5G technology is popular on both sides of the political aisle but some security concerns remain, especially when it comes to the supply chain. Chinese-run telecom companies Huawei and ZTE have been effectively blacklisted by the US government because of vulnerabilities in their products, but now the concern is less to do with federal technology and more focused on smaller governments domestically, as well as global allies.
Christopher Krebs, director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), testified before the Senate Judiciary Committee last week on 5G national security worries. He said 5G will support a range of activities from the Internet of Things to autonomous vehicles, remote medicine and a smart electrical grid.
“There’s no doubt that there will be a broad, diverse range of possible risks associated with 5G technologies, threatening to exploit the integrity, confidentiality and availability of data, as well as the critical functions that data enables,” Krebs said on Federal Monthly Insights — 5G Connected Government. “To ensure we’re positioned to manage those risks we’ve established a 5G working group within CISA that brings together our relevant expertise in emergency preparedness communications, cybersecurity, supply chain risk management and infrastructure security.”
Krebs said the group works closely with industry partners and the departments of Justice, State and Defense, the National Telecommunications and Information Administration, the National Institute of Standards and Technology, the Federal Communications Commission and the Intelligence Community. The goal is to establish a “common baseline understanding” of how 5G can be deployed, and therefore the necessary risk management priorities.
“As a part of this we are taking a risk-based approach to understanding the implications of the growing global presence of Chinese telecom equipment throughout the 5G technology stack,” Krebs told the Federal Drive with Tom Temin. “The potential for Chinese intelligence and security services to use Chinese firms as routine and systemic espionage platforms against the United States and our allies is concerning and a potential direct threat to our mandate to ensure national security and emergency preparedness communications.”
He noted that the 2019 National Defense Authorization Act included a provision generally banning agencies from procuring or contracting with agencies that use equipment from entities controlled by the Chinese government. And the Federal Acquisition Regulations Council is developing rules to implement that law.
Robert Strayer, deputy assistant secretary for Cyber and International Communications Policy at the State Department’s Bureau of Economic and Business Affairs, joined Krebs in testifying. He said the department is urging other countries to adopt risk-based security frameworks for their communication systems that get upgraded for 5G.
“To this end, the department is executing a global campaign on 5G security that includes strategic bilateral and multilateral engagements to convince our allies and partners of the need to adequately secure these networks,” Strayer said in his opening statement. “An important element of this risk-based security approach is a careful evaluation of hardware and software equipment vendors and their supply chains.”
He said the criteria should include whether vendors are subject to control by foreign governments “with no meaningful checks and balances” on that government’s ability to compel cooperation with intelligence and security agencies. Strayer said this is because vendors can be ordered to undermine their own network security, steal personal information or intellectual property, partake in espionage or even conduct cyber attacks.
The US is seeing that awareness resonate in other countries. The European Union released recommendations to improve cybersecurity of 5G technology, and a conference of 32 countries’ representatives — including the US — in Prague on May 3 produced proposals to guide this effort.
“We will continue our bilateral and multilateral engagements to ensure that telecommunications, the internet, and all the critical services that 5G will enable are secure and reliable,” Strayer said.