
Is 5G security being sacrificed at the altar of profit, politics and process?

Homo sapiens is an incredibly adaptable species, arguably the most adaptable ever. But it is also a forgetful one, quick to take things for granted. Many of us can remember when cell phones first emerged, when the internet first became publicly available, when the first iPhone was released. These momentous shifts occurred within a generation, altering the nature of society and civilization.

Just a few decades ago, none of these existed, but by the time Covid-19 hit, billions of people were able to lift their smartphone and video call a loved one on the other side of the world. At the time, few people seemed to pause and recognize that the ability to make that call was almost miraculous. Almost.

Because the massive technological complex that gave people access to each other across the globe was not made up of miracles, but rather hardware, software, and the networks that grew around them. And what ensured these networks were able to function across borders, cultures and industries? Standards – the guidelines, specifications and protocols that define the development, implementation, and function of technologies and infrastructure components.

Sure, they’re not sexy. When social media goes crazy about the latest device or communications technology, nobody talks about standards. But they are foundational to the successful integration of those technologies and devices. Standards are not very exciting, but they are extremely important, ensuring consistency, compatibility, and reliability across various systems, devices, networks, and applications.

Standards define your office network, your home network, the cloud, the internet, and mobile networks. They’re why you can phone home when you’re overseas, collaborate with a colleague on an online document, or have a pizza delivered to your door with just a few clicks. And they’re why you can do all of these things safely, because one of the crucial roles of standards is in ensuring a secure cyber environment.

This is especially true in telecommunications, where constant evolution has necessitated the growth of standard-setting bodies that can help guide and shape the industry. These Standard Development Organisations (SDOs) help to ensure that technology is interoperable, reliable, and secure across different networks and devices, a role that has been crucial during the emergence of 5G.

With its radically different network architecture, virtualized network components and progressive technologies like network slicing, 5G represents a whole new level of challenge in standards development, and with this heightened focus has come increased scrutiny of the standards-setting process. Industry commentators have raised concerns about the way in which standards are set and what is included in them. The process has flaws and is open to manipulation: the stakeholders that make up these SDOs are able to game the system for corporate gain.

Of course, there’s nothing wrong in principle with having commercial motives, which is why this debate is less an ethical one and more a practical one. When the global standards-setting process is not working as it should, we risk sacrificing interoperability for profitability. 5G networks are jeopardized. Security will not evolve at the rate it needs to keep the network safe, and 5G, the most powerful technology to have been developed in decades, could also become the most dangerous.

Origins of telecoms SDOs

Standard Development Organizations bring together varied interests including industry experts, businesses and government agencies, to collaborate on defining common specifications and guidelines. Well-known examples include the International Organization for Standardization (ISO) that develops standards across various industries and sectors, such as technology, manufacturing, healthcare; the Internet Engineering Task Force (IETF), responsible for developing and maintaining standards for internet protocols and technologies; the Institute of Electrical and Electronics Engineers (IEEE), that develops standards in fields like telecommunications, information technology, power and energy; and 3GPP, the most influential SDO in mobile telecommunications technologies.

Strictly speaking, 3GPP is an engineering organization, not an SDO – it sets the technical specifications that are translated into standards by the seven global SDOs – but its influence is such that it is regarded as an SDO in effect. The origins of 3GPP can be traced back to the early days of mobile telephony, when the first generation (1G) of cellular networks was introduced. These networks were based on analog technology and were largely limited to voice communications.

In the 1980s, the second generation (2G) of cellular networks was developed, which introduced digital technology and allowed for the transmission of data in addition to voice. The development of 2G networks was driven by a desire to improve the efficiency and capacity of cellular networks, as well as to support new services such as SMS messaging.

As mobile technology continued to evolve, there was a growing need for a unified standard that would allow for interoperability between different networks and devices. In response to this need, several standard-setting bodies were established, including the European Telecommunications Standards Institute (ETSI) and the International Telecommunication Union (ITU).

In 1998, the GSM Association (GSMA), which represents the interests of mobile network operators around the world, established the Third Generation Partnership Project (3GPP) to develop a common standard for third-generation (3G) cellular networks. The 3GPP was created as a collaboration between several regional standards bodies, including ETSI, the Japan-based Association of Radio Industries and Businesses (ARIB), and the American National Standards Institute (ANSI).

Since its establishment, 3GPP has played a critical role in the development of mobile telecommunications standards, including the development of 3G, 4G, and 5G technologies, and today boasts a global membership that includes over 500 organizations from around the world.

SEParation of powers

While 3GPP has been successful in developing standards that have helped to advance mobile telecommunications, the process of developing these standards has come under criticism in recent years. Some complain the 3GPP process is sluggish and bureaucratic, slowed down by the competing agendas and priorities of the body’s many membership organizations.

