The race to secure 5G

Mar 26, 2021 | 4 mins
IoT Security, Networking, Security

The arrival of 5G technology introduces a new era of digital transformation. Security can't be an afterthought.

5G mobile wireless network
Credit: Thinkstock

Increased bandwidth and lower latency create the opportunity to develop ecosystems that can transform entire industries. The combination of IoT, 5G, cloud, data analytics, quantum computing, and AI paves the way for new and improved products and services in the energy, transportation, manufacturing, healthcare and logistics industries, to name a few.

5G also offers the foundation for a robust IoT ecosystem that will allow enterprises to harness data in unprecedented ways and enable governments to offer improved services to their constituents. By 2023, there will be more than one billion 5G connections, according to forecasts from International Data Corporation (IDC). Key drivers such as ever-increasing online content consumption, expanded reliance upon IoT devices, and the popularity of cloud gaming mean this rapid growth will continue for the foreseeable future.

But for 5G to be the success story that many envision, a variety of risks need to be addressed and mitigated.

New technologies, new risks, new requirements

CISOs will need to adopt a holistic, risk-based approach to 5G security and continuously monitor the maturity of their 5G security implementations. Whether serving telecom operators, digital service providers, IoT vendors or any part of an ecosystem that incorporates 5G technologies, CISOs should be aware of the risks and compliance needs, incorporate them in their risk register, and manage them.

Risk management should be embedded in any digital transformation project that involves 5G in order to tackle risks in a timely fashion and avoid hidden costs or, even worse, inefficient and irreversible decisions in sensitive areas, such as vendor selection and diversification or architectural design.

If security teams are able to properly manage the related risks, 5G’s impressive capabilities (including faster networks with higher capacity, support for static and mobile IoT devices, and drastically reduced network energy usage, as outlined in ISACA’s recent white paper on 5G security) can be realized.

Government response

In July 2019, the US Cybersecurity & Infrastructure Security Agency (CISA) produced an overview of risks introduced by 5G adoption. Among the key findings: “Use of 5G components manufactured by untrusted companies could expose U.S. entities to risks introduced by malicious software and hardware, counterfeit components, and component flaws caused by poor manufacturing processes and maintenance procedures. 5G hardware, software, and services provided by untrusted entities could increase the risk of compromise to the confidentiality, integrity, and availability of network assets. Even if U.S. networks are secure, U.S. data that travels overseas through untrusted telecommunication networks is potentially at risk of interception, manipulation, disruption, and destruction.” As mitigating measures against these risks, CISA proposed steps such as encouraging continued development of trusted 5G technologies, promoting transparent international standards, and limiting the adoption of 5G equipment with known or suspected vulnerabilities.

In January 2021, the White House released the implementation plan for its National Strategy to Secure 5G, in accordance with the Secure 5G and Beyond Act of 2020. The implementation plan describes four lines of effort: facilitating domestic 5G rollout, assessing risks to and identifying core security principles of 5G infrastructure, addressing risks to US economic and national security during development and deployment of 5G infrastructure worldwide, and promoting responsible global development and deployment of 5G. It follows a risk-based approach, assigning responsibilities for departments, agencies, and other federal entities and focusing on public-private and international cooperation, highlighting the need for standardization, education in cybersecurity, and research and development.

These efforts extend around the globe. In January 2021, the European Commission endorsed a toolbox of mitigating measures for addressing 5G infrastructure and supply chain cybersecurity risks. The toolbox focuses on 5G network configuration, access control, product quality, supplier diversification, state interference through the supply chain, controls against organized crime, critical infrastructure resilience, continuity in relation to electricity and other support systems, and IoT security. The mitigating measures are classified into strategic, technical, and other supporting actions and include audits on operators and the interdependencies between 5G networks and critical services, the risk profile of the supply chain, application security, virtual network security, patch management, incident response, and crisis management.

Encouragingly, the European Commission has signed joint declarations on 5G with Brazil, China, Japan and South Korea.

Further international cooperation along these lines, in addition to sharing good practices and making the needed investments in strengthening 5G infrastructure on a national level, will expedite governments’ ability to make 5G a positive transformational force.


Experienced leader and board member, international authority in cybersecurity, with a proven track record in developing and managing strategy, programs and initiatives. Innovative thinker, with several international patents to his name, proven successful communicator and consensus builder across borders and cultures.

Chris is Director and Past Chair of the Board of ISACA, an international not-for-profit association with more than 200 Chapters, serving more than 160,000 IT, Cybersecurity, Information Security, Audit, Risk and Compliance professionals in 180 countries. He has served ISACA as Chair of the Board for 2 consecutive terms (2015-2016 and 2016-2017) and as director of the BoD for 9 terms (2010-2014 and 2015-present).

Chris is also a Board Member at INTRALOT, a leading gaming solutions supplier and operator active in 42 regulated jurisdictions around the world. Prior to this role, he served as Group CEO, Group Chief Services and Delivery Officer, Group Director of Technology Operations and Group Director of Information Security.

He also served as a member of the Permanent Stakeholders Group (PSG) of the European Network and Information Security Agency (ENISA) from 2012 to 2015. Chris has been working in the area of information technology for 20 years. He holds 3 patents and 6 awards and has authored more than 150 publications.

He holds a degree in Electrical and Computer Engineering and a Ph.D. in Information Security.