage capabilities can quickly become sabotage capabilities – the hack of a network to steal data can quickly become the hack that brings the network down. And the UK knows that China’s intelligence law requires Chinese companies to provide it assistance if asked to do so. The UK’s assessment of the cyber threat posed by China does not differ from that of the US.

2. The UK may have managed the use of Huawei kit in its 3/4G networks, but its use in 5G networks significantly increases the risk of Chinese espionage and sabotage.

Just as 3/4G networks are entangled together today, 5G will be entangled with 3/4G networks. Given that Huawei is already providing kit in the UK’s 3/4G networks, the theoretical ability of the Chinese to access and sabotage the UK mobile network would be little changed even if Huawei kit were not used in the 5G elements of the networks.

3. Even if the risk doesn’t increase from 3/4G to 5G, the UK shouldn’t be using Huawei in any ‘G’ network because the threat of serious cyber espionage cannot be mitigated.

The basic cyber security measures that have been used for 3/4G also apply to 5G, with the proper use of encryption to ensure the confidentiality and integrity of data being a crucial one. Ironically, it remains the case that those with the best chance of reading traffic on anyone’s mobile networks are the companies providing ‘over-the-top’ encrypted applications, as well as whichever government hosts those companies under the terms of their domestic lawful intercept (so in the UK that is overwhelmingly the Silicon Valley companies and the US government).

Increasingly, the UK finds itself unable to read the encrypted traffic between suspected terrorists in London and Manchester without Silicon Valley’s help. The presence of Huawei makes no difference – even if the Chinese government were able to use the Huawei kit to listen in, it would face the same problem as the UK government. Let’s be clear – Google can get to the content of gmail passing over a bit of Huawei kit, but China cannot.

4. Ok, the real risk isn’t about spying, it is about China’s ability to use Huawei kit to sabotage the network.

The provision of kit into UK mobile networks and the interfaces between those networks and the rest of the UK’s telecommunications infrastructure are complex processes. Any kit that Huawei provides into UK networks will be integrated with kit and over networks run by other providers – such as BT, Vodaphone, Virgin Media, EE and others. Those providers have a degree of visibility and control over the various interfaces, with ‘redundancy’ built in – another basic UK requirement being to build redundancy into traffic routing to ensure the network as a whole can survive the loss of a single element (network resilience).

Additionally, many of the components inside Huawei kit are manufactured by other nations, particularly the US – software from Microsoft, microchips from Intel and Qualcom. Removing kit within a complex twenty-first century telecommunications network based simply on the nationality of the kit’s ‘supply chain’ is almost impossible. National ownership of a piece of kit is not the only deciding factor when it comes to ‘ease of interference’. As an illustration, if the US were behind the Stuxnet attack, as alleged, it interfered with the kit of a German company, Siemens.

In short, bringing down a complex modern telecommunications network is not easy, whichever bit of kit within the network you ‘own’. But even if you could, when would you do it? It is effectively a ‘one shot’ capability – if used by China, it would undermine the position of all Chinese companies in the world tech market, effectively handing the market to exclusively non-Chinese companies. China would therefore presumably save the ‘one shot’ for war or near-war, in which case it would need to be sure it would work. As I have outlined above, that is not easy.

The sabotage risk is, in reality, probably far subtler. It is more likely that China might try to insert damaging code via mobile networks remotely and deniably, with the Huawei kit used to facilitate an insertion or exfiltration of code/data into other networks – it is part of a pathway or a small but essential cog in a bigger wheel. Note again, however, that other countries could get into Huawei (or Nokia or Ericsson for that matter) kit remotely to do the same thing.

5. Given that there is a potential sabotage risk, can the UK really isolate the core of its network from Huawei?

5G is a cool technology, providing greater bandwidth, faster speeds, better quality and instant connections. It is this faster, smarter layer that will enable the truly innovative applications that we call the ‘Internet of Things’, for example, self-driving vehicles.

Sitting behind this are various technologies. The use of higher frequencies (ultimately including ‘millimetre waves’) means that the system can carry more information and support more devices (‘smart things’) at the same time (4G uses data at rates of 200–300 megabits per second, while service providers are ultimately looking to get 5G to above 40 and even up to 100 gigabits per second). There are many more and smaller transmitting and receiving antennae, using less power and covering smaller geographic areas – allowing the transmission and receipt of signals simultaneously through multiple antennae.

5G uses a Cloud Radio Access Network, meaning cheaper infrastructure and less maintenance. Unlike current generations, 5G base stations use ‘beamforming’ to detect and locate the user, and only transmit in that direction. 5G uses ‘Full Duplex Mode’ enabled by high-speed switching that can handle simultaneous transmission and receipt. Using all of the above, a 5G network can be ‘sliced’ and dedicated to a specific task (e.g. one part for phones and one part for driverless cars).

So 5G looks complicated and distributed. But it can still be divided into core and non-core. The latter refers to the myriad of small antennae, small cells and base stations distributed on masts, street corners and rooftops creating ‘smart’ environments. But there still has to be a controlling brain – the handful of main data centres at the heart of the network, with there being only two or three more centres needed in a 5G network than in a 3/4G network. That is the core, which can be owned and protected by UK service providers, such as Vodaphone and the like, including if held in the ‘cloud’. That is why the UK thinks it might be able to manage the overall risk by restricting Huawei kit to the ‘non-core’ network.

6. But isn’t Huawei kit rubbish anyway?

Perhaps the single-most important reason why Huawei 5G kit seems to outperform its rivals is the amount it has invested in R&D, and its deployment support is very good. The UK’s National Cyber Security Centre has, however, been very critical of Huawei’s coding. Nonetheless, kit can still perform well even when the underlying coding is a mess, meaning that it is not configured in a uniform way and is therefore very ‘buggy’, like Huawei’s. The presence of bugs in software is ‘normal business’ – they are not back doors in themselves, but they can be used to create back doors.

An international standard that set how coding is done would have reduced the number and type of bugs, and, therefore, made the kit inherently more secure. This is a crucial point: the international community should have baked security standards into the design of 5G networks from the outset, rather than now trying to retrofit security measures by means of, for example, the core/non-core debate.

