5G Security and Resilience

5G Graphic

The fifth generation (5G) of wireless technology represents a complete transformation of telecommunication networks. 5G will transform the digital landscape and serve as a catalyst for innovation, new markets, and economic growth. As tens of billions of devices are connected to the internet through 5G, these connections will empower a vast array of new and enhanced critical infrastructure services.

As the nation’s risk advisor, CISA, through the National Risk Management Center (NRMC), is leading risk mitigation efforts by working with government and industry partners to ensure the security and resiliency of 5G technology and infrastructure.

ANNOUNCEMENT

December 2020: CISA published a new resource, Edge vs. Core - An Increasingly Less Pronounced Distinction in 5G Networks, to inform stakeholders about how edge computing increases the risks of untrusted components into 5G networks by moving core functions away from traditional network boundaries. The product is intended to provide an overview of edge computing and represents CISA’s analysis of the risks associated with installation of untrusted components into 5G infrastructures.  

 

CISA's
5G Strategy

Risks from
5G Deployment

Partnerships

Resources

5G Overview

Roughly every ten years, the next generation of mobile communications network is released, bringing faster speeds and increased capabilities. The first generation (1G) of wireless networks brought the very first cellphones; 2G brought improved coverage and texting; 3G introduced voice with data/internet, and 4G long-term-evolution (LTE) delivered increased speeds to keep up with mobile data demand.

5G represents a complete transformation of telecommunication networks, introducing a wealth of benefits that will pave the way for new capabilities, and support connectivity for applications like smart cities, autonomous vehicles, and telemedicine.

3 images in a panel that read in order from left to right: 100x Faster Download Speeds: 5G brings about much higher data rates. While a 3GB movie would take 40 minutes to download on 4G, it would take only 35 seconds on a 5G network. 100x Network Capacity: 5G promises greater traffic capacity, allowing for millions of devices to be connected on the same network within a small area. 10X Lower Latency: 5G brings near real time interactivity with data response times being as low as 1 millisecond, providing endless possibilities from remote surgery to self driving cars.

When Will 5G Be Available?

 

Download and share the 5G Basics Infographic on key 5G challenges and risks to help strengthen the security and integrity of 5G technology in our nation. Widespread usage of standalone 5G networks is not expected until at least 2022. Initial 5G deployment will operate on a non-standalone network (relying on existing telecommunications infrastructure (i.e., 4G) and has begun being rolled out incrementally across several U.S. cities. Additionally, the continued exponential increase of connected devices will also utilize 4G, 4G Long-Term Evolution (LTE), and 4G/5G hybrid infrastructures to improve the bandwidth, capacity, and reliability of broadband services. The evolution from non-standalone to standalone 5G networks (which do not rely on existing infrastructure) will take years. But the goal remains to meet the increasing data and communication requirements, all while securely reaping the benefits and possibilities 5G brings.

National Strategy to Secure 5G

In March 2020, the White House developed the National Strategy to Secure 5G, which expands upon the National Cyber Strategy and outlines how the Nation will safeguard 5G infrastructure domestically and abroad. In January 2021, the accompanying Implementation Plan was released. The National Strategy to Secure 5G and Implementation Plan puts the United States on the path to make sure that we are equipped to continue development, deployment, and management of secure and reliable 5G. 

As the lead federal agency for cybersecurity, CISA is helping shape the rollout of this emerging critical infrastructure through strategic risk mitigation initiatives that stem from the National Strategy to Secure 5G’s four Lines of Effort:

  1. Facilitate Domestic 5G Rollout
  2. Assess Risks to and Identify Core Security Principles of 5G Infrastructure
  3. Address Risks to United States Economic and National Security During Development and Deployment of 5G Infrastructure Worldwide and,
  4. Promote Responsible Global Development and Deployment of 5G

Through its unique authorities, the Agency is working with interagency, industry, and international partners to ensure relevant policy, legal, security, and safety frameworks are in place to mitigate significant 5G risks. Critical infrastructure systems across all 16 sectors rely on ICT (included 5G components when deployed), for the operation of the National Critical Functions (NCFs), making securing 5G a priority for the Agency.

CISA's 5G Strategy

The CISA 5G Strategy establishes five strategic initiatives that are guided by three core competencies:

  1. Risk Management: Promote secure and resilient 5G deployment by leading efforts to identify, analyze, prioritize, and manage risks.
  2. Stakeholder Engagement: Actively engage federal, state, local, tribal and territorial, industry, association, academia, non-profit, and international partners to address 5G challenges.
  3. Technical Assistance: Update and develop instructional tools and services to support stakeholders with the planning, governance, operational, and technical aspects of secure 5G deployment.

CISA’s 5G Strategic Initiatives are:

  • Strategic Initiative 1: Support 5G policy and standards development by emphasizing security and resilience: Developing 5G policy, best practices, and standards that emphasize security and resilience to prevent attempts by threat actors to influence the design and architecture of 5G networks;
  • Strategic Initiative 2: Expand situational awareness of 5G supply chain risks and promote security measures: Educating stakeholders on 5G supply chain risk, particularly around vendors, equipment, and networks to promote leading security practices within the public and private sector;
  • Strategic Initiative 3: Partner with stakeholders to strengthen and secure existing infrastructure to support future 5G deployments: Strengthening and securing existing infrastructure to support future 5G deployments by recommending improvements for existing 4G Long-Term Evolution (LTE) infrastructure and core networks;
  • Strategic Initiative 4: Encourage innovation in the 5G marketplace to foster trusted 5G vendors: Catalyzing innovation in the 5G marketplace to foster trusted 5G vendors; and
  • Strategic Initiative 5: Analyze potential 5G use cases and share information on risk management strategies: Assessing risk mitigation techniques on 5G use cases in order to share and popularize strategies that continue to secure the NCFs.

