The timeline of human history is marked by inflection points of major technological advancement. The plow, the printing press, the telegraph, the steam engine, electricity, the telephone, the internet: each of these breakthroughs precipitated tectonic shifts in how people lived and worked. Now, in the early part of the 21st century, we stand witness to the birth of a new industrial revolution built on 5th generation cellular technology – 5G network.
As the name implies, 5G network follows a developmental chain. First came 1G, the first generation of cellular communication that freed us to make voice calls without being tethered to a physical phone connection. Then 2G augmented this by adding data services like SMS and MMS. 3G gave us access to mobile internet, video calling and other data-heavy services. 4G, the highest standard commercially available at the moment, has enabled high-speed data services like HD mobile video and real-time gaming.
In one sense 5G network is the next step in this evolution. It continues the trend towards higher and higher data speeds and greater connection density.
However, 5G is much more than that. It is a reconceptualization of what a communications network looks like. It is not, as the previous four generations were, rested in physical architecture. While there is new hardware, 5G is first and foremost a virtual network through which the boundary lines of physical and cyber reality will become increasingly blurred.
The latent potentials of 5G network are as endless as the applications that can be built on it. From healthcare to public safety to domestic leisure to travel, childcare, manufacturing and even warfare, 5G will change everything. It, together with IoT and AI will be one of the single biggest technological leaps our species has seen.
But with this tremendous power comes tremendous risk. 5G network is not the same as 4G or 3G, nor can we view the cybersecurity of 5G in the same way as we did with previous network generations. As we move into an era of driverless cars, autonomous factories and ubiquitous drones, we need to think differently about how we secure our networks.
New tech, new cybersecurity dangers
A 2018 study of more than 1000 senior managers and C-suite executives in Western Europe, the Middle East and Japan found that the top business priority for senior leaders globally was cybersecurity. It’s not difficult to see why. Significant data breaches are becoming more commonplace, exposing corporations to material losses of shareholder value, investor confidence and customer faith.
A recent example is the hack of Capital One that saw the theft of more than 106 million customers’ personal information. What was especially pertinent about this attack, though, was that it was conducted on cloud-based data stores, not physical servers. The Capital One incursion has raised concerns about the safety of sensitive information in the cloud, but with 5G these dangers increase in complexity, scale and magnitude.
The reasons for this are the same as those that make 5G such a thrilling prospect for human development.
Firstly, 5G network is fast. Very very fast. Whereas 4G tops out at 100 Mbps, 5G’s theoretical top speed is 200 times faster at 20 Gbps. Secondly, 5G has breathtakingly low latency (the time it takes for a system to receive a response to a request). The average human reaction time to a stimulus is 250 milliseconds (ms). Most humans perceive 100ms as instantaneous. 5G’s reaction time is 1ms.
Though the general public is sold on what this means for entertainment (think: UHD movies downloaded in seconds, multiplayer games with zero time lag), the true benefits of high speed and super-low latency will be felt in society-shifting technologies like autonomous vehicles, remote surgery, and AI. New functions will come online that most people cannot currently imagine.
5G is able to deliver these unimaginable efficiencies because it lives in the frictionless universe of the cloud. It is essentially an all-software network operated through distributed digital routers, virtual networks, and network slices orchestrated with the help of AI. It is a decentralized system that optimizes processing speed and power by relocating operations to the fringe. This is very different from the ‘hub and spoke’ configurations of previous generations.
Such a setup unleashes almost unlimited potential and is the gateway to a truly AI-empowered world. But it also reveals previously unseen numbers of vulnerabilities.
To begin with, software is by its nature hackable, so a system built on software interfaces will always be prone to hacking. 5G specifically virtualizes in software higher-order network functions usually employed in physical hardware. The language used in virtualizing these services is universally known and accessible. At the level above, the network is, as in the case of services like network slicing, operated by software, probably even basic AI. Anyone capable of corrupting this software can gain control of everything it manages.
