Privacy by design: Cybersecurity and the future of 5G

History has shown that when we rush to expand computing power and interconnectivity – IoT and cloud tech, to name two – we expose ourselves to new kinds of cyberattacks and bad actors. Can we get it right with 5G?

5G mobile wireless network technology emerging from smartphone
Brosko / Getty Images

Two words capture the difference between the existing generation of connectivity and the next: speed and latency. Fifth-generation wireless (5G) is projected to be almost one hundred times faster than our current iteration, massively reducing the delay between a given order and its execution.

Globally, carriers are funnelling hundreds of billions of dollars into developing the technology. Effective implementation will require a completely novel approach to network infrastructure, which will capitalize on new swaths of the electromagnetic radio spectrum. According to predictions, the technology will herald a new era of low-power, low-latency Internet of Things (IoT) devices, from remote robotic surgeons to autonomous vehicles and hypersonic weapons. The projections are bold, and the stakes are high. The 5G economy, we are told, will pave the way for a fourth industrial revolution.

Implementing the next generation of mobile broadband is not a feat of engineering alone. Though still in its infancy, the technology has already generated a tangled international web of threats, allegations, indictments, arrests, and general anxieties. As usual, there are deep concerns that privacy and security might be an afterthought, lost in the fervour surrounding the newest, most disruptive technology.

So far, carriers and governments have focused on efficiency and first-to-market strategies over the pre-emptive security of their services. Looking back to the arrival of the first IoT and cloud technologies, history has repeatedly shown that when we rush to expand our computing power and interconnectivity, we expose ourselves to an entirely new landscape for attackers to leverage and abuse. 5G is a brave new world for businesses, but also for threat actors.

China and the politics of global networks

Given the political and economic stakes, it’s no surprise that global power rivalries have begun to infect the development and build-out of 5G. As states are poised to make procurement decisions for next-generation infrastructure, they are having to confront and navigate long-standing geopolitical conflicts.

Chinese telecoms giant Huawei sits at the epicentre of this conflict. Currently the global leader in the telecommunications infrastructure market, Huawei had cornered nearly thirty per cent of the global market by the start of this year, with revenues up thirty-nine percent year-on-year. Despite facing at least partial bans in America, New Zealand, and Australia, Huawei has already settled 40 contracts to deliver 5G infrastructure across the globe, and is expecting to have shipped 100,000 base stations by May 2019.

China has made it clear that it wants to dominate 5G technology and its deployment from the start. Through Huawei and the products it manufactures, Beijing is poised to control the 5G network rollout, dictate the international standards for its deployment, and leverage the foundation of the 5G system for its own benefit.

Political leverage isn’t the only issue at stake. Cybersecurity experts, politicians, and independent investigatory bodies have accused Huawei of being a conduit for Chinese intelligence. Concerns have been raised that Beijing is using companies like Huawei and ZTE as an extension of its intelligence network, engaging in criminal behaviour to advance not only its bottom line but the interests of the Chinese state.

It’s clear that winning the ‘global race’ to 5G is about more than economic necessity; it is a geostrategic imperative for the promotion of national agendas and the garnering of political footholds.

The latest report from Britain’s Huawei Cyber Security Evaluation Centre (HCSEC) offers a damning portrait of Huawei. It tackles not the corporation’s alleged links to Chinese intelligence, but — more disturbingly — the “serious and systemic defects in Huawei’s software engineering and cyber security competence.”

The report is deeply disturbing for those concerned about a Huawei-built 5G network, regardless of supposed ties to foreign intelligence. The painful truth is that any service provider sitting at a low level in a network enjoys a powerful and privileged position. Should it so choose, it is capable of exploiting, inspecting or otherwise interfering with data as it passes over the network. Rather, in a software-driven, complex 5G network, the immediate and preventable risk will be of flaws and vulnerabilities that allow anyone – not just the Chinese government – to compromise the privacy and security of users.

Security challenges, new and old

On a fundamental level, 5G is vulnerable to the same potential risks as its forerunners: authentication, accessibility, data security, and confidentiality. As several 5G protocol specifications have been brought over from 3G and 4G networks, the untapped vulnerabilities of these previous generations will also be inherited. Network-downgrade attacks pose a similar and significant risk; the lack of authentication at the initial connection phase may allow adversaries to downgrade a target’s network to 4G or 3G, enabling them to exploit existing vulnerabilities.

On top of these inherited risks, 5G will also introduce a new set of security challenges. As well as preventing deliberate flaws that may benefit a state’s domestic agenda, regulators must focus on building and enforcing a consistent and coherent approach to security-by-design.

Most immediate of these new risks is the impact of scale on security. The number of devices requiring authentication will soon be an order of magnitude larger than what we know at present. These devices will require a long lifetime and therefore low-power security; in the case of cars, meters, and sensors, they may also be built-in -- preventing physical access. Consequently, it may prove impractical if not impossible to physically swap identity or security modules at scale.

Given the diversity of these applications and networks, it’s clear that a spectrum of security solutions will be necessary to meet the range of 5G use-cases. Heterogeneity in 5G is not limited to device type; separating functions such as network slicing and Control and User Plane Separation (CUPS) – seen as fundamental to 5G functionality – themselves introduce new challenges, such as effective separation of network slices with differing security levels.

