As 5G networks are rolled out across ASEAN next year, a broad range of new cyber security threats will emerge, many of which will be different from the ones seen in 3G/4G networks, a panel of cyber security experts has warned.
Speaking on a forum at the Future of cyber security convention in Kuala Lumpur on 20 June 2019, Abid Adam, chief information security officer of Axiata Group, noted that the roll-out of 5G is guaranteed to bring about new attack vectors that target not only the network, but also consumers through new applications.
The security executive for the regional telco group argued that 5G goes beyond voice and connectivity, and because the technology is expected to be adopted by enterprises in industries such as healthcare, manufacturing and automotive, cyber security must be looked at more holistically than before.
“5G will introduce new service models, which will in turn lead to a need for new trust models [between operators, enterprises and consumers],” he told delegates at the event.
Abid noted that even today, when 5G networks are not yet commercially available, enterprises are already struggling to keep up with new threat vectors. A year ago the main threats were around ransomware, he said, but today they revolve around crypto-mining and extortion.
“The threat landscape is evolving and what we’ve faced 12 months ago is very different from today,” he said.
“The challenge is, what are we doing as an industry to stay abreast with the threat landscape?”
Keeping up with the threat landscape is not the only major challenge. Another is the way 5G technology is designed, which essentially pushes a lot of the data and processing power to the edge of the network.
“What really changes in cyber security for 5G is in the way the network is set up,” said Abid. “5G uses network function virtualisation and software-defined networking and thus protection just can’t be at the core network level as data is being pushed further out.
“With 5G, we will need to seriously re-look at how to architect cyber security as part of the network.”
Complicating these challenges is that the 5G world would require industries to work together through the use of application programming interfaces (APIs). Abid added that while APIs can spur innovation because companies can connect to one another, they also expose backend systems to potential attacks.
Adding to this complexity is the fact that attacks today are smarter and may not be high-volume, but that does not mean all is well. “The thresholds may be significantly lower but that doesn’t mean it’s not as dangerous,” he said.
Security standards are no panacea
When asked if the telco industry needs to come up with strict cyber security standards for 5G, Suresh Ramasamy, fellow panellist and chief information security officer of Hong Leong Bank, noted that while standards are important, they are only as good as the people who implement them.
“I may propose the best standards in the world but it’s up to the person to implement it properly,” he said.
The banking executive said regardless of whether or not 5G cyber security standards are in place, enterprises deploying or using 5G technology have to build their systems with security in mind from the beginning and not as an afterthought.
“At the end of the day, if there is no security consideration on how things are built, it’ll never be secure, regardless of whether there is a standard or not,” he said.
Suresh also believes enterprises cannot fully wait for 5G cyber security standards to evolve completely before implementing them. Citing the example of IPv6 when it was first introduced, he said: “When we first used it, we thought it was very secure but it turned out to be not as secure. You’ve to learn from your journey and as you discover more, you deploy more.”
Panellist and CIO of telco U Mobile, Neil Tomkinson, said 5G will bring massive numbers of devices onto the network and operators would need to prepare for onslaughts of attacks not only on the network but on consumer applications as well.
“With so many devices out there, the threat is on a much bigger scale than we’re used to now,” he said. “Internally, we need to protect the network itself, but in 5G we would also need to look at how to protect the applications and services that run on top of the network.”