RAND Corporation just published a new research report: “Securing 5G – A Way Forward in the U.S. and China Security Competition.”
The report examines 5G security issues, the 5G supply chain, and the competitive landscape in 5G equipment. It describes where U.S. or Chinese companies have technology or market advantages in the emerging 5G security competition between the United States and China and provides recommendations for securing U.S. 5G networks.
The report correctly views the 5G competition through three intertwined dimensions: economics, technology, and security. However, it is primarily framed in terms of the 5G security competition between the United States and China, with Huawei singled out as a CCP-controlled agent. The authors outline a number of alleged instances of Huawei-led espionage and use them to highlight the risk of Chinese espionage as the main 5G security risk.
It is a bit disappointing that the always-excellent RAND researchers framed the issue in such a shortsighted way. My two main problems:
5G networks will eventually transport lots of critical infrastructure traffic. More than just espionage, the key risks have to be related to malicious actors achieving cyber-kinetic impacts by abusing the 5G network access to achieve remote access to critical infrastructure and/or compromise the integrity of sensor and control data.
Those that only evaluate cybersecurity risks based on previous incidents will always be defeated by adversaries with more imagination and patience – those that might be positioning themselves today for exploits eight years down the line.
Singling out and banning Huawei might make sense for the US from technology independence and economic points of view. However, it is a mistake to consider 5G security risks only as a “Huawei issue”. By removing Huawei we might achieve a false sense of security. This is a whole-of-hardware-and-software-supply-chain issue and we have to develop tools and processes to assess and reduce backdoor and front-door risks independent of who the supplier is.
The report is available here: https://www.rand.org/pubs/research_reports/RRA435-4.html