Analysis | 5G Networks: A Necessary Risk to Information Security
Madrid — Over the last fifteen years, countless televised news segments, articles, and opinion pieces about the advent of network technologies and the politics surrounding their development and installation have been painted across the media landscape. The latest advancement to be placed in the spotlight is 5G. The advantages of upgrading to 5G include faster connection, greater bandwidth, and eventually, the widespread integration of the internet of things (IoT). Nevertheless, several countries and multinational companies have postponed or stalled the integration or implementation of this technology due to concerns over cybersecurity, industrial espionage, and internet transparency.
What is 5G technology?
Fifth Generation Wireless (5G) is the latest advancement in cellular technology that increases the speed of wireless connections and the capacity of networks. With 5G, data transmission capacity is expected to grow 50-fold and latency to decrease 10 to 20 times in comparison to current 4G networks. This means that loading and streaming from the internet or the cloud will be almost instantaneous. Interference will be reduced by adding ports that drive the signal broadcasted by the main antennas. This technology, called “massive MIMO”-Multiple Input Multiple Output-, has the capacity to immensely improve internet connectivity in highly populous digitally-connected areas.
5G technology will also allow companies to “slice the network” and sort the signals bandwidth for different uses — such as autonomous vehicles — that require immediate and continuous connection; IoT devices, whose needs are focused on increase the volume of information and data safety; and business networks which require their own secure connections.
The Risks of 5G
Nevertheless, 5G technology does present significant risks to cybersecurity. Universities in Europe (1,2) and the United States (3) have revealed flaws in the system’s security protocols related to encryption and authentication.
According to a paper authored by researchers at the Technical University of Berlin, Germany (TUB), The Foundation for Industrial and Technical Research, Norway (SINTEF), and The National Research Institute of Numerical Sciences, France (INRIA) (), one of the major flaws in 5G security allows home-made IMSI-catcher to intercept mobile phone and data signals while posing as a “fake mobile tower”.
The paper asserts that similar flaw exists in the 4G network — “location attack(s)” — although thy have been able to gather a new kind of data — “subscriber activity monitoring.” The difference is that creating a sort of “fake base station,” 5G-devices continue to send information even when they are “out of range” of IMSI-catchers. The risk to public information security is significantly compounded when considering that IMSI-Catcher can easily be created from cheaply manufactured materials, assembled at home, and are readily accessible.
The Role of Companies in “5G Warfare”
A point that should be taken in consideration is the role of manufacturers of 5G technology, which are principally in charge of the development of 5G devices and enabling the flow of information across networks and devices. The principle corporate 5G players: Apple and Google in the U.S., Nokia and Ericson in the EU, Huawei in China, and Samsung in South Korea. Among them, Huawei has received the greatest international scrutiny and criticism, principally due to its ties to the Chinese government and the ability of the Chinese Communist Party to access its systems and data per Chinese law and development of population’s control tools such as face recognition systems or social credit.
International concern over Huawei rose to public discourse following the discovery of the background of its founder, Reng Zhenfei, as a former People’s Liberation Army Officer. Criticism continued to mount following the arrest of his daughter, Meng Whanzhou, on December 1st in Canada for violating U.S. secondary sanctions against Iran and the subsequent arrest of the Local Sales Director in Poland, for “conducting high level espionage on behalf of China”.
According to Bloomberg’s investigation published in April, Vodafone’s security Briefing documents of 2009 and 2011 revealed security flaws in domestic routers made by Huawei. This vulnerability consisted in bugs that could have given access to the fixed line network in Italy, UK, Germany and Spain. Huawei assured in 2011 that they had removed the backdoors once they were listed. Nevertheless, the flaws remained two months later and new ones in its optical service nodes, this part of the fixed access network is responsible for transporting internet traffic and Broadband Network Gateways In charge of user’s Authentication.
The investigation never revealed if there was in fact a data leak, if the recipient was Huawei or another institution, or if the recipient still retains backdoor access. In response to the investigation, Vodafone declared: "The issues in Italy identified in the Bloomberg story were all resolved and date back to 2011 and 2012” “Bloomberg is incorrect in saying that this 'could have given Huawei unauthorized access to the carrier's fixed-line network in Italy”.
As a result of these incidents and concern over information security risks to using 5G technology without the ability to verify cybersecurity measures that address them are increasing. The United States and Australia banned the use of ZTE and Huawei’s equipment in their 5G networks. British Telecomunications followed suit, replacing Huawei’s equipment from core parts of its 4G network with French Alcatel-Lucent and American Cisco components.
A number of other Western countries — notably Canada and the United Kingdom — are currently debating the banning of Chinese 5G network technology. However in Britain, the implications of banning Huawei are much broader than elsewhere. In the U.K. Huawei is the main technology provider for a number of phone networks — such as Three — as well as for the new emergency services network — an emergency communication system which covers all of the U.K.’s roads.
The European Union has also weighed in on the issue, stating that a cyber threat to any member state is a cyber threat to the European Union. Brussels argues that cybersecurity issues should be addressed at both the national and European level, but has yet to take specific measures which directly affect Huawei or other foreign 5G providers.
As a result of the waves of criticism over Huawei’s conduct and security vulnerabilities, the tide of concern about China’s access to and influence over the world’s data and internet access has grown stronger and wider.
