We Can’t Secure 5G Networks by Banning Huawei Gear
The next-generation network simply doesn’t work like the current one. Staying safe will require a new relationship between business and government.
The Trump administration’s approach to fifth-generation wireless networks has been a confused mash-up of trade negotiations, commercial competition, and national security concerns, all epitomized by its focus on barring equipment from Chinese manufacturer Huawei. Regrettably, this has drowned out any discussion of a larger problem: because of the way 5G works, banning one company’s gear won’t keep our data safe — and nor will even the best cybersecurity practices of today. If America is to harness the promise of 5G in a world of malign online actors, there must be a new relationship between business and government.
5G networks are particularly vulnerable because the network has moved away from centralized, hardware-based switching, to widely distributed software-defined digital routing and small-cell antennas. Previous networks were hub-and-spoke designs that brought everything to hardware choke points where cyber hygiene could be practiced. In a 5G software-defined network, that activity is pushed outward to a web of digital routers throughout the network. The absence of chokepoint inspection and control makes 5G cybersecurity exponentially more difficult than on traditional telecommunications networks.
Attaching to this web will be tens of billions of smart devices, the little computers that make up the ever-expanding internet of things, or IoT. From baby monitors and smart refrigerators, to smart-city traffic control and public utilities, to medical monitoring and diagnosis, all run on hackable software. In July, for instance, Microsoft reported that Russian hackers had penetrated run-of-the-mill IoT devices to gain access to networks and plant exploitation software. China, Iran, North Korea, and others won’t be far behind.
As officials of the Obama-era Federal Communications Commission, the authors established a 5G cybersecurity program that recognized the increased risks accompanying the new networks. When the Trump FCC took over in 2017, they eliminated these efforts and asserted that the agency had no authority to improve the cybersecurity of the networks it regulates. This is in stark contrast to what is happening in Europe, South Korea, and China, where governments are eagerly engaging with standards bodies and industry.
They are doing so because they realize that 5G’s promise depends on creating a new kind of cooperation between device and applications companies and the government. The United States must do the same. This model should employ a new iteration of the old “3Rs”:
Reinvent regulatory oversight. The slow-moving and rigid procedures of government must become as agile as the efforts of the digital innovators and those who use such innovations for ill. Government must move from structures and policies designed for the industrial era to those designed for the internet era.
Renewal of risk responsibilities. Providers of 5G products should adhere to the common-law concept of “duty of care.” This means the companies that produce and operate 5G networks, devices, and apps have the responsibility to identify and mitigate potential harms. 5G requires cybersecurity as a forethought, not an afterthought.
Reward and incentivize. Government’s role should evolve from punitive enforcement to defining the expected “duty of care” and rewarding those who exercise it. Such incentives should be financially meaningful and should create a legal safe harbor for participants. We should also have programs that help communities assess, appreciate, and address 5G risks.
“The race to 5G is on and America must win,” President Trump said in April, suggesting that the competition was to get the next-gen network up and running first. It is the wrong measurement. Yes, there is a “race,” but it is a race to secure our nation, our economy, and our citizens. The moment is now for a bipartisan effort to rethink how 5G has expanded the cyber threat and thus expanded the responsibility of both 5G providers and government. A culture of “move fast and break things” must give way to one that “moves fast, securely.”
This piece is adapted from the authors’ Brookings Institution report, “Why 5G Requires New Approach’s to Cybersecurity – Racing to Protect the Most Valuable Network of the 21st Century.”