Key protections such as encryption, hashing, and secure protocols in virtualized environments come at the expense of time and computational overheads. Trade-offs in balancing the level of protection against the associated overheads need to be carefully considered, particularly for low-power or latency-sensitive applications. Protocols must be looked at carefully to see if precomputation can offer time savings.

The enormous numbers projected for the 5G-driven IoT have caught our collective imagination. Practically, many millions of long-lived devices operating concurrently is likely to cause a degree of congestion in both licensed and unlicensed spectrum – the electromagnetic equivalent of rivers full of plastic waste. To avoid this, it may be necessary to consider embedding a means of remotely switching-off redundant IoT devices operating in prime mobile bands. If a means to remotely switch these devices off is embedded, this feature will require careful design to avoid the potential for compromise.

Hyper-connectivity and user privacy

As it stands, mobile network operators and services are largely diversified, which in turn diversifies the origin of our data. In terms of privacy, the impending consolidation of this power into the hands of a few companies should raise alarms for consumers. It is yet to be decided who should or should not have access to user content and its associated metadata like IP addresses, personal identifiers, and location history.

Technically and idealistically, 5G should facilitate confidentiality where it is necessary and access to information where it is required. This will likely involve a concept called multi-context security: a move beyond two-party end-to-end encryption where “middleboxes” are used to access data in carefully controlled situations. As with most privacy debates, there is an inherent tension here: much of the value from 5G applications such as smart cities is derived from creating and leveraging ‘big data’, yet these data stockpiles increase the privacy consequences of successful attacks, which in turn fuels their motivation and resourcing.

Opening up new bands of the electromagnetic spectrum is paramount if we are to realise the breakneck speeds promised by 5G. The majority of U.S. carriers are preparing to transfer their services to much broader bands to facilitate the passage of wide streams of data. These high-frequency bands – known as millimetre waves – were not available for mobile networking until recently thanks to improvements in antenna technology. In practice, these millimetre waves are difficult and fragile: they can only travel small distances – around one thousand feet – and are easily hampered by buildings, plants, bodies, and even the weather.

To bypass these physical limitations, 5G relays will require regular installation on streets, city blocks, and inside buildings. Relays fixed to thirteen million utility towers, for example, would deliver 5G service to approximately half of the U.S. population, with a collective installation cost of approximately four hundred billion dollars.

A system founded on millions of antennas, sensors, and cell relays mounted just hundreds of feet apart offers surveillance potential on a previously inconceivable scale. Large telecom corporations already sell reams of user location data to advertisers and data brokers, while authorities have used similar information to monitor protesters, suspects, and journalists.

Excluding the use of VPNs and other consumer security software, 5G will for the most part enable governments and corporations to register exactly where someone has been, where they’re going, and what they’re doing. Combined with developing facial recognition technology and the processing power of artificial intelligence, the data volume, quality, and tracking capabilities of 5G may make privacy a thing of the past.

Next steps: defence by design

Huawei appears to be inseparably bound to a government that sports a known history of international data theft, cyber-espionage, and domestic spying. Keeping a company with these ties out of global digital infrastructure is sensible; but prohibiting Huawei hardware will not protect those networks. Even without this equipment, critical systems may still rely on software produced in China, and any alternatives can be remotely reprogrammed by malicious parties.

Hardware and software supply chains are global, and even the most wholesome tech brands have components that are sourced in China. Moreover, 5G infrastructure will sit on top of existing 4G equipment. Unless a country destroys its existing Huawei-built equipment – at immense cost – it will not be able to eliminate China’s influence from its future mobile infrastructure.

It seems privacy and security concerns are not at the heart of the current administration’s fixation on 5G. In recent conversations negotiating international standards, America eradicated a requirement that the specifications of 5G include cyber-defence. Rather than focus on the most effective and secure methods of implementation, the Trump Administration, keen to win what it has branded “the race to 5G”, may be more interested in attempting to stall Huawei’s – and, by extension, China’s – progress.

Ultimately, privacy and security for an immense, global network like 5G cannot be properly erected on top of an existing system. Given the depth and diversity of challenges and potential use-cases, safeguards must be built into the system from the very beginning. Developers must establish which security criteria can be included at the early stages and focus on finding multi-context security protocols that can deliver both privacy for end users and security for enterprises. We must stimulate a healthy marketplace for products which support the isolation of sensitive functions in virtualized environments.

As 5G starts to roll out, the economic pressure to collect and exploit new swathes of data from individuals and companies will only intensify. Building privacy and security protections into the technology seems like a moral necessity that is yet to be considered an imperative.

The dangers here – despite the media’s coverage – are not restricted to one opposing nation-state. What is critical in the long-term is what is existential to democracy: allowing any government or corporate body unfettered access to its consumers’ activities at all times. With that knowledge, the tendency will always be the desire to regulate how you think and behave. Even innocuous-seeming technology, when paired with increasingly authoritarian and regulatory impulses, may challenge liberal values in unexpected ways.

This story, "Privacy by design: Cybersecurity and the future of 5G" was originally published by CSO.