For American policymakers and companies such as Amazon, the threat of Chinese cyberespionage is not a hypothetical. It was last year that China was accused of introducing during the manufacturing process, a microchip the size of a rice grain into the original design of Super Micro motherboards used by the Department of Defence’s Data Centres .The microchip was a work of a People’s Liberation Army specialized in hardware attacks and enabled the Chinese Army to spy on the servers of both the Department of Defense and the CIA’s drone operations.
Although Super Micro Computers Inc. is a San Jose-based company which provided server motherboards, fiberglass-mounted clusters of chips, and capacitors to companies like Apple or Amazon, much of the manufacturing and assembly process took place in China. After the scandal broke, corporate insiders claimed that Apple also found modified motherboards in its own servers, though the company denied it.
Information technology companies are an old target for foreign espionage. In 2002, Ericsson was also a victim of theft of information by employees who leaked trade secrets to a third country, Russia, though Russian involvement was never confirmed. Ericsson provides IT technology and develops radar and missile guiding systems for Sweden’s main warplane, which makes it a sensitive target for foreign espionage. Despite widespread concerns, in this case, military information wasn’t leaked.
In 2015 a former system software developer of IBM, Xiu Jiaquiang, was charged with “theft of trade secrets” for “stealing proprietary information from his former employer for his own profit and the benefit of the Chinese government,” according to General Carlin, the assistant attorney in the case.
The plethora of suspected and confirmed cases against Chinese actors seeking the theft of trade secrets and extralegal network access has created a pattern which has left many Western advisors and governments wary of both Huawei and of introducing 5G technology domestically.
Is Introducing 5G a Risk Worth Taking?
Despite the drawbacks and geopolitical implications, 5G technology clearly seems to be the next step in the advancement of technological, social, and economic development. The use of autonomous cars and other IoT devices require 5G, the most stable and faster signal to operate. Providing faster and broader data connection would also allow the transfer, analysis, and compilation of larger datasets and programs at greater speeds; The bandwidth relief on existing networks would also make internet use less expensive, faster, and more readily accessible in countries whose networks are particularly overloaded and for which a traditional Telecommunications Network is unaffordable.
Nonetheless, the risk to network security will increase as 5G is extended. With heavily increased flows of data traveling at faster speeds than previous networks, tracking hackers, malware, and spyware in the network will become ever more difficult to monitor and counteract. Compounding the threat, once a network is compromised the users will become more exposed than before.
The biggest weaknesses of 5G technology are the propensity for authentication flaws and the ease with which the network can be monitored clandestinely and without permission. There’s little in the way of a solution at present, apart from strengthening authentication processes, as researchers have pointed out . Additionally, 5G networks rely heavily on the performance of IT companies’ cybersecurity and cooperation with national governments. If a government were to co-opt a company’s access for the purpose of corporate espionage, cyberespionage, or even domestic cybersecurity, it could risk both the integrity and transparency of the network as well as users' confidence in its integrity.
China, and the network-oriented companies founded there, remain the principal actors of concern. China has the interest, opportunity, and capacity to spy through 5G technology. Additionally, attribution for cyberwarfare and cyberespionage activity is difficult to prove, making any substantive case against China or Chinese companies both difficult to prove and mitigate through legal means.
Although China is generally perceived to be the primary threat to cybersecurity, all users would become potentially exposed to the interests of corporate entities that gain the opportunity to monitor data through 5G networks. Intentional data leaks paid for by third countries or alteration of the outsourced components and manufacturing services are but three feasible threats.
To minimize these risks, IT manufacturers must remain cognizant that once their product manufacturing is outsourced — to foreign countries, in particular — they increase the risk of espionage and mechanical tampering. This implies both a risk to business from industrial espionage as well as to personal data security for hundreds of thousands of users.
The assembly and production of routers and motherboards are particularly vulnerable in this regard, as companies often seek to outsource the production of their components as much as possible to atomize the dependence control of the devices’ backdoors. There is little to prevent companies from doing so, nor can we eliminate backdoor access since they serve to allow service and security providers to monitor their proper functioning. The network’s integrity is then at risk when backdoors are not used for technical or security proposes, but to monitor or manipulate data and traffic. Their use as a security control also makes it difficult to determine what kind of information was obtained through them. Although backdoor access is not necessary a security flaw or evidence of data theft, they do present a potential risk to the network's security when third parties have access to their design.
While the technical challenges to cybersecurity from the use of 5G technology have no present solution, national governments can take measures to mitigate the risks they pose. By passing legislation to regulate and improve the security of their networks and user’s data, encouraging the domestic production of sensitive components, and facilitating the diversification of the industries that contribute to 5G technology, national governments can reduce the risk of cyberespionage for themselves and their citizens.
The ultimate aim of any government policy aimed at mitigating the risks to 5G application should be to encourage diversity in the IT market both in terms of companies and countries involved with the purpose of balancing the influence of any single country or company. Without an outsized influence on international 5G networks, both companies and countries in the international community could be incentivized to become watchmen of 5G networks’ integrity, security, and transparency.
All views expressed in this article are solely those of the author, and do not represent the views of The International Scholar or any other organization.