A sensible set of recommendations. Going back many decades to my time working for a large telco, the first rule for any change was “don’t break the network”. We made it a contractual commitment for each major technology provider to build a test network and demonstrate that the platform was stable and secure before rolling out any change. This is obviously a major drag on rapid innovation, but did ensure that 99.999% availability of the telephone service…:
To make the most of this technology, policy makers should work with the private sector to implement effective 5G prevention and control measures.
First, to build safe and secure 5G networks, governments have to adopt zero-trust frameworks. A cybersecurity system using this framework has four characteristics: i) limiting access to all interactions, ii) regulating all interactions, iii) partitioning assets through small segments, and iv) regularly monitoring security systems. The end-to-end protection and monitoring mechanisms of the zero-trust framework will ensure that every activity on the 5G network is secure.
Second, the authorities have to verify the security of the supply chain. Recent examples of major cyberattacks, including the Solarware attack, show that supply chains are the primary target of hackers. Therefore, leveraging trustworthy components and vendors is the foundation for 5G cybersecurity. Regulators need to continuously monitor how 5G vendors secure their corporate environments from being attacked. The government has to look at the way 5G vendors protect their entire supply chains: from development to delivery to implementation.
Lastly, cybersecurity policy must focus on preventive security controls and periodically monitor and respond to actions. In this regard, machine learning capabilities and AI are going to be essential tools that help regulators monitor the security system and prevent potential cyberattacks. Moreover, regulators should also focus on monitoring physical devices that are connected to 5G networks. To monitor these devices, regulators should consider adopting a Manufacturer Usage Descriptions (M-U-D) policy. Under this framework, manufacturers need to embed certificates to identify the class and model of all IoT devices.