This is the key lesson from the current Huawei saga for future generations of critical technology, including Artificial Intelligence. If we did not do enough to establish the right standards for 5G, we should now start developing the best standards for the 6G that we will be installing in a decade.

To view the full blog, click here.

The post UK, Huawei and 5G: six myths debunked appeared first on WITA.

Why 5G Requires New Approaches to Cybersecurity

Juliette Holthaus — Tue, 03 Sep 2019 18:59:02 +0000

“The race to 5G is on and America must win,” President Donald Trump said in April. For political purposes, that “race” has been defined as which nation gets 5G built first. It is the wrong measurement.

We must “fire first effectively” in our deployment of 5G. Borrowing on a philosophy Admiral Arleigh Burke coined in World War II: Speed is important, but speed without a good targeting solution can be disastrous.^[1]

5G will be a physical overhaul of our essential networks that will have decades-long impact. Because 5G is the conversion to a mostly all-software network, future upgrades will be software updates much like the current upgrades to your smartphone. Because of the cyber vulnerabilities of software, the tougher part of the real 5G “race” is to retool how we secure the most important network of the 21^st century and the ecosystem of devices and applications that sprout from that network.

Never have the essential networks and services that define our lives, our economy, and our national security had so many participants, each reliant on the other—and none of which have the final responsibility for cybersecurity. The adage “what’s everybody’s business is nobody’s business” has never been more appropriate—and dangerous—than in the quest for 5G cybersecurity.

“As we pursue the connected future, however, we must place equivalent—if not greater—focus on the security of those connections, devices, and applications.”

The new capabilities made possible by new applications riding 5G networks hold tremendous promise. As we pursue the connected future, however, we must place equivalent—if not greater—focus on the security of those connections, devices, and applications. To build 5G on top of a weak cybersecurity foundation is to build on sand. This is not just a matter of the safety of network users, it is a matter of national security.

HYPERFOCUS ON HUAWEI

Effective progress toward achieving minimally satisfactory 5G cyber risk outcomes is compromised by a hyperfocus on legitimate concerns regarding Huawei equipment in U.S. networks. While the Trump administration has continued an Obama-era priority of keeping Huawei and ZTE out of domestic networks, it is only one of the many important 5G risk factors. The hyperbolic rhetoric surrounding the Chinese equipment issues is drowning out what should be a strong national focus on the full breadth of cybersecurity risk factors facing 5G.

The purpose of this paper is to move beyond the Huawei infrastructure issue to review some of the issues that the furor over Huawei has masked. Policy leaders should be conducting a more balanced risk assessment, with a broader focus on vulnerabilities, threat probabilities, and impact drivers of the cyber risk equation. This should be followed by an honest evaluation of the oversight necessary to assure that the promise of 5G is not overcome by cyber vulnerabilities, which result from hasty deployments that fail to sufficiently invest in cyber risk mitigation.

Such a review of 5G cyber threat mitigation should focus on the responsibilities of both 5G businesses and government. This should include a review of whether current market-based measures and motivations can address 5G cyber risk factors and where they fall short, the proper role of targeted government intervention in an era of rapid technological change. The time to address these issues is now, before we become dependent on insecure 5G services with no plan for how we sustain cyber readiness for the larger 5G ecosystem.

The after-the-fact cost of missing a proactive 5G cybersecurity opportunity will be much greater than the cost of cyber diligence up front. The NotPetya attack in 2017 caused $10 billion in corporate losses. The combined losses at Merck, Maersk, and FedEx alone exceeded $1 billion. 5G networks did not exist at that time, of course, but the attack illustrates the high cost of such incursions, and it pales in comparison to an attack that would result in human injury or loss of life. We need to establish the conditions by which risk-informed cybersecurity investment up front is smart business for all 5G participants.

China is a threat even when there is not Huawei equipment in our networks. From the successful exfiltration of highly sensitive security clearance data in the Office of Personnel Management breach commonly attributed to China, to the ongoing China-linked threat actor campaign against managed service providers, many of China’s most successful attacks have taken advantage of vulnerabilities in non-Chinese applications and hardware and poor cyber hygiene. None of this goes away with the ban on Huawei. We cannot allow the headline-grabbing focus on Chinese network equipment to lull us into a false sense of cybersecurity. In a world of interconnected networks, devices, and applications, every activity is a potential attack vector. This vulnerability is only heightened by the nature of 5G and its highly desirable attributes. The world’s hackers (good and bad) are already turning to the 5G ecosystem, as the just concluded DEFCON 2019 (the annual ethical “hacker Olympics”) illustrated. The targets of this year’s hacker villages included key parts of the 5G ecosystem such as: aviation, automobiles, infrastructure control systems, privacy, retail call centers and help desks, hardware in general, drones, IoT, and voting machines.

5G EXPANDS CYBER RISKS

There are five ways in which 5G networks are more vulnerable to cyberattacks than their predecessors:

The network has moved away from centralized, hardware-based switching to distributed, software-defined digital routing. Previous networks were hub-and-spoke designs in which everything came to hardware choke points where cyber hygiene could be practiced. In the 5G software defined network, however, that activity is pushed outward to a web of digital routers throughout the network, thus denying the potential for chokepoint inspection and control.
5G further complicates its cyber vulnerability by virtualizing in software higher-level network functions formerly performed by physical appliances. These activities are based on the common language of Internet Protocol and well-known operating systems. Whether used by nation-states or criminal actors, these standardized building block protocols and systems have proven to be valuable tools for those seeking to do ill.
Even if it were possible to lock down the software vulnerabilities within the network, the network is also being managed by software—often early generation artificial intelligence—that itself can be vulnerable. An attacker that gains control of the software managing the networks can also control the network.
The dramatic expansion of bandwidth that makes 5G possible creates additional avenues of attack. Physically, low-cost, short range, small-cell antennas deployed throughout urban areas become new hard targets. Functionally, these cell sites will use 5G’s Dynamic Spectrum Sharing capability in which multiple streams of information share the bandwidth in so-called “slices”—each slice with its own varying degree of cyber risk. When software allows the functions of the network to shift dynamically, cyber protection must also be dynamic rather than relying on a uniform lowest common denominator solution.
Finally, of course, is the vulnerability created by attaching tens of billions of hackable smart devices (actually, little computers) to the network colloquially referred to as IoT. Plans are underway for a diverse and seemingly inexhaustible list of IoT-enabled activities, ranging from public safety things, to battlefield things, to medical things, to transportation things—all of which are both wonderful and uniquely vulnerable. In July, for instance, Microsoft reported that Russian hackers had penetrated run-of-the-mill IoT devices to gain access to networks. From there, hackers discovered further insecure IoT devices into which they could plant exploitation software.