Influence in the standards development process is also heavily weighted in favor of larger companies, most of whom are major players in the telecoms industry. Quite simply, participation in the process of technical definition and development comes at a cost and, when it comes to deciding what the next standards release is going to look like, those with the deepest pockets are able to bulk up their representation at voting events with the level of technical expertise required to make valid contributions to standards. This has geopolitical implications – as we’ll see shortly – but the primary play here is commercial. There’s a lot of money to be made in standards-setting, and it all starts with standard essential patents (SEPs).

5G SEPs are patents deemed essential to the implementation of a 5G technical standard. Royalties on these patents are paid by anyone wishing to comply with the relevant technical standard and use the patented technology in their products or services. Implementers may include manufacturers of devices, infrastructure providers, service providers, or any entity incorporating the patented technology into their offerings. The specific arrangements and agreements for royalty payments vary, and can be calculated based on factors such as the number of units sold, the revenue generated from implementing the SEPs, or other mutually agreed-upon terms.

The commercial value of owning an SEP can be significant, and thanks to the 3GPP decision-making structure, that commercial benefit is more likely to pool around those who have the most influence in the standards-setting process. If you want to have your patent regarded as “essential” – and, therefore, a mandatory royalty-earning part of technological implementation – it certainly helps if you’re one of the strongest voices in the room when it’s decided what’s to be included in the next standard. The obvious risk – and an increasingly vocalized critique of 3GPP – is the potential for anti-competitive behavior.

Companies that own SEPs can demand high royalties from other companies that want to use their technology, which can make it difficult for those companies to compete effectively. This has led to accusations that the SEP ownership model reduces competition and establishes the perfect conditions for an effective oligopoly featuring a handful of major players like Ericsson, Huawei, LG, Nokia, Qualcomm and Samsung. Critics argue that by owning patents deemed essential to 3GPP standards, companies can dictate licensing terms, leading to inflated costs and barriers to entry for competitors. This can hinder innovation and limit consumer choice, as companies lacking the necessary patents may struggle to enter the market or face excessive licensing fees.

The simple commercial inequalities such a market arrangement generates have the tendency to foster territorial and counter-productive (for the industry) practices, such as “patent hold-ups” and “patent hold-outs.” Patent hold-up refers to the situation where a patent holder delays the disclosure of its SEPs until after the standard is established. This strategic move enables them to negotiate more favorable licensing terms, effectively exploiting implementers’ reliance on their patents. Conversely, patent hold-out occurs when implementers refuse to negotiate licenses in an attempt to devalue the patent holder’s intellectual property. Both practices can harm the industry’s competitive dynamics and hinder the adoption of new technologies. Even without such cynical tactics, though, SEPs play a huge strategic role – especially for telecoms technology giants – in ensuring the ceaseless battle for leadership of increasingly competitive industrial value chains.

Anti-competitive behavior is theoretically averted by agreements between industry stakeholders that SEP royalties be subject to fair, reasonable, and non-discriminatory (FRAND) licensing commitments. These commitments aim to ensure that the licensing terms and royalty rates are fair and accessible to all potential implementers, encouraging widespread adoption of the standard and promoting fair competition. As we all know, though, commitments in principle work perfectly in principle, but often come unstuck in practice.


A lot of noise is made about who – organization or country – owns the most 5G SEPs, which is understandable; given their powerful commercial and strategic value, SEPs have the potential to secure companies and nations huge advantages in the race for autonomy and control in networked 5G technologies. But the view on who leads the global 5G patent race varies significantly depending on who you speak to and how they’re choosing to read international patent filing records, which are open to a lot of interpretation anyway.

We could look at the number of standards contributions, but not all standards involve SEPs so those numbers are inconclusive. We could consider the number of patents filed, but this is a poor marker of contribution to innovation and tech development as a patent is simply a measure of uniqueness, not a measure of potential value. Counting SEPs doesn’t give a clear and accurate picture either because SEPs vary so much in value, usage and impact. Also, not all patents are essential. In fact, as much as 70% of patents – perhaps even more – do not qualify as “essential”.

This issue is plaguing the industry. Determining which patents qualify as essential to 3GPP standards is a complex and contentious process. The risk of over-declaring patents as essential or under-declaring them undermines the efficacy of the standards. Over-declaration may lead to patent thickets, where multiple patent holders claim rights over similar technologies, creating legal complexities and uncertainty. Conversely, under-declaration may result in technological gaps and hinder interoperability. Striking the right balance in the essentiality determination process is crucial but challenging, which is partly why the UK government has recently started a review of the SEP ecosystem to help determine whether the current system is effective and fair to all parties, and whether government intervention may be required. Experts on behalf of the European Commission have also suggested that better and fairer rules are needed to dictate the licensing of SEPs.

