Amidst concerns about the security of existing mobile networks and the coming of 5G, cooperation among industry, advocates, NGOs, standards bodies, and regulatory agencies will be key.
So, what should the role of government be and what should we expect of vendors? In the spirit of both partnership and security, government should collaborate with telecom operators, equipment vendors, and experts to focus on mitigating the danger any software can pose rather than banning software and hardware from China or anywhere else. Senior Trump administration officials emphasize that a whole-of-government and international approach is necessary to ensure cybersecurity of next-generation 5G networks and the effort should be “country and company agnostic,” while DHS and industry partners are working on risk management for 5G.
It’s important to know that the 5G security architecture, which is the same as the 4G security architecture, consists of the transport stratum, serving stratum, home stratum, and application stratum, which are securely isolated from each other. As the CTO of Orange recently said, “security assurance is a shared responsibility among the key stakeholders”. In terms of cybersecurity risks, regulators need to monitor all four strata, service providers need to monitor the application stratum, operators need to monitor the transport, serving, and home strata, and equipment vendors need to focus on the underlying network equipment. All industries will necessarily work together to tackle the security challenges brought by services, architectures, and technologies under the standard architecture.
Even more importantly, 5G will bring not only dramatic shifts in network capabilities but also substantial security enhancements. This next-generation network supports more security features to tackle potential security challenges in the future 5G lifecycle. 5G and 4G networks share the same security mechanisms and work consistently, in standards and in practice, to keep improving network security levels. In addition to user data encryption on 2G, 3G, and 4G networks, 5G standards provide user data integrity protection to prevent user data from being tampered with.
User privacy protection will be enhanced over past and current standards. In 2G, 3G, and 4G networks, users' permanent IDs (international mobile subscriber identities, or IMSIs) are transmitted in plain text over the air interface. Attackers can exploit this vulnerability using IMSI catcher attacks to track users. In 5G networks, users' permanent IDs (in this case, SUPIs) are transmitted in ciphertext to defend against such attacks.
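The difference between a plaintext permanent ID and a concealed one can be audited wherever subscriber identities are logged. The following is an added example, not part of the original article: it classifies identities as exposed or concealed, and it also covers a case the article does not mention, the null-scheme defined in 3GPP TS 33.501, under which the concealed form (the SUCI) carries the identity unencrypted. The textual `suci-...` layout follows the 3GPP service-based interface format, and all sample identities are constructed test values.

```python
import re
from collections import Counter

# Protection scheme identifiers defined in 3GPP TS 33.501 Annex C.
SCHEMES = {0x0: "null-scheme", 0x1: "ECIES Profile A", 0x2: "ECIES Profile B"}

# IMSI-based SUCI, textual form: suci-0-MCC-MNC-routing-scheme-keyid-output
SUCI_RE = re.compile(
    r"^suci-0-(?P<mcc>\d{3})-(?P<mnc>\d{2,3})-(?P<routing>\d{1,4})-"
    r"(?P<scheme>[0-9a-fA-F])-(?P<key_id>\d{1,3})-(?P<output>[0-9a-fA-F]+)$"
)
IMSI_RE = re.compile(r"^(?:imsi-)?\d{5,15}$")  # bare permanent identity

# Constructed sample identities (test PLMN 001/01); the hex strings are
# placeholders, not real ciphertext.
SAMPLE_IDENTITIES = [
    "imsi-001010000000001",
    "suci-0-001-01-0000-0-0-0000000001",
    "suci-0-001-01-0000-1-27-9f3c5a1e7b2d4c6f8091a2b3c4d5e6f7",
    "suci-0-001-01-0000-2-3-04aa55bb66cc77dd88ee99ff00112233",
    "suci-0-001-01-0000-c-1-abcdef",
]


def classify(identity):
    """Return (status, detail) for one logged subscriber identity."""
    identity = identity.strip()
    if IMSI_RE.match(identity):
        return "EXPOSED", "permanent IMSI in the clear"
    m = SUCI_RE.match(identity)
    if not m:
        return "REVIEW", "not an IMSI or an IMSI-based SUCI"
    scheme = int(m["scheme"], 16)
    if scheme == 0x0:
        return "EXPOSED", "null-scheme SUCI, MSIN carried unencrypted"
    if scheme in SCHEMES:
        return "CONCEALED", f"{SCHEMES[scheme]}, home network key id {m['key_id']}"
    return "REVIEW", f"reserved or proprietary scheme 0x{scheme:X}"


def audit(identities):
    """Count how many identities fall into each status."""
    return dict(Counter(classify(i)[0] for i in identities))


if __name__ == "__main__":
    for ident in SAMPLE_IDENTITIES:
        print(ident, "->", *classify(ident))
    print(audit(SAMPLE_IDENTITIES))
```
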
In addition, 5G will offer better roaming security. Operators usually need to set up connections via third-party operators. Currently, attackers can forge legitimate core network nodes to initiate Signaling System 7 and other attacks by manipulating third-party operators' devices. 5G Service-Based Architecture (SBA) defines Security Edge Protection Proxy (SEPP) to implement E2E security protection for inter-operator signaling at the transport and application strata. This prevents third-party operators' devices from tampering with sensitive data (e.g., key, user ID, and SMS) exchanged between core networks.
Enhanced cryptographic algorithms are also being developed. 5G R15 standards currently define security mechanisms such as 256-bit key transmission. Future 5G standards will support 256-bit cryptographic algorithms to ensure that such algorithms used on 5G networks are sufficiently resistant to attacks by quantum computers.
The Network Equipment Security Assurance Scheme (NESAS) has been created by industry groups representing hundreds of mobile network operators worldwide for security evaluation of mobile network equipment. Developed according to security standard guidelines pertaining to vendors' product development and lifecycle processes, the scheme provides a security baseline to evidence that network equipment satisfies a series of security requirements.
Questions about the security of network equipment fall to vendors, each and all tasked with developing secure and security-enabling products. But it is operators who control networks and access to the data. It’s been well recognized that the primary risk of network and data security is assumed by operators (who therefore necessarily take great care in choosing vendors they can trust). It’s important to note that vendors do not have uncontrolled access to these networks or the data contained in them. Even if asked by some government authority, such a vendor (like Huawei, the subject of so much recent mistrust and suspicion) could not comply with requests for inappropriate data collection and transmittal, or other malicious behavior regarding data. This is partly due to strictly controlled network access, whereby operators need to give permission before vendors can access anything. In addition, even if there were not laws and regulations in most countries where Huawei operates (which there are), the company itself follows strict guiding principles of privacy and security.
At this time, it’s essential that all stakeholders understand just how much vendors, Huawei in particular, have invested in security throughout product development, adhering to the principle of security by design and security in process. At Huawei, cyber security activities built into the process are performed in strict compliance throughout the entire product lifecycle, so that security requirements can be implemented in each phase.
Huawei is committed to not only building confidentiality, integrity, availability, traceability and user privacy protection into 5G equipment based on security standards, but also collaborating with operators to build high cyber resilience in networks.
Looking to the future, as cloud, digitization, and software-defined everything become more prevalent and networks become more open, Huawei R&D has initiated the transformation for enhancing software engineering capabilities to continuously build trustworthy, high-quality products and solutions. Huawei's Global Cyber Security and Privacy Protection Committee (GSPC) is chaired by its Rotating Chairman, part of the company's comprehensive governance system. Security management has been embedded into all processes for its products and services based on ISO 28000 in the supply domain and ISO 20000 in the service domain. 98 percent of raw materials are traceable; software tracing can be completed in less than one hour.
In a massive effort to build trustworthy products and solutions with network resilience, Huawei is investing $2 billion for R&D transformation over the next 5 years to enhance the reliability of development processes and results. The company’s open and transparent cooperation has been integral to its long-term and effective security-based partnerships with several countries such as the UK, Canada, Germany, and France. Huawei is working successfully with the European Cyber Security Center in Brussels to provide security verification services. The company is actively participating in the formulation of security standards by international standards organizations such as ITU-T, 3GPP, and IETF, and it strives to promote global unified security evaluation standards and certification. Over 3,000 Huawei suppliers have signed cyber security agreements and 580+ have signed privacy protection agreements.
Amidst unsupported speculation and rumor, all players need to agree on a unified security assurance framework comprising agreed-upon standards, conformance programs, and best practices. Network security needs to continuously evolve in order to address new potential security risks coming from the open Internet and the development of new services; that is exactly what the members of the GSMA and 3GPP standards efforts are continuously working on. In-house or third-party security audits, or both, should be encouraged as a best practice for empowering mobile networks (not limited to 5G only). Operators need to be alert and always one step ahead of possible security threats.
Governments play a major role in providing incentives to deliver a positive economic output for their respective countries, in terms of both leveraging innovations and guaranteeing that regulations are available for defining key aspects such as the security agenda, security assurance mechanism, certification program, and policies. The time is now for government regulators to work closely with all relevant industries and partners, delivering a consistent set of regulations to address 5G security, while allowing operators to take responsibility for the overall implementation. It is also important to obtain the support of all network equipment suppliers, including Huawei.