Working Together to Ensure E2E Cyber Security
New technologies such as cloud computing, artificial intelligence (AI), and the Internet of Things (IoT) will provide new opportunities for society. However, these technologies also present new security challenges. Governments around the world are reviewing the challenges surrounding next-generation mobile communications technology, and we believe governments should view these challenges from a technological perspective. As a world-leading information and communications technology (ICT) infrastructure provider, we believe that future cyber security regulations must encourage collaboration from both industries and governments.
Networks are connected by devices from different vendors, and services are provided by different operators. Without any industry-wide security standards, cyber security challenges may become more frequent. To eliminate the impact of cyber security challenges, governments, enterprises, and industry organizations need to collaborate to ensure end-to-end (E2E) cyber security.
Firstly, we need agreed-upon standards. Governments, enterprises, and industry organizations need to decide upon security standards for all network devices and services. If any network device or service fails to meet these security standards, the entire network’s security can be compromised. 3GPP has been recognized as an international standards organization in the mobile communications field. The members of 3GPP, including Huawei and Ericsson, work together to develop security standards and promote the security of communications networks. Compared with 4G, 5G has stronger encryption algorithms and more flexible authentication mechanisms. New security standards are also being discussed to protect product deployment security and the security of new services.
Secondly, we need unified security certification standards. Governments and enterprises need to collaborate and develop security certification standards, such as the standards set by Common Criteria (CC), which has become the most recognized and trusted IT product security certification in the world. It is the responsibility of operators and vertical industries to determine the required security certification levels, using previously successful security standards as well as an understanding of each industry’s individual characteristics. It is also their role to ensure that all devices and services meet their expected security certification levels. We must think about how to apply and upgrade the current security certification standards, processes, and methods with the stakeholders concerned, and how to build standards, processes, and methods that can be recognized by both governments and customers. Having all stakeholders collaborate in this discussion will ensure that successful, industry-wide standards are implemented. For example, Korea’s LG U+ requires all 5G devices to be CC EAL 4 certified.
Thirdly, secure manufacturing processes and services are needed. Equipment suppliers, as well as service providers, must improve their cyber security capabilities to ensure that their products comply with security standards and meet their customers’ security certification level. Vendors such as Huawei and Ericsson have designed the security of LTE and 5G equipment and services using recognized security standards, such as 3GPP and CC.
Lastly, third-party security certification mechanisms need to be established to ensure there are minimal cyber security certification issues. Unified third-party security certification mechanisms that involve multiple stakeholders, including governments, equipment vendors, operators, and certification organizations, must be established, and all equipment vendors must earn certification. The entire industry should trust these third-party certification organizations, and their independent equipment certifications should be impartial. If there are current scenarios that are not covered by current certification standards, these would need to be changed to satisfy new certification standards. 3GPP is developing the Network Equipment Security Assurance Scheme (NESAS), and the Global System for Mobile Communications Association (GSMA) will review this third-party certification lab’s qualifications, meaning that this third-party certification lab will soon be able to certify NE security.
Cyber security cannot be achieved by unrecognized organizations, and risks cannot be eliminated through isolation. The only way to ensure E2E cyber security is to pool our resources and work together to develop high-quality cyber security services.