Fifth-generation networks thus create a greatly expanded, multidimensional cyberattack vulnerability. It is this redefined nature of networks—a new network “ecosystem of ecosystems”—that requires a similarly redefined cyber strategy. The network, device, and applications companies are aware of the vulnerabilities and many are making, no doubt, what they feel are good faith efforts to resolve the issues. The purpose of this paper is to propose a basic set of steps toward cyber sufficiency. It is our assertion that “what got us here won’t get us there.”

Fifth-generation networks create a greatly expanded, multidimensional cyberattack vulnerability. Therefore, the redefined nature of these networks requires a similarly redefined cyber strategy. (Credit: Tom Westbrook/Reuters)

5G service providers are the first ones to tell us that 5G will underpin radical and beneficial transformation in what we can do and how we manage our affairs. At the same time, these companies have publicly worried about their ability to address the totality of the cyber threat and have described the future challenge in disturbingly blunt terms. The president’s National Security Telecommunications Advisory Committee (NSTAC)—composed of leaders in the telecommunications industry—told him in November, “The cybersecurity threat now poses an existential threat to the future of the [n]ation.”

The nature of 5G networks exacerbates the cybersecurity threat. Across the country, consumers, companies, and cities seeking to use 5G are ill-equipped to assess, let alone address, its threats. Placing the security burden on the user is an unrealistic expectation, yet it is a major tenet of present cybersecurity activities. Looking to the cybersecurity roles of the multitude of companies in the 5G “ecosystem of ecosystems” reveals an undefined mush. Our present trajectory will not close the cyber gap as 5G greatly expands both the number of connected devices and the categories of activities relying on 5G. This general dissonance is further exacerbated by positioning Chinese technological infection of U.S. critical infrastructure as the essential cyber challenge before us. The truth is that it’s just one of many.

WHAT HAVE WE LEARNED THUS FAR?

5G has challenged our traditional assumptions about network security and the security of the devices and applications that attach to that network. As officials of the Federal Communications Commission (FCC), the authors struggled to deal with these challenges only to be confronted by:

Industrial-era procedural laws that make rulemaking activity cumbersome and non-rulemaking activity less than optimal.
The incentive of bad actors to overcome any solution that is typically greater than the incentive to maintain the protection.
Industry stakeholder fear of exposing their internally identified risk factors at precisely the time when sharing information about attacks would be of greatest value for a collective defense.

At the same time, those who know the networks the best—the network operators—exist under business structures that are not optimal for effective risk reduction. As an FCC white paper concluded three years ago:

As private actors, ISPs (internet service providers, such as 5G networks) operate in economic environments that pressure against investments that do not contribute to profit. Protective action taken by one ISP can be undermined by the failure of other ISPs to take similar actions. This weakens the incentive of all ISPs to invest in such protections. Cyber accountability therefore requires a combination of market-based incentives and appropriate regulatory oversight where the market does not, or cannot, do the job efficiently.

The FCC report’s finding—that market forces alone would not address society’s cyber risk interests—highlighted the ISPs over which the agency had primary jurisdiction. The report additionally examined the larger ecosystem and concluded that the motivation to solve the problem generally gets worse when consumers do not link a purchasing decision with a cyber risk outcome. This, unfortunately, is all too often the case, as service providers as well as device and application vendors do not make meaningful security differentiators public and don’t compete on any verifiable security indicators.

“None of this suggests that we suspend the march to the benefits of 5G. It does, however, suggest that our status quo approach to 5G should be challenged.”

In 2016, for instance, hackers shut down major portions of the internet by taking control of millions of low-cost chips in the motherboards of video security cameras and digital video recorders. That the internet could be attacked this way reflected the reality of digital supply chains: Because consumers didn’t consider cybersecurity in their purchase decisions of low-cost connected devices (they were the means, not the target of the attack), retailers didn’t prioritize security in their decisions of what to stock. As a result, manufacturers didn’t emphasize cyber in the components they purchased and thus chip and motherboard manufacturers did not include cyber protections in their product. None of companies defined a role for themselves for sustaining post-purchase product cyber readiness and, by and large, that’s still the case.

New industry verticals are bringing 5G-enabled capabilities to a market where good faith efforts are insufficient. There is no evidence that the business priorities of the suppliers of devices and applications are any different than those attributed to network operators in the FCC report. A 2018 report by the Trump administration’s Council of Economic Advisers, for instance, warned of, “underinvestment in cybersecurity by the private sector relative to the socially optimal level of investment.”

None of this suggests that we suspend the march to the benefits of 5G. It does, however, suggest that our status quo approach to 5G should be challenged. Continuation of corporate and governmental policies that are not keeping up with today’s cyber risk do not bode well for a volumetric expansion of the attackable network and data surface of 5G networks. There is a crying need for coordinated efforts to achieve targeted expectations.

TWO KEYS TO WINNING THE REAL “5G RACE”

The real “5G race” is whether the most important network of the 21^st century will be sufficiently secure to realize its technological promises. Yes, speedy implementation is important, but security is paramount. To answer that overriding question requires new efforts by both business and government and a new relationship between the two.

The recommendations that follow are both important and not without cost. In normal times, such suggestions might be judged too much of a departure from traditional practices. These are not normal times, however. The outlook for a future that relies on 5G and other new digital pathways is cyber-defined. Our nation has moved into a new era of non-kinetic warfare and criminal activity by nation-states and their surrogates. This new reality justifies the following corporate and governmental actions.

