The security implications of 5G have been big news in Australia recently, but the news coverage has unfortunately contained little practical advice for CSOs. It has focused instead on the ongoing Huawei scandal and the national security implications of allowing Chinese tech companies to be involved with the 5G roll-out.
Whilst these are certainly important issues, the Huawei story has obscured deeper problems with the 5G network. As previously reported, 5G security is a mess, even if foreign state surveillance is excluded. The new network is changing the threat model in several key ways, and the Australian government hasn’t yet defined an approach for dealing with this.
The security concerns of 5G implementation
The threats that 5G presents are now well-understood by the majority of CSOs, but it’s worth summarizing them in order to define a way to mitigate them.
First, and most prominently, there are concerns over the privacy of the 5G network, especially given the involvement of Chinese firms (and therefore the Chinese government) in building this network in Australia. These concerns have been heightened by the fact that all three telcos that are currently offering or planning to offer 5G in Australia — Telstra, Optus, and Vodafone — had had plans to use Huawei hardware, which were later rescinded.
Secondly, there are concerns that the speed of the 5G network — the very feature that makes it attractive to businesses and consumers alike — could lead to new forms of cyber attack being deployed against businesses. With faster network speeds, exotic forms of attack like fileless malware could become the new standard, leading some to worry that .
Finally, the adoption of 5G connectivity — as with any form of new mobile technology — presents a particular problem for CSOs. This is because most mobile connectivity is still reliant on a BYOD (bring your own device) model, in which employees choose their mobile carrier themselves.
The security of the network will ultimately depend on the security measures employed by telcos in Australia, and this in turn will depend on the standards that the Australian government decides to impose.
First, the bad news. There are two industry standards for 5G security: 3GPP and NIST. Unfortunately, and as a report from last year makes clear, the Australian government hasn’t decided which one to use.
This has meant that Australian telcos have made their own decisions about which standard to use — and they haven’t made this information public. As a result, CSOs looking to upgrade their business phones to 5G now are in an unenviable position: having to choose between the security offered by telcos, without any information about what that security is.
Now the good news. To give credit where credit is due, part of the reason for the Australian government’s tardiness when it comes to defining the security protocols that should be deployed on the 5G network is that this decision might not be as relevant as it seems.
Officials have argued that new 5G devices no longer make the distinction between virtualization and shared software, and this makes network-level security less relevant for a national security assessment, because “connected devices — from industrial equipment to a smartphone — will be connected to each other like a web, rather than just the network in a hub-and-spoke fashion”.
The tech firms behind the network agree. 5G, they say, is designed so that sensitive functions currently performed in the physically and logically separated core will gradually move closer to the edge of the network. This is, in fact, one of the major lessons to be drawn from recent data breaches: that threat intelligence now relies more on perimeter detection and mitigation than the encryption protocols used at a hardware level.
What CSOs can do about 5G security
For CSOs, applying this insight entails one thing: moving to VoIP and as part of that bringing phone systems in-house. This means that virtual private networks can be used to protect the edge of telecommunications networks, through VPN protocols such as PPTP, SSTP, and LT2P/IPSec. Subsequently, businesses will finally have control over the devices that their employees use.
This might sound like a huge step, but in reality plenty of collaboration apps already offer fully functional phone systems. The key, going forward, will be to use these systems to limit and control incoming voice and data from 5G networks.
In other words, the simple way to overcome some of the security issues raised by the 5G network is to not use “raw” 5G voice and data in your corporate communications. Treat 5G like a dumb, insecure pipe and ensure all communications goes through secure tunnels and protocols.
That might sound like a radical step, but in reality this is merely an extension of how Australian firms are pivoting to address cyber security threats more generally. The rise of IoT networks has made many firms re-assess the way that they secure their internal networks, and it has precipitated a shift away from device-level authentication and toward edge- and perimeter-scanning technologies.
Of course, it will still be difficult to ensure that your staff don’t use their 5G-enabled phones to undermine the security of your corporate networks. But as a CSO, that’s a problem you’ve likely faced for decades. The key, as ever, is to ensure that employees do not use their personal devices for business functions, and to ensure that everyone understands the cyber security risks of doing so.