That legislative bodies are asking these questions is a positive sign, but there is a lot of work to be done before we reach anything close to a global consensus on these matters. While the standards-setting process may include a commitment to FRAND licensing terms, the test of that commitment takes place far from 3GPP conferences and in the courtrooms of the world.

Resolving disputes related to SEPs is a multifaceted challenge. Inconsistencies in national patent laws, varying interpretations of FRAND commitments, and jurisdictional issues complicate the resolution process. Additionally, enforcement mechanisms differ across countries, making it challenging to ensure consistent and fair outcomes. This may be a global issue, but it’s rooted in regional peculiarities: jurisdiction policy is a major factor in deciding the outcomes of a growing body of SEP licensing litigation. Where a patent is owned and enforced matters significantly, which is one of the reasons people are so focused on who owns what.

Despite the difficulties in analysis described above, work by IPlytics suggests that there is still a clear direction of travel in global SEP ownership and it’s pointing to the east: China leads in the number of declared 5G patent families as well as standards submissions. With the recent Huawei ban still fresh in our minds, it’s clear that Chinese dominance in 5G SEP ownership raises a lot of geopolitical questions for those in the West. But we don’t need to wait for what plays out on the world stage to see conflict around 5G patent ownership – we already have multiple examples in corporate litigation in this area and they suggest that much of the expectation of FRANDs democratizing 5G technology implementation has been naive.

Disputes over what constitutes a fair and reasonable licensing fee often involve patent holders being accused of demanding disproportionately high royalties, and implementers arguing for lower rates to promote wider access and affordability. The resultant impasse is not helped by the lack of clear guidelines and inconsistent enforcement of FRAND commitments. Things are going to get worse before they get better too. Determining FRAND rates is complicated enough, but with its escalated network complexity 5G promises to raise far more challenges in agreeing licensing terms that suit everyone.

Added to this, the rapid expansion of the Internet of Things (IoT), which includes consumer goods as well as dedicated verticals within the IoT like Industrial IoT and Healthcare IoT, means a growing number of use cases, devices and concomitant software developments. 5G is a nested ecosystem that’s difficult to tease apart. As a result, the legal solutions to effective and appropriate SEP management are going to take a long time to resolve. To reach a fair and credible 5G patent landscape is going to require changes by SDOs to their current processes, possibly even regulatory intervention. The current approach followed by organizations like 3GPP is simply not up to the task in managing an evolution of 5G that is safe and secure for all.

Costs to 5G Security

Issues with negotiating and licensing SEPs slow down 5G network development and ultimately have a negative impact on the ecosystem as a whole, but a far bigger concern is the fragmentation and delay in security implementation caused by commercial conflicts. Extended licensing disputes or negotiations can hinder the timely integration of essential security features into network infrastructure and devices, leaving the network and users vulnerable to cyber or cyber-kinetic attack.

Disputes over SEP licensing terms potentially encourage implementers to opt out or avoid fully implementing necessary security measures, leading to a fragmented security landscape. That effect could be compounded by breakdowns in relationships between key stakeholders as a result of legal or commercial contests. Poor relationships make collaboration more difficult and less reliable, and collaboration is the foundation of a strong, cohesive approach to 5G network security. That collaboration also requires a free flow of information between security researchers, vendors and practitioners – if hard lines are taken on IP restrictions or patent licensing, doing those jobs properly can be severely hampered.

Solving this conundrum is not easy. It will require structural changes to the standard-setting process, disincentivizing oligopolistic behavior and strengthening dispute resolution mechanisms to address licensing disputes effectively and efficiently. It may require regulatory reform. It will require all stakeholders to commit more authentically and consistently to doing what SDOs do when they’re operating at their best: prioritizing the broader good over private gain.

Territorial mindsets and continuous patent disputes are not sustainable – in the long term they will damage the industry and limit 5G’s potential. This technology is not about speed, nor is it about profit, even though there’s obvious value in both these things. 5G is about the potential it liberates, about what becomes possible at the frontiers of humanity’s evolution and the society we can build beyond those boundaries. For any of that to happen, we need to rethink the way we agree and implement the standards that underpin human connectivity.

Marin Ivezic

For over 30 years, Marin Ivezic has been protecting critical infrastructure and financial services against cyber, financial crime and regulatory risks posed by complex and emerging technologies.

He held multiple interim CISO and technology leadership roles in Global 2000 companies.