Key #1: Companies must recognize and be held responsible for a new cyber duty of care

The first of this two-part proposal is the establishment of a rewards-based (as opposed to penalty-driven) incentive for companies to adhere to a “cyber duty of care.” Traditionally, common law established that those who provide products and services have a duty of care to identify and mitigate potential harms that could result. There needs to be a new corporate culture in which cyber risk is treated as an essential corporate duty and rewarded with appropriate incentives, whether in monetary, regulatory, or other forms. Such incentives would require adherence to a standard of cyber hygiene which, if met, would entitle the company to be treated differently than other non-complying entities. Such a cyber duty of care includes the following:

Reversing chronic underinvestment in cyber risk reduction

Proactive cyber investment today is the exception rather than the rule. For public companies, the Securities and Exchange Commission (SEC) and others are driving change from the corporate board-level on down through management. A favorite entrance point for cyberattacks, however, remains the smaller companies, many of which are outside of the scope of these efforts. Unfortunately, the SEC’s efforts impact only the less than 10% of American companies that are publicly owned. At the very least, where companies have a role in critical infrastructure or provide a product or service that, if attacked, could imperil public safety, there must be the expectation that cybersecurity risks are being addressed proactively.^[2]

Implementation of machine learning and artificial intelligence protection

Cyberattacks on 5G will be software attacks; they must be countered with software protections. During a Brookings-convened discussion on 5G cybersecurity, one participant observed, “We’re fighting a software fight with people” whereas the attackers are machines. Such an approach was like “looking through soda straws at separate, discrete portions of the environment” at a time when a holistic approach and consistent visibility across the entire environment is needed. The speed and breadth of computer-driven cyberattacks requires the speed and breadth of computer-driven protections at all levels of the supply chain.

Shifting from lag indicators of cyber-preparedness (post-attack) to leading indicators

A 2018 White House report found a “pervasive” underreporting of cyber events that “hampers the ability of all actors to respond effectively and immediately.” The 5G cyber realm needs to adopt leading indicator methodology to communicate cyber-preparedness between interdependent commercial companies and with government entities charged with oversight responsibilities. There are a number of good examples to pull from. Shared cyber risk assessments are increasingly a best practice for cyber-mature companies and their supply chain. Several accounting and insurance firms have developed lead metrics to inform cyber risk reduction investments and underwrite policies. The Department of Homeland Security has resiliency self-assessment standards to motivate long-term community disaster preparedness improvement.^[3] Such a model should be extended to the 5G cyber realm in order to shift oversight from lag indicators to lead indicators.

A regular program of engagement with boards and regulators using cybersecurity lead indicators will build trust, accelerate closing the 5G readiness gap and lead towards more constructive outcomes when cyber attackers do succeed. Underreporting of lag indicators, as highlighted in the 2018 White House report should be addressed, but with the primary purpose of closing the feedback loop, improving the quality of lead measures and the investment decision process they inform.

Cybersecurity starts with the 5G networks themselves

While many of the large network providers building 5G are committing meaningful resources to cyber, small- and medium-sized wireless ISPs serving rural communities have been hard pressed to rationalize a robust cybersecurity program. Some of these companies have fewer than 10 employees and can’t afford a dedicated cyber security officer or a 24/7 cyber security operations center. Still, they will be offering 5G services and interconnecting with 5G networks. About one-third of these companies have ignored government warnings about the use of Huawei equipment and are now petitioning Congress to pay for their poor decisions and pay to replace the non-Chinese equipment. Any replacement must include the expectation that the companies will establish sufficient cybersecurity processes that sustain protections. All the networks that deliver 5G—whether big brand names, small local companies, wireless ISPs, or municipal broadband providers—must have proactive cyber protection programs.

Insert security into the development and operations cycle

For many application developers, a core agile development tenet has been sprinting to deploy a minimum viable product, accepting risk, and committing to later providing consumer-feedback-driven upgrades once the product gains a following. Software companies and those providing innovative, software-based products and services are beginning to insert cybersecurity in the process as a design, deployment, and sustainment consideration for every new project. Such security by design should be a minimum duty of care across the commercial space for innovations in the emerging 5G environment.

Best practices

The National Institute for Standards and Technology (NIST) Cybersecurity Framework has established five areas for best practice cybersecurity management that could become the basis of industry best practices: Identify, protect, detect, respond, and recover. For instance, NIST’s “identify” initiative focuses on determination of a company’s cyber universe, threats, and vulnerabilities in order to identify cyber risk reduction investments. While not limited only to the NIST framework, Congress should establish a cybersecurity standard of expected performance and accompanying incentives for its adoption by companies. While industry-developed best practices are a step in the right direction, they are only as strong as the weakest link in the industry and continue to place the burden on poorly informed consumers to know whether the best practices are being fulfilled. The Consumer Technology Association (CTA)—representing the $377 billion U.S. consumer technology industry—helped produce an anti-botnet guide that outlines best practices for device manufactures, but there is no way for a consumer to easily tell if it’s being followed.

“While industry-developed best practices are a step in the right direction, they are only as strong as the weakest link in the industry.”

Unfortunately, publication of optional cybersecurity best practices without full industry buy-in may be an attempt at responsible behavior and good public relations, but often do little to change the cyber risk landscape. While CTA has additionally published a useful buyer’s guide to explain cyber risk issues and improve household cyber hygiene, one wonders how many consumers of low-cost network connected technologies even know of its existence. Shifting cyber risk burdens to poorly informed consumers has limited utility. The 5G commercial sector needs to acknowledge the limits of consumer-based actions, own the residual risk, and work together with government oversight to assign cross-sector mitigation responsibilities.

Key #2: Government must establish a new cyber regulatory paradigm to reflect the new realities

Current procedural rules for government agencies were developed in an industrial environment in which innovation and change—let alone security threats—developed more slowly. The fast pace of digital innovation and threats requires a new approach to the business-government relationship.

More effective regulatory cyber relationships with those regulated

Cybersecurity is hard, and we should not pretend otherwise. As presently structured, government is not in a good position to get ahead of the threat and determine detailed standards or compliance measures where the technology and adversary’s activities change so rapidly. A new cybersecurity regulatory paradigm should be developed that seeks to de-escalate the adversarial relationship that can develop between regulators and the companies they oversee. This would replace detailed compliance instructions left over from the industrial era with regular and fulsome cybersecurity engagements between the regulators and the providers at greatest risk as determined by criticality, scale (impact), or demonstrated problems (vulnerabilities) built around the cyber duty of care. It would be designed to reward sectors where participants have organized and are clearly investing ahead of failure to address risk factors.

