5G adds more concerns: CISOs should build cybersecurity from the ground up

Public 5G networks, private 5G networks, broader attack surfaces, and more complex environments add extra layers of vulnerability, expert says.

5G: More speed adds more vulnerabilities, IoT security expert says

TechRepublic's Karen Roby spoke with Curtis Simpson, CISO of Armis, an Internet of Things (IoT) security company, about security concerns with 5G. The following is an edited transcript of their conversation.

Karen Roby: We talk a lot about 5G, of course, and all different facets of the technology. We talk a lot about security as well, but not as much about the two together. When it comes to 5G and the security implications, what are you most concerned with?

SEE: 5G: What it means for edge computing (ZDNet/TechRepublic special feature) | Download the free PDF version (TechRepublic)

Curtis Simpson: There's actually a lot of concerns here. Just to bubble up a few of them, we're moving from a centrally managed hardware-based type of network that's built and managed by telecom providers to a software-based network that is both owned by providers as well as companies. 

We're actually going to see private 5G networks interacting with public 5G networks, but here's the rub: Not for benign use cases. With the speed that 5G is going to deliver, it's no secret that around the world, we're rapidly developing and initiating the rollout of smart cities at a very large scale, and this is just the beginning. We will reach a point where a smart city ultimately could be described as a ton of different smart devices or IoT devices delivering critical services and quality-of-life services, all running over 5G networks. On top of that, we're going to have private 5G networks that are built by businesses and used to maintain all sorts of internal operations, critical functions in remote areas of the world, etc.

The challenge, when you look at the latter in particular, is that security practitioners are struggling with the complexity of their current environments. They haven't even got their hands or heads around the multitude of IoT devices, the risks around those devices, the attacks occurring against critical IOT devices. Now those businesses are standing up private 5G networks with unique devices they hadn't yet seen before, on networks they've never been responsible for managing, and these networks will be interacting with other public networks. In addition to that, many of the exposures that existed in 3G and 4G networks still exist in 5G networks. Providing the ability to track users, to trigger alerts on a mass level to different devices, we haven't seen a lot of exploitation of these things in the past. There wasn't necessarily a reason to, but when you look at the use cases around what will be running on 5G networks, lot of concerns there.

Karen Roby: What needs to happen, what type of collaboration needs to be involved? Because 5G is here, it's moving in and smart cities are rapidly evolving. This stuff is all happening so quickly.

SEE: Future of 5G: Projections, rollouts, use cases, and more (free PDF) (TechRepublic)

Curtis Simpson: It is. And we've got to be intelligent about it. And really, if we look at what we have to do, the base factor is that security needs to be at the foundation of both private and public 5G networks. And as we think about private 5G networks, we've got to have the talent, the skill sets, the experience to actually build these networks responsibly, safely, and we have to take the time to do it. This isn't like when we started migrating to the cloud where we just do it, we just move key workloads, key capabilities into the cloud, and then we get back around to securing those clouds so that we can protect those key workloads, and services, and solutions effectively. We can't do what we've historically done. We always build the secure or the business value first and then secure later.

The reality cannot be true here. If it's true here, who will pay the price? Because we won't have the resources required to securely build out these networks, securely manage these networks, monitor these networks, understand when things are potentially going malicious versus still acting normally, and these will be running critical functions both within our businesses and as we think about smart cities, we're actually now talking about the potential disruption of human lives. Both quality of life and actually impacting life such that people could die if we're not building security into the base, which also means that we can't inherently take IoT devices that we might introduce at home today and equally introduce within a business and then just drop those into 5G networks that are powering smart cities or key business capabilities.

The challenge is those devices were not built with security in mind. We have to build the networks and the devices with security in mind, which means we've got to collaborate with manufacturers, we've got to have those right talents that are building out these networks, enabling those devices, configuring those devices with partnerships, with those manufacturers. Security has to be everywhere, always, and from the very beginning.

Karen Roby: How widespread is the understanding that that's the way it needs to be, Curtis? Is this something where there's people like you trying to shout from the rooftop, "Hey, everyone. We've got to understand that this has to be the basis of it or we will face incredibly tragic repercussions." Or is this something you feel like as a community, and CISOs like yourself, and others, the manufacturers, are kind of all on board with that. How far is the acceptance?

SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)

Curtis Simpson: There's a general around what I'm saying. The concern that I have is what we've historically seen, is that if a business needs to take certain actions from their perspective to remain viable or to break into a certain market within a given period of time, again, the thought or strategy has always been let's get there and then let's worry about optimizing it going forward. I'm worried we're going to do that again. And as we do that, we're going to pay the price, and then we're going to have to learn from those that have paid the price, and then go back and do that work. That's the general concern.

I'm also worried that security practitioners are tired right now. This is a very common conversation in the space right now because environments have become more complex, budgets are what they were, head counts what it was. We haven't moved to the cloud, we've added the cloud. We're not moving to 5G, we're adding 5G. We've got to be considerate here about the fact that we're creating an entirely new attack surface in addition to a new plane of doing business. And we're going to have to fund that, we're going to have to give it the time that it needs, we're going to have to really take that seriously. And I think the more we can do to make sure that CEOs and others that are making some of these decisions in support of business strategy truly understand that security is at the root of that. And we need to make sure that we're empowering and bringing our CISOs the energy they need to fight that fight and to bring those messages to the top.

Karen Roby: What else does CISOs need to do? I'm sure many of them, most of them are overwhelmed right now.

Curtis Simpson: They absolutely are. And they can't take this on in terms of understanding the risk, strategizing around managing the risk, and building operations, and programs, and deploying tools around all of this, in addition to everything else they're doing today. That is the reality. They just can't. They're going to tip over. That does mean as we look at this both within the companies as we're standing up private 5G networks and consuming 5G capabilities, we need a dedicated staff. We've got to look at this as we're building an entirely new line of business, or we're building an entirely new subgroup or sub company within our organization. We have to take this just as seriously from the perspective of staffing this with dedicated resources to do this right, and funding new additional head counts to be able to manage this environment in a very mature and secure way going forward. Because if we do what we've always done, just bolting this on to the current infrastructure and security teams, this will be a problem.

Karen Roby: It's the fancy and fun part to talk about something. With 5G for so long it's been, "Oh, lower latency and faster speeds. It's going to be great, great, great." But without that foundation, like you've mentioned, and the pieces that need to be laid first, it could be disastrous.

Curtis Simpson: Yeah. And we're talking about entirely new networks. On top of that, not only are we going to a software-driven network, but we're going to a software-driven network that actually relies upon protocols and communication methods that are more typical, which makes this even worse because not from the perspective of having the resources to understand that, but attackers now have an edge that they didn't necessarily have in a 4G environment. So, they have an edge our practitioners and the folks building and securing these environments don't, they're behind, which is why I say we very much have to focus on this as a program and stand this up and fund this as a program, with security as the very beginning of that foundation.

Also see