Then, compared to 3G and 4G networks, for example, where hubs and connections are more centralized and can be used to conduct cyber hygiene, the 5G network is open and distributed. This creates an entirely new set of cybersecurity challenges. Decentralization and removal of network ‘choke points’ makes the network far more difficult to police. But the problem is not just structural.
A conflict of interests
The internet of things (IoT) already consists of billion devices linked to servers and the internet in different ways. These can be anything from a car’s navigation system to a child’s toy doll. Chips and sensors turn everyday objects into mini computers that create and share data. As 5G becomes the standard, the IoT will explode. Soon we will see entire cities connected in seamless silent communication.
Smart cities are an example of ways in which 5G network might improve the living standards of every citizen, but they also show what might go wrong. When billions of devices are connected to a 5G network, and all of those devices have many possible types of applications, the cyberattack vectors become limitless.
When hackers or cyberterrorists manage to compromise the systems that keep a smart city functioning, the consequences move out of the digital realm into the physical. When water supply, power supply, traffic management, waste removal or connectivity are disrupted, humans suffer. This is to say nothing of what might happen if a highly sophisticated matrix of autonomous vehicles, all driving at high speeds during peak time traffic, were brought down in an instant.
On a smaller, but more personal scale, the accelerated ubiquity of IoT devices in our normal lives will leave us open to surveillance in our own homes. Even basic devices can, without our knowledge, be turned into microphones or cameras by someone why gains remote access. Then, if those devices are infected with a virus that recruits them in a DDoS attack, networks or businesses face an army of billions of devices flooding them with requests. The result is inevitably breakdown.
So, the risks are dramatic and, as the news regularly reports, the threat is real. So what should we be doing and why are we not doing so already?
For one thing, there are too many competing interests in the market. Devices and applications are being designed as iterative models, always released as a minimum commercially-viable product. Device and application developers know that their software can always be updated later to fix bugs and errors – the key is to get the product to market as soon as possible. This is understandable when profit is the only aim. But it makes security almost impossible.
There is an old military saying: ‘slow is smooth and smooth is fast.’ Do something properly and you will save yourself the time that will give you the upper hand over your adversary. This is not, however, the philosophy guiding device and application design. Nor is it the thinking guiding 5G network construction.
Too many cooks in the 5G network kitchen
Unlike China which has a managed economy, western democracies are governed by the rules of free market economics. Using the US as an example, multiple network operators have licences to move ahead with 5G, and with diversity comes less alignment.
Yet, a coordinated move to build cybersecurity into 5G networks from the ground up is critical if we are to deliver on the promises of the technology. Without it the rollout of one of the most powerful tools of our times will be fraught with peril.
It is one of the reasons why the US National Security Telecommunications Advisory Committee (NSTAC)—composed of leaders in the telecommunications industry— recently told President Trump that, “The cybersecurity threat now poses an existential threat to the future of the [n]ation.”
For 5G to become a blessing and not a curse, public and private interests will need to be congruent. Governments and businesses will need to work together to establish policies and operational agreements that grant capitalistic freedom without infringing on the safety of our people.
Corporate interests owe their customers a duty of care. That is a fundamental principle of business, but ignoring it in a 5G world could be catastrophic. Governments, on the other hand, need to be more sober about how they determine their policy agendas. The recent furore around the US and Huawei may or may not be justified. What is certain, though, is that it has obscured the true scale of the 5G threat.
Technology is changing faster than anyone could control. Cyber criminals and cyber terrorists know this and take advantage of it. When 5G comes online the battlefield opens up. We need to act now in an agile and coordinated fashion if we hope to make the coming decades the prosperous ones the world deserves.
For over 30 years, Marin Ivezic has been protecting people, critical infrastructure, enterprises, and the environment against cyber-caused physical damage. He brings together cybersecurity, cyber-physical systems security, operational resilience, and safety approaches to comprehensively address such cyber-kinetic risk.
Marin leads Industrial and IoT Security and 5G Security at PwC. Previously he held multiple interim CISO and technology leadership roles in Global 2000 companies. He advised over a dozen countries on national-level cybersecurity strategies.