Conversely, where sectors are ignoring cyber risk factors, graduated regulatory incentives can change corporate risk calculus to address consumer and community concerns. These activities would be afforded confidentiality and not be used by themselves to discover enforcement violations, but instead to help both regulators and the regulated better spot trends, best practices, and collectively and systematically improve their sector’s approach to cyber risk. DHS can have a supporting role for this, but at the end of the day, the balance between security, innovation, corporate means, and market factors is inherently regulatory. Absent the ability to impose a decision, government involvement can only be hortatory.

Recognition of marketplace shortcomings

Economic forces drive corporate behavior. Of course, there are bottom-line-affecting costs associated with cybersecurity. Even when such costs are voluntarily incurred, however, their benefits can be undone by another company that doesn’t make the effort. The first of this paper’s two recommendations suggests what companies can do to exercise their cyber duty of care. History has shown, however, that the carrot accompanying such efforts often needs the persuasion of a standby stick. This is only fair to those companies that step up to their responsibility and should not be penalized in the marketplace by those that do not step up. A rewards-based policy would amplify the value of cyber duty of care participation, especially when others fall short. It would also provide forward-looking incentive for risk reduction and a more useful feedback loop when breaches invariably occur.

Consumer transparency

Consumers have little awareness and no insight with which to make an informed market decision. The situation is analogous to the forces that resulted in the establishment of nutritional labeling for foods. Consumers should be given the tools with which to make informed decisions. “Nutritional labeling” about cyber risks or a cyber version of Underwriters Laboratories’ self-certification will help focus the attention of all parties on its importance.

Inspection and certification of connected devices

For years, the FCC has overseen a program to certify that radio-signal-emitting devices do not interfere with authorized use of the nation’s airwaves. Whether cellphones, baby monitors, electronic power supplies, or Tickle Me Elmo, the FCC assures the design and assembly of transmitting devices are within standards. The industry then organizes underneath that construct to self-certify devices in a cost-effective means baked into their production and distribution processes. At the time of the 2016 DYN attack that took control of millions of video cameras, the authors proposed a similar regimen to review the cybersecurity of connected devices. If we protect our radio networks from harmful equipment, why do we not protect our 5G networks from cyber-vulnerable equipment?

Contracts aren’t enough

Both the executive and legislative branches have focused on using government acquisition standards and pathfinder contracts to impose cybersecurity requirements where government contracts can compel commercial actions. This is an important, proven practice, but it can only go so far. Federal acquisition policies do not reach non-government suppliers that in an interconnected network can wreak havoc by simply connecting to the network. The majority of small and medium 5G network providers are not bound by any of these government contracts.

Stimulate closure of 5G supply chain gaps

For years government review of mergers and acquisitions has typically failed to appreciate the potential negative impact on critical supply chains. Moving companies and processes offshore or to joint ventures with foreign ownership/control has created wholesale gaps in the supply of crucial 5G components and the absence of domestic procurement options. Country of origin/ownership concerns must become relevant to both the corporate calculus that led to offshoring purchase decisions as well as to the market conditions that led to the destruction of a national capability in the first place. 5G supply chain market analysis must be continuous with regular engagement between regulators, industry, and the executive and legislative branches to properly incentivize globally competitive domestic sourcing alternatives.

Re-engage with international bodies

At present, the standards setting process for 5G is governed by the 3^rd Generation Partnership Project (3GPP), an industry group that makes decisions by consensus based on input from its members, including Chinese 5G equipment companies. (Huawei reportedly made the most contributions to the 5G standard). The Obama FCC engaged directly with 3GPP to identify public safety and cybersecurity risk considerations applicable to the U.S. market. It additionally opened a notice of inquiry to ask the nation’s best technology brains how to implement cybersecurity risk reduction as part of the development and deployment cycle. The move was opposed by some industry associations and the Republican commissioners. Shortly after the beginning of the Trump administration, the new FCC cancelled the Obama FCC’s cyber initiatives.

The FCC should re-engage with international bodies like the 3rd Generation Partnership Project to have more agency in the worldwide debate over 5G cybersecurity. (Credit: FCC/U.S. government work)

There needs to be informed third-party oversight early in the 5G industry’s design and deployment cycle in order to prioritize cyber security. The nation, our communities and our citizens should—through their government—have some degree of agency in the process. The FCC and Commerce Department should participate in 3GPP and the U.S. feeder group as observer stakeholders. This will allow for earlier issue identification and the opportunity to submit concerns, without changing the basic governance of standards setting. The representatives of American citizens should have the option to escalate engagement on matters of national security and public safety concern.

CONCLUSION

It is an amazing turn of events when the U.S. Senate, currently led by Republicans, feels it necessary to introduce legislation instructing the Trump administration “to develop a strategy to ensure the security of next generation mobile telecommunications systems and infrastructure.” The 5G cybersecurity threat is a whole-of-the-nation peril. We should not be lulled into complacency because the newness of the network has masked the threat. We must not confuse 5G cybersecurity with international trade policy. Congress should not have to pass legislation instructing the Trump administration to act on 5G cybersecurity. The whole-of-the-nation peril requires a whole-of-the-economy and whole-of-the-government response built around the realities of the information age, not formulaic laissez faire political philosophy or the structures of the industrial age.

“People are going to be put at risk and possibly die as we increasingly connect life sustaining devices to the internet,” was the stark warning from one of the experts participating in a Brookings roundtable on 5G cybersecurity. This cold reality is because the internet’s connection to people and the things on which they depend will increasingly be through vulnerable 5G networks. It is an exposure that is exacerbated by a cyber cold war simmering below the surface of consumer consciousness.