These initiatives include associated objectives to ensure there are policy, legal, security, and safety frameworks in place to fully leverage 5G technology while managing its significant risks.

Read the CISA 5G Strategy

Risks from 5G Deployment

The Agency is working interagency, industry, and international partners to manage the accompanying risks and challenges to 5G implementation appropriately, increasing its security and resilience at the design phase and reducing national security risk from an untrustworthy 5G network. While the deployment of 5G presents opportunities to enhance security and create better user experiences, there are several risks that should be considered, such as:

Attempts by threat actors to influence the design and architecture of 5G networks: 5G will utilize more ICT components than previous generations of wireless networks. Municipalities, companies, and organizations may build their own local 5G networks, potentially increasing network vulnerabilities. Improperly deployed, configured, or managed 5G equipment and networks may be vulnerable to disruption and manipulation.
Susceptibility of the 5G supply chain due to the malicious or inadvertent introduction of vulnerabilities: The 5G supply chain is susceptible to the malicious or unintentional introduction of risks such as malicious software and hardware,  counterfeit components, and poor designs, manufacturing processes, and maintenance procedures. 5G hardware, software, and services provided by trusted entities could increase the vulnerabilities of network asset compromise and affect data confidentiality, integrity, and availability.
Current 5G deployments leveraging legacy infrastructure and untrusted components with known vulnerabilities: 5G builds upon previous generations of wireless networks and is currently being integrated with 4G LTE networks that contain some legacy vulnerabilities. Some of these legacy vulnerabilities, whether accidental or maliciously inserted by untrusted suppliers, may affect 5G equipment and networks despite the integration of additional security enhancements.
Limited competition in the 5G marketplace resulting in more proprietary solutions from untrusted vendors: Despite the development of standards designed to encourage interoperability, some companies, such as Huawei, build proprietary interfaces into their technologies. This limits customers’ choices to use other equipment. Lack of interoperability with other technologies and services limits the ability of trusted companies to compete in the 5G market.
5G technology potentially increasing the attack surface for malicious actors by introducing new vulnerabilities: The implementation of untrusted components into a 5G network could expose communications infrastructure to malicious or poorly developed hardware and software, and could significantly increases the risk of compromise to the confidentiality, integrity, and availability of 5G data .

Partnership Enables 5G Security and Resilience

CISA works with industry leaders and public sector agencies to bring awareness to national critical infrastructure risk, as well as to educate and drive behavioral change towards the Nation’s relationship with ICT and other critical systems, including 5G technologies.

  • Federal Departments and Agencies: Through information sharing and coordination with federal departments and agencies, CISA helps establish collective risk management strategies that support the development of national policy and strategy frameworks for future 5G deployment.
  • SLTT Government Agencies: CISA engages with state, local, tribal, and territorial (SLTT) government agencies to understand common vulnerabilities and share assessments of potential risks posed by 5G technology. In addition, CISA works with SLTT stakeholders to discuss the specific policy, technological, and legal implications inhibiting secure 5G deployment.
  • Private Industry: CISA relies on its partnership with the private sector to understand and manage risks posed to 5G technology. With the promise of connectivity between billions of Internet of Things (IoT) devices, it is critical that CISA and industry collaborate to identify vulnerabilities and ensure that cybersecurity is prioritized within the design and development of 5G technology. By coordinating with 5G network providers, infrastructure technicians, and telecom companies CISA is helping ensure that risk mitigation techniques are consistently applied across the network – both for existing 4G LTE and new 5G deployment. Through meaningful risk dialogues, industry working groups, and partnerships, CISA can provide extensive value to industry players looking to shore up their security apparatus.
  • Non-Governmental Organizations: The research and development (R&D) initiatives carried out by associations, academia, and non-profits is invaluable to the security and resilience of 5G networks. From the analysis, design, testing, and development of new 5G capabilities, partnerships with these entities provide both subject matter insight and expertise that promote secure 5G deployment.
  • International Allies: As 5G connectivity becomes a reality, there is the potential for an increase in untrusted vendors, equipment, and devices. Whether vulnerabilities are malicious or inadvertent, there will remain a need to maintain strong relationships with international partners to communicate risks and safeguard the flow of information.

5G Resources

CISA developed these resources as voluntary tools for secure adoption and implementation of 5G technologies. Any analysis of 5G vulnerabilities represents the beginning of CISA’s thinking on this issue, not the culmination of it. These resources are not an exhaustive risk summary or technical review of attack methodologies.

5G External Resources

These resources are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide warranties of any kind regarding this information, nor does it endorse any commercial product, service, or subjects of analysis. Any references to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by DHS.

  • 3rd Generation Partnership Project (3GPP): A telecommunications standards organization, develops a series of releases that provide developers with a stable platform for the implementation of cellular telecommunication features. Releases 15, 16, and 17 focus on 5G.
  • Framework to Conduct 5G Testing: A Framework by the Federal Mobility Group (FMG) to support the diverse needs of federal use-cases of 5G as well as coordination of 5G test activities across the federal government.
  • National Telecommunications and Information Administration: Housed within the Department of Commerce, NTIA is principally responsible for advising the President on telecommunications and information policy issues.
  • O-RAN ALLIANCE:  An effort committed to transforming radio access networks (RAN) towards open, intelligent, virtualized and fully interoperable RAN.
  • State Department’s 5G site: Provides the latest security and policy concerns related to 5G


For questions or comments, email 5G@cisa.dhs.gov.

Was this document helpful?  Yes  |  Somewhat  |  No