Every once in a while, a new technology is unleashed that changes our lives. The wheel, the steam engine and the internet are just some examples that had a profound effect. 5G could be the latest to do the same. Its rollout will forever change how we manage mobile security, posing an entirely new set of risks we have not handled before.
Mobile Connections Are Booming
Mobile industry forecasts can be eye-popping. GSMA Intelligence, the research arm of the GSM Association, released a report in February 2019 titled, “The Mobile Economy 2019.” The report made two major predictions:
- There will be 1.4 billion 5G connections by 2025, accounting for 15 percent of the global total.
- The number of global internet of things (IoT) connections will triple by 2025, reaching 25 billion.
But with possibilities come potential perils.
Looking at the numbers should sound off alarms: There is a resource management problem on the horizon, both in terms of tech and human capabilities. In case you have doubts regarding the magnitude of the mobile security problem we are facing, I’d invite you to check out GSMA’s real-time “mobile connections” counter. At the time of writing, it sits right around 8.84 billion.
A New Set of Problems for the 5G Era
This new wireless environment will unleash something completely different from the wired/stationary environment we have been used to securing for about six decades, creating an entirely new set of challenges. These challenges can be broadly outlined in three areas: manageability, the supply chain and usage. All of these problems stem from the fact that we’re going mobile and producing and consuming data at incredible rates.
Problem 1: Manageability
When you look at the minimum technical performance requirements for IMT-2020 radio interfaces — a fancy way of saying 5G — you get a clear understanding of what it is designed for. Here are just a few key specifications:
- Ability to download gigabytes in seconds.
- Potential uses include augmented reality, self-driving cars, smart cities, mission critical applications, work and play in the cloud, 3D video and UHD screens, and industry automation.
- Minimum connection density of 1 million devices per square kilometer.
- Mobile connections that can provide quality of service at speeds between 0–500 km/h.
In other words, it’s designed to replace virtually all of our existing communication platforms and infrastructures.
I already see two glaring problems: endpoint security management and data traffic analysis issues, especially those happening in real time. All these little gadgets — that go well beyond our phones, or should I say, our devices — are going to be endpoint headaches, especially since we haven’t yet figured out how to handle many IoT vulnerability issues. Put another way, instead of solving one of today’s major problems, the new wireless rollout will fuel it for tomorrow.
Similarly, think about how dangerous just a few kilobytes of malicious data can be. Do we have the resources to ensure gigabyte-per-second downloads are not carrying some payload that can knock us out?
Remember, the more complex something is, the greater the likelihood of fragility. A new research study from the Centre for Wireless Communications at the University of Oulu in Finland — a country well-known for its mobile technology innovations — identified some of the key security threats associated with 5G, including:
- Flash network traffic;
- Security of radio interfaces;
- User plane integrity;
- Mandated security in the network;
- Roaming security;
- Denial-of-service (DoS) attacks on the infrastructure;
- Signaling storms; and
- DoS attacks on end user devices.
So how can you handle the manageability problem? In 2019, I’d advise you to slow down. Before you adopt all the wonderful tech wizardry that is about to be released, make sure your current mobile security posture is on sound ground.
Other quick fixes include ensuring you have the right technology for your organization’s needs, sound policies and employee training, and critical vendors and specialized consultants on speed dial, ready to help out with your cyber hygiene maintenance or when things go south. You can do a lot in-house, but chances are you can’t do everything. Your business focus is likely elsewhere.
Problem 2: The Supply Chain
The supply chain issue is in large part driven by geopolitical factors. Issues such as who sets the security standards or who the dominant suppliers are will play a large role. That’s why your enterprise should work to address two key areas.
First, can you reasonably identify what you’re connecting to, where the data is passing through and who the possible listeners are? With trade secrets, business strategies and personally identifiable information (PII) sitting on servers everywhere, you not only need to know what your crown jewels are, you need to know how your crown jewels could be accessed. Data at rest versus data in motion could have very different security needs, and a lot of it is going to be in motion soon. The days of the stationary corporate intranet setting are fading; our business needs are increasingly being pushed to mobile and the cloud and rely on third-party service providers.
Second, do you trust your gear? This is a question I expect we will hear more and more as time passes, especially with respect to IoT devices. Until such a time when there is a clear certifying authority that can sign off and say, “This device is safe,” you are going to need to do some serious relationship building with your vendors and consultants. You may not have the in-house tools to determine what’s safe or not, but they might. It’s amazing what you can do in a trusting relationship.
Problem 3: Usage
Unless we’re ready to split up work and play — meaning a total segregation of professional and personal devices and services — we’re going to have problems in this space. There is no universal answer to this problem, which is why I will defer to award-winning computer security analyst and risk management specialist Dan Geer, who said, “Freedom, security, convenience: choose two.”
Ultimately, your enterprise is going to have to decide which mobile security route to take and create a framework to deal with those nontechnical issues like privacy and law. That’s a policy decision, which is why organization leaders and security professionals need to be speaking the same language when making these decisions.
Prepare for Changes to Mobile Security Management
Don’t waste time, because this is happening quickly. You don’t need to be an early adopter of 5G technology, but you need to ensure your current cybersecurity game is up to par. Otherwise, you’re building on unstable foundations, something that has been a bad idea since the beginning of time.
Yes, knocking down the house and building a new one, while coming with a greater upfront capital cost, is an option worth exploring. It may not be for everybody, as every organization’s needs are different, but just remember, this new wireless standard is going to have usage-altering effects, so don’t go building on something that is shaky. Even your favorite pair of shoes can only be worn so long before they need to be retired.