Early generation cyberattacks targeted intellectual property, extortion, and hacked databases. Today, the stakes are even higher as nation-state actors and their proxies gain footholds in our nation’s critical infrastructure to create attack platforms lying in wait. Any rational risk-based assessment reveals that the favored adversary target is our commercial sector. Companies that provide critical network infrastructure or provide products or services connected to it represent the likely and potentially most dangerous enemy course of action in the ongoing cyber cold war.

“If you’re asking me if I think we’re at war, I think I’d say yes,” the former commandant of the Marine Corps, Gen. Robert Neller, told an audience in February. “We’re at war right now in cyberspace. … They’re pouring over the castle walls every day.” While our adversaries, no doubt, see positive outcomes for high-profile direct attack, they also are perfecting less-risky positive outcomes in a steady pace of low-level attacks intended to erode U.S. public confidence in our cyber critical infrastructure and the digital economy it underpins. The low-intensity cyber war is already ongoing as our adversaries risk very little in these attacks and stand to gain much.

Into this attack environment has come a software-based network built on a distributed architecture. With its software operations per se vulnerable, and a distributed topology that precludes the kind of centralized chokepoint afforded by earlier networks, 5G networks will be an invitation to attacks. Given that the cyber threat to the nation comes through commercial networks, devices, and applications, our 5G cyber focus must begin with the responsibilities of those companies involved in the new network, its devices, and applications. The cyber duty of care for those involved in 5G services is the beginning of such proactive responsibility.

“Yes, the “race” to 5G is on—but it is a race to secure our nation, our economy, and our citizens.”

At the same time, the federal government has its own responsibility to create incentives for 5G companies to focus on the cyber vulnerabilities they create. This is especially the case when there may be a corporate or marketplace lack of motivation to prioritize a maximum cyber effort. As outlined in this paper, this will necessitate replacing the rigid industrial-era relationship between government and business with more innovative and agile means of dealing with the shared problem.

Yes, the “race” to 5G is on—but it is a race to secure our nation, our economy, and our citizens.

The moment is now for a bipartisan call to action to not just address the current 5G exposures, but also to address the structural shortfalls that have allowed the cyber readiness gap to continue to grow. What got us here won’t get us to a secure 5G-enabled future.

Tom Wheeler was the 31^st chair of the FCC from 2013 to 2017. Currently, he is a visiting fellow at the Brookings Institution. Rear Admiral David Simpson, USN (Ret.), was chief of the FCC’s Public Safety and Homeland Security Bureau during the same period. Currently, he is a professor at Virginia Tech’s Pamplin College of Business.

Report Produced by Center for Technology Innovation

To read original report, click here

FOOTNOTES

1Captain Wayne P. Hughes, Jr., USN (Ret.), Fleet Tactics and Coastal Combat, 2^nd ed., U.S. Naval Institute Press, 2000, pp.40-44
2Gordon, L.A., Loeb, M.P., Lucyshyn, W. and Zhou, L. (2015). Externalities and the Magnitude of Cyber Security Underinvestment by Private Sec tor Firms: A Modification of the Gordon-Loeb Model. Journal of Information Security, 6, 24-30. http://dx.doi.org/10.4236/jis.2015.61003
3While the authors do not want to understate the shortfalls associated with the NIMS self-assessment model and lack of federal engagement at the regional level to assess actual NIMS implementation, we do want to note that a decade in, NIMS has succeeded in establishing a common language and investment framework for long-term steady improvements to resiliency in over 10,000 jurisdictions across the country.

The post Why 5G Requires New Approaches to Cybersecurity appeared first on WITA.

Innovation and National Security: Keeping Our Edge

Juliette Holthaus — Sun, 01 Sep 2019 19:56:54 +0000

Executive Summary

The United States leads the world in innovation, research, and technology development. Since World War II, the new markets, industries, companies, and military capabilities that emerged from the country’s science and technology commitment have combined to make the United States the most secure and economically prosperous nation on earth. This seventy-year strength arose from the expansion of economic opportunities at home through substantial investments in education and infrastructure, unmatched innovation and talent ecosystems, and the opportunities and competition created by the opening of new markets and the global expansion of trade. It was also forged in the fire of threat: It was formed and tested in military conflicts from the Cold War to the war in Afghanistan, in technological leadership lost and regained during competition with Japan in the 1980s, and in the internal cultural conflicts over the role of scientists in aiding the Pentagon during the Vietnam War. Confronted with a threat to national security or economic competitiveness, the United States responded. So must it once again.

This time there is no Sputnik satellite circling the earth to catalyze a response, but the United States faces a convergence of forces that equally threaten its economic and national security. First, the pace of innovation globally has accelerated, and it is more disruptive and transformative to industries, economies, and societies. Second, many advanced technologies necessary for national security are developed in the private sector by firms that design and build them via complex supply chains that span the globe; these technologies are then deployed in global markets. The capacities and vulnerabilities of the manufacturing base are far more complex than in previous eras, and the ability of the U.S. Department of Defense (DOD) to control manufacturing-base activity using traditional policy means has been greatly reduced.

Third, China, now the world’s second-largest economy, is both a U.S. economic partner and a strategic competitor, and it constitutes a different type of challenger.1 Tightly interconnected with the United States, China is launching government-led investments, increasing its numbers of science and engineering graduates, and mobilizing large pools of data and global technology companies in pursuit of ambitious economic and strategic goals. The United States has had a time-tested playbook for technological competition. It invests in basic research and development (R&D), making discoveries that radically change understanding of existing scientific concepts and serve as springs for later-stage development activities in private industry and government. It trains and nurtures science, technology, engineering, and mathematics (STEM) talent at home, and it attracts and retains the world’s best students and practitioners. It wins new markets abroad and links emerging technology ecosystems to domestic innovations through trade relationships and alliances. And it converts new technological advances into military capabilities faster than its potential adversaries. Erosion in the country’s leadership in any of these steps that drive and diffuse technological advances would warrant a powerful reply.

However, the United States faces a critical inflection point in all of them. There is a great deal of talk among policymakers, especially in the Defense Department, about the importance of innovation, but the rhetoric does not translate fast enough into changes that matter. The Task Force believes that the government and the private sector must undertake a comprehensive and urgent response to this challenge over the next five years. Failure to do so will mean a future in which other countries reap the lion’s share of the benefits of technological development, rivals strengthen their militaries and threaten U.S. security interests, and new innovation centers replace the United States as the source of original ideas and inspiration for the world.

The major findings of the Task Force are:

Countries that can harness the current wave of innovation, mitigate its potential disruptions, and capitalize on its transformative power will gain economic and military advantages over potential rivals.
The United States has led the world in innovation, research, and technology development since World War II, but that leadership is now at risk.
U.S. leadership in science and technology is at risk because of a decades long stagnation in federal support and funding for research and development. Private-sector investment has risen, but it is not a substitute for federally funded R&D directed at national economic, strategic, and social concerns.
Friends, allies, and collaborators tightly link technology ecosystems and create scale in a globalized system of innovation, and thus are a competitive advantage. Washington’s current trade policies needlessly alienate partners, raise costs for American tech firms, and impede the adoption of U.S. technology in foreign markets.
A central strength of the U.S. innovation environment has been a steady pipeline of domestic STEM talent and the country’s ability to attract the best and brightest students, engineers, and scientists from around the world. A lack of strong education initiatives at home and new barriers to talented foreign students’ and workers’ coming to and remaining in the United States will have long-term negative economic and national security consequences.
The Defense Department and the intelligence community will fall behind potential adversaries if they do not rapidly access and deploy technologies developed in the private sector.
The defense community faces severe challenges in attracting and retaining tech talent.
The defense community faces deteriorating manufacturing capabilities, insecure supply chains, and dependence on competitor nations for hardware.
A persistent cultural divide between the technology and policymaking communities threatens national security by making it more difficult for the Defense Department and intelligence community to acquire and adopt advanced technologies from the private sector and to draw on technical talent.
China is investing significant resources in developing new technologies, and after 2030 it will likely be the world’s largest spender on research and development. Although Beijing’s efforts to become a scientific power could help drive global growth and prosperity, and both the United States and China have benefited from bilateral investment and trade, Chinese theft of intellectual property (IP) and its market manipulating industrial policies threaten U.S. economic competitiveness and national security.
China is closing the technological gap with the United States, and though it may not match U.S. capabilities across the board, it will soon be one of the leading powers in technologies such as artificial intelligence (AI), robotics, energy storage, fifth-generation cellular networks (5G), quantum information systems, and possibly biotechnology.
Although the Donald J. Trump administration has boosted the budgets of several technology-related organizations within the DOD and issued a number of executive orders, its efforts to accelerate innovation in critical frontier technologies such as AI are too incremental and narrow in scale.
The United States is ahead of the rest of world in AI, but others are closing the gap—and U.S. failure to compete for global talent could result in the loss of its lead.
In the race for the next generation of communications technologies, the Trump administration has developed only a few parts of what should be a multifaceted strategy. It has failed to coordinate a response to Huawei’s global expansion, muddied its message about the company’s economic and national security risks, and not sufficiently accelerated domestic efforts to deploy 5G.
Beijing has often exploited the openness of the American system. Efforts to protect U.S. intellectual property are a necessary complement to, but not a substitute for, innovating faster than China. The administration is over-weaponizing trade and investment policy, with costs to U.S. innovation.

The United States needs a national security innovation strategy that ensures it is the predominant power in a range of emerging and foundational technologies over the next two decades. This Task Force report offers policy recommendations for the federal government, industry, and academia. Progress on this issue will require contributions and creativity from all three sectors if the United States is to maintain its ability to lead the world in the scientific and technological innovations necessary to its security and economic vitality. Some of the recommendations can be implemented in the short term; others will require more systemic change.

A new U.S. innovation strategy should be based on four pillars: funding, talent, technology adoption, and technology alliances and ecosystems. Action is required over the next five years.

The major recommendations of the Task Force are:

Restore Federal Funding for Research and Development

The White House and Congress should restore federal funding for research and development to its historical average. This would mean increasing funding from 0.7 percent to 1.1 percent of gross domestic product (GDP) annually, or from $146 billion to about $230 billion (in 2018 dollars). Only the government can make the type of investments in basic science that ignite discoveries; such investments are too big and risky for any single private enterprise to undertake.
Federal and state governments should make an additional strategic investment in universities. The investment, of up to $20 billion a year for five years, should support cross-disciplinary work in areas of pressing economic and national security interest.
The White House should announce moonshot approaches to society wide national security problems. This would support innovation in foundational and general-purpose technologies, including AI and data science, advanced battery storage, advanced semiconductors, genomics and synthetic biology, 5G, quantum information systems, and robotics.
The White House, Congress, and academia should develop a twenty first-century National Defense Education Act (NDEA), with the goal of expanding the pipeline of talent in science, technology, engineering, and mathematics. A twenty-first-century NDEA would support up to twenty-five thousand competitive STEM undergraduate scholarships and five thousand graduate fellowships.
Universities, federal and state government, and business should address the underrepresentation of minorities and women in STEM fields through mentoring, training, research experience, and academic and career advising. They should also provide financial support for room and board, tuition and fees, and books, as well as assessments of job placement opportunities in STEM fields, highlighting employers with clear track records of fairness in hiring, promotion, and pay.
Federal agencies, the private sector, and universities should work together to support debt forgiveness for students going into specialized technology sectors. The United States needs to make it easier for foreign graduates of U.S. universities in scientific and technical fields to remain and work in the country. Congress should “staple a green card to an advanced diploma,” granting lawful permanent residence to those who earn a STEM master’s degree or doctorate. Congress should also pass the Development, Relief, and Education for Alien Minors (DREAM) Act.
Congress should pass legislation that permits immigrants to live and work in the United States if they can raise funds to start new companies.
The federal government should make targeted—rather than sweeping —efforts to prevent the theft of scientific knowledge from American universities.

Support Technology Adoption in the Defense Sector

Federal agencies and each of the military services should dedicate between 0.5 and 1 percent of their budgets to the rapid integration of technology. The heads of each agency should also hire a domain specialist deputy for fast-track technologies (for example, data sciences, robotics, and genomics) from outside the government for a two- to four-year assignment.
Congress should establish a new service academy, the U.S. Digital Service Academy, and a Reserve Officer Training Corps for advanced technologies (ROTC-T) to foster the next generation of tech talent.
Lifelong career paths should be complemented with more short-term, flexible options. The White House and Congress should bring people from the technology industry into all three branches of the government for temporary rotations. They should also develop new fellowships to encourage the circulation of technologists, military officers, and federal officials between the technology sector and the Defense Department.

