M360 ‘Security for 5G’ Predictions Panel
5G Security predictions for 2020
Following 2019’s M360 ‘Security for 5G’ event in The Hague, we have updated our 5G Security Predictions with inputs from our distinguished security panel: Jamie Collier (Digital Shadows), Philip Celestini (Syniverse), Pieter Veenstra (NetNumber), and William Dixon (World Economic Forum). Thanks to the insights provided by this expert panel we have been able to upgrade and share with you the following 5G Security predictions for 2020:
- 5G will accelerate a massive expansion of the attack surface
- First exploits targeting vulnerabilities in the 5G software supply chain
- Cyber intelligence and attribution weaknesses will be publicly acknowledged
- Data exposure could reach a critical level on the darknet
- A major attack on Industrial IoT impacting critical infrastructure
- New vulnerabilities will be attributed to a lag in 5G security
- Early adopters get serious about privacy & security tools to protect their ‘personal economy’
- Enterprises will raise the topic of 5G security assurances for operator SLAs
IoT devices are already driving significant growth in the breadth of the threat landscape. Now 5G’s slicing and softwarization of the network is set to increase its complexity as well. Breaches will only get worse, and this time we will see advanced use of adversarial AI and DIY hacking kits available from the darknet enabling amateurs and hacking-as-a-service.
The complexity of integrating SDN, NFV, cloud and open source in the 5G software supply chain requires proper planning and AI automation, without which it will become difficult to manage and easy to misconfigure. Furthermore, a multitude of third parties providing network functions to a highly ‘laminated’ 5G stack can fragment the security environment, damaging the trust model that governs solutions, systems and networks. If the trust model is not upgraded to meet 5G’s network security topology, authentication of these third parties could become a new attack vector.
Effective cyber intelligence contributes to successful attribution and investigation of cybercrime and improves cybersecurity. But the attribution rate is still too low (e.g. currently estimated at 0.05% of exploits in the USA) and predicted to worsen in the coming year. Poor relationships between public and private cyber intelligence communities will also get worse in 2020 before they get better. When they do, we will see improved partnering and communications, better predictive security engineering, and the indexing of the dark web resulting in a growing number of takedowns.
Poor mainstream digital literacy will continue to expose people’s and organisations’ data to breaches. This will be exacerbated by gaps in encryption of non-standalone 5G networks, accelerating the number and size of breaches exposing our data. The quantity and richness of sensitive data sinking into the darknet will increasingly be exploited by adversarial AI capable of optimizing and ‘productising’ this data for financial, industrial and geo-political gain.
5G connectivity will enable a huge increase in the use of IoT devices and industrial control systems for DDoS attacks, phishing, ransomware, and crypto mining. But 2020 will also see emerging exploits that use data corruption through sensors to misinform organizational decision making. Unfortunately, cybersecurity basics capable of mitigating these exploits, such as faster patching and improvements in OTA updates, are not expected anytime soon.
In the race to 5G deployment there is a risk that security-by-design gets left behind; integrating legacy networks with 5G could create interworking vulnerabilities and gaps in encryption; IP-based signaling threatens to be insecure and complicated to monitor; hasty deployments could lead to inaccurate provisioning to 5G standards; and availability of cybersecurity skills will also fall behind in 2020, exacerbating the security lag for 5G networks still further.
As risk awareness grows, early adopting consumers will invest in privacy & security tools that defend their ‘personal economy’; protecting their net wealth from personalization that over-exploits their spending; defending their knowledge from fakery; and managing their positive reputation and influence. These consumers start to search out and choose companies that will champion their privacy and data, as well as respect and protect their interests.
Complexity and the sheer number of vendors have the potential to fragment the 5G ‘service chain’, causing gaps and leaks resulting in unknown new threats that attract rogue elements. Enterprises recognizing the existence of such threats, and the critical importance of network slicing for future business transformation, will be looking for security assurances baked into operator SLAs.
The views and opinions expressed in this piece belong to the author and do not necessarily reflect those of the GSMA.