Home / Blogs

5G Security Transparency

Anthony Rutkowski

There is considerable rhetoric propagated today about 5G security. Some of the more blatant assertions border on xenophobia with vague assertions that the 5G vendors from some countries cannot be trusted and wholesale government banning is required. Existing treaty obligations are being summarily abrogated in favour of bilateral trade bullying. These are practices that the late President George H.W. Bush sought to eliminate a quarter century ago through intergovernmental organization initiatives that relied on industry collaboration. Bush 41's efforts were enormously successful and opened up a new world of global communication services, products, and economic growth — that are now being systematically undermined. As the world transitions to 5G global communications, the adverse effects of unilateral national isolationism will be profound.

Fortunately, open global industry collaboration is more active today than at any point in history — especially now for 5G security. It is that collaboration that also provides significant 5G security transparency today. That transparency is more essential than ever.

Metrics of 5G Security Collaboration

To provide some degree of transparency on the subject of 5G security and who is actually devoting resources to taking action, we are somewhat fortunate that there is one principal global industry venue that is intensively devoted to the subject — the 3GPP organization's group SA3. Its remit is exclusively security, and there are 17 current Release 16 work items that are devoted to every aspect of 5G product and service security, including supply chain management.

As opposed to other standards bodies, 3GPP's are essentially mandatory, and some are overseen by the industry's global provider and vendor organization, the London-based GSMA. As a result of this stature, the work is extensive, dynamic, and globally inclusive.

During 2018, the SA3 held seven meetings lasting five days, roughly 60 days apart, in the U.S., Europe, and Asia. Arguably, the metrics of participation in these 2018 meetings are transparent indicators of the companies, agencies, and organizations interested and substantively involved in bringing about 5G security and willing to devote resources. In addition, because this open industry activity involves the participants making their Intellectual Property available for collective public use, the input metrics are indicative of the willingness of parties to share their 5G security IPR.

During 2018, 74 different companies (including their subsidiaries) plus a few agencies, sent technical experts to the seven SA3 meetings, expending 2,676 staff days and submitting 3,582 documents devoted specifically to 5G security specifications and liaison communications. The metrics for the top twenty participating entities are shown below and can be openly obtained from the SA3 portal site. These numbers are significant because they demonstrate who is willing to expend monies to have an employee present the most important industry 5G security meetings rotating across three continents, including three in the U.S.

Staff daysEntity
305Huawei
170Ericsson
170Qualcomm
140China Mobile
125Nokia
110NEC
85Motorola
75CATT
75InterDigital
75NCSC
70BT plc
65Orange
65Samsung
55Apple
50Deutsche Telekom
50ZTE Corp
45Datang
45Intel
45Sony
45Vodafone

Among government agencies, UK's NCSC is found in the top 20. The three USGOV agencies — DHS, NIST, and FCC - together expended 60 staff days.

Another measure of substantive engagement — input document contributions to the 5G security standards and studies in 2018 are shown below. The numbers reflect the entity individually or collectively contributing a specification or study proposal or text. These numbers are significant because they indicate the degree of substantive engagement in 5G security provisions.

ContributionsEntity
679Huawei
626HiSilicon
580Ericsson
510Nokia Shanghai Bell
204Qualcomm
180China Mobile
170NEC
152ZTE Corp
127CATT
108Motorola
95KPN
90Deutsche Telekom
89Vodafone
86Samsung
69InterDigital
66NCSC
54China Unicom
53LG Electronics
42Lenovo
37Intel

Here also, many of the same parties are found in the top 20 because contributions require the attention of participant staff. Among USGOV agencies, NIST provided 9 submissions, and the FFRDC, MITRE, submitted 9.

5G Supply Chain Management

Among the many SA3 5G security standards, the one most related to contemporary security supply chain threat rhetoric is the Security Assurance Specification for 5G (SCAS_5G). The 3GPP activity is an extension of an initiative begun in SA3 nearly five years ago based on material from the Common Criteria Control Board to develop a global industry-driven mobile Network Equipment Security Assurance Scheme (NESAS) for equipment supply chain management using a Security Assurance Methodology (SECAM). The managing and accrediting body is the GSMA.

Here also, the contribution metrics show the stark reality both over the past five years as well as today - the U.S. government chooses to completely ignore the principal global activity for supply chain management.

Fourteen parties participated in 2018 in submitting 92 input contributions for developing the 5G Security Assurance specification.

3British Telecom
5CATT
3China Mobile
3China Unicom
11Deutsche Telekom
3Ericsson
17Hisilicon
21Huawei
1Intel
3KPN
39NEC Corporation
38Nokia
14Samsung
10ZTE Corp

The FCC Supply Chain Proceeding and Advisory Committee

Global industry standards activities are not the only forum for treating 5G security. The FCC also instituted a rulemaking making proceeding in March 2018 to consider Commission rules related to supply chain management — especially 5G equipment. See WC Docket No. 18-89. Most of the 84 comments filed in the docket to date have expressed a preference for collaborative industry solutions rather than political-driven edicts.

Additionally, the Commission's own industry advisory group, CSRIC, in its Final Report of the Network Reliability and Security Risk Reduction Working group in March 2018, "recommend[ed] that the industry continue to participate in industry and standards forums and adopt the GSMA recommended controls to address emerging security risks as part of their overall 5G and IoT security approach."

New Threats to Global Industry 5G Security Collaboration

Decades ago, the United States was a leader in global ICT industry collaboration which including collectively developing the security specifications expanding the markets for worldwide growth and trade in equipment and services. That dynamic is alive and well today in 3GPP SA3 and many other venues, even if the participants have changed, and the U.S. government agencies have disengaged. There is an enormous amount of travel and personal sacrifice endured by the individuals involved.

Eight years ago, three Google executives while traveling in Italy, were apprehended because one of their company's offerings allegedly violating a local law. Their trial and imprisonment generated industry widespread outrage. Today, the same has recently occurred to another global ICT company executive from another part of the world. Such governmental actions are serious threats to everyone engaging in global industry security collaboration.

By Anthony Rutkowski, Principal, Netmagic Associates LLC
Follow CircleID on
SHARE THIS POST

If you are pressed for time ...

... this is for you. More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Vinton Cerf, Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Share your comments

To post comments, please login or create an account.

Related

Topics

New TLDs

Sponsored byAfilias

IP Addressing

Sponsored byAvenue4 LLC

Cybersecurity

Sponsored byVerisign

DNS Security

Sponsored byAfilias

Domain Names

Sponsored byVerisign