Bolster and Scale Technology Alliances and Ecosystems

The State and Treasury Departments should create a technology alliance to develop common policies for the use and control of emerging technologies.
The Department of Commerce should work with major trading partners to promote the secure and free flow of data and the development of common technology standards.
The Department of Commerce and the U.S. International Development Finance Corporation should encourage American start-ups in AI and data science, genomics and synthetic biology, quantum information systems, and other frontier technologies to invest in, export to, and form R&D partnerships with firms in emerging technology ecosystems. The goal would be fostering early adopters, developers, and customers who will build on U.S. technologies.
The Department of Energy (DOE), Department of State, National Institutes of Health (NIH), National Science Foundation (NSF), Office of Science and Technology Policy (OSTP), and other relevant agencies should develop a network of international cooperative science and technology partnerships, open to governments and the private sector, to apply frontier technologies to shared global challenges, such as climate change. Federal agencies should not only fund efforts that will include cooperation with other nations’ science organizations but should also provide R&D and tax incentives for tech firms to form international collaborative partnerships.
During the early years of the Cold War, confronted by serious technological and military competition from the Soviet Union, the United States invested heavily in its scientific base. Those investments ensured U.S. technological leadership for fifty years. Faced with the rise of China and a new wave of disruptive technological innovation, the country needs a similar vision and an agenda for realizing it. The United States must once again make technological preeminence a national goal.

TFR_Innovation_Strategy

To read original report, click here

The post Innovation and National Security: Keeping Our Edge appeared first on WITA.

From the iPhone to Huawei: The new geopolitics of technology

Madelyn Cunningham — Wed, 31 Jul 2019 15:05:52 +0000

In meetings in various international capitals this summer—from a gathering of defense ministers in Singapore to a meeting of economic policy heavyweights and CEOs in Paris—discussions frequently revolved around the impact of technology. Of course, technological developments have long had implications for the global economy and international security, whether the advent of gunpowder or the railways, or the mastery of radio or nuclear fission.

But with the “return of history” we may also be witnessing a return—after an anomalous period of positive-sum progress—of the geopolitics of technology. The scale and speed of this technological change makes it difficult to completely internalize the opportunities and challenges that lie ahead for the world’s major powers.

Essentially, different approaches to technological development, and specifically the use of data, threaten to divide the world and shape the contours of geopolitical competition, contributing further to the securitization of technological competition. Instead of a “clash of civilizations,” we could be in for a “clash of automations.”

The iPhone Era

The past two to three decades may well have been an aberration. They were marked by an acceleration of globalization: the faster, cheaper, and more efficient flow of goods, people, capital, information, and energy. This period witnessed rapid advances in broadband and satellite telecommunications, accelerated microprocessor speeds, more efficient energy use, the evolution of global financial markets, and the dispersal of manufacturing supply chains. The apotheosis of this world was the iPhone.

But there was an inherent compromise at the heart of the iPhone era of globalization. The United States and other advanced economies remained world leaders in innovation, deriving benefits from the resulting intellectual property and their marketing power. Meanwhile, actual manufacturing of these products shifted to lower income countries, notably China, and also parts of East and Southeast Asia. Lower cost services—software development, research, and back-end work—were outsourced to places like India. The global economy grew and everyone benefited, even if some—such as China, the United States, and India—benefited more than others.

The Next Wave of Technologies

But the new era of technologies, many of which are already emerging, may not simply build upon these developments—rather, in counterintuitive ways they may in fact undermine the globalizing effects of earlier breakthroughs. To date, many new developments are simply buzzwords to most consumers, so it is important to break down what the new set of technological developments will encompass. They can be grouped into six broad areas. The combinations of these technologies may well form the basis of what some have described as the Fourth Industrial Revolution.

Computing and storage, both of which will increasingly migrate to remote servers (the “cloud”), bringing down the cost and increase the scale of data storage. This could have potential implications for security and communications, especially features such as distributed record-keeping (blockchain) and new developments in data storage.
Telecommunications, specifically the developments of a fifth generation (5G) of infrastructure, which may operate up to 20 times faster than existing systems, with low latency (delay in data communication). This will enable a vast array of applications, including driverless cars and machine-to-machine communications.
Artificial intelligence, specifically machine learning, which involves fast and accurate pattern recognition by feeding vast troves of data to computers in order to “teach” them. This can then be applied to language, visual imagery, and other domains to resemble a form of intelligence.
Automation, including the online integration of physical objects: cyber physical systems (CPS) or the “internet of things” (IoT). Think health monitors, remotely-managed factory robots, or internet-enabled security systems.
Manufacturing, including in materials, optics, sensors, and additive manufacturing (“3D printing”).
Energy, particularly renewable and mobile energy sources and smarter management systems.

When combined, these changes are already beginning to affect every aspect of globalization. The emerging sectors in which this will be felt directly by consumers include social media for information, financial technologies (“fintech” e.g. digital payments) for capital flows, e-commerce (both wholesale and retail) for goods trade, e-services (including peer-to-peer businesses, automation, and digital identification) affecting mobility and social services, and changes to the sourcing and management of energy.

Most “unicorns”—start-ups valued at over $1 billion—would fall in one or more of these domains. Consider QQ, Stripe, Rakuten, Oyo, or Tesla. Today’s tech giants are already investing heavily in future technologies from which start-ups are benefiting: Google in machine learning, Samsung in 5G, Amazon and Alibaba in automation, and so forth.

The Re-Securitization of Technology

The geopolitics of these emerging technological developments are already being felt. China continues to project the benefits of its model. Beijing is no longer content to restrict it to its own territory: For the continuing success of a firm like Huawei, it will have to be able to compete in the global marketplace.

To view the full blog, click here.

The post From the iPhone to Huawei: The new geopolitics of technology